From sle-security-updates at lists.suse.com Tue Nov 1 09:07:20 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Nov 2016 16:07:20 +0100 (CET)
Subject: SUSE-SU-2016:2477-2: important: Security update for php5
Message-ID: <20161101150720.848FDFFBA@maintenance.suse.de>

   SUSE Security Update: Security update for php5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2477-2
Rating:             important
References:         #999679 #999680 #999682 #999684 #999685 #999819 #999820
Cross-References:   CVE-2016-7411 CVE-2016-7412 CVE-2016-7413 CVE-2016-7414
                    CVE-2016-7416 CVE-2016-7417 CVE-2016-7418
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for php5 fixes the following security issues:

   * CVE-2016-7411: php5: Memory corruption when destructing deserialized object
   * CVE-2016-7412: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field
   * CVE-2016-7413: Use after free in wddx_deserialize
   * CVE-2016-7414: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile
   * CVE-2016-7416: Stack based buffer overflow in msgfmt_format_message
   * CVE-2016-7417: Missing type check when unserializing SplArray
   * CVE-2016-7418: Null pointer dereference in php_wddx_push_element

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1446=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64):

      apache2-mod_php5-5.5.14-78.1
      apache2-mod_php5-debuginfo-5.5.14-78.1
      php5-5.5.14-78.1
      php5-bcmath-5.5.14-78.1
      php5-bcmath-debuginfo-5.5.14-78.1
      php5-bz2-5.5.14-78.1
      php5-bz2-debuginfo-5.5.14-78.1
      php5-calendar-5.5.14-78.1
      php5-calendar-debuginfo-5.5.14-78.1
      php5-ctype-5.5.14-78.1
      php5-ctype-debuginfo-5.5.14-78.1
      php5-curl-5.5.14-78.1
      php5-curl-debuginfo-5.5.14-78.1
      php5-dba-5.5.14-78.1
      php5-dba-debuginfo-5.5.14-78.1
      php5-debuginfo-5.5.14-78.1
      php5-debugsource-5.5.14-78.1
      php5-dom-5.5.14-78.1
      php5-dom-debuginfo-5.5.14-78.1
      php5-enchant-5.5.14-78.1
      php5-enchant-debuginfo-5.5.14-78.1
      php5-exif-5.5.14-78.1
      php5-exif-debuginfo-5.5.14-78.1
      php5-fastcgi-5.5.14-78.1
      php5-fastcgi-debuginfo-5.5.14-78.1
      php5-fileinfo-5.5.14-78.1
      php5-fileinfo-debuginfo-5.5.14-78.1
      php5-fpm-5.5.14-78.1
      php5-fpm-debuginfo-5.5.14-78.1
      php5-ftp-5.5.14-78.1
      php5-ftp-debuginfo-5.5.14-78.1
      php5-gd-5.5.14-78.1
      php5-gd-debuginfo-5.5.14-78.1
      php5-gettext-5.5.14-78.1
      php5-gettext-debuginfo-5.5.14-78.1
      php5-gmp-5.5.14-78.1
      php5-gmp-debuginfo-5.5.14-78.1
      php5-iconv-5.5.14-78.1
      php5-iconv-debuginfo-5.5.14-78.1
      php5-imap-5.5.14-78.1
      php5-imap-debuginfo-5.5.14-78.1
      php5-intl-5.5.14-78.1
      php5-intl-debuginfo-5.5.14-78.1
      php5-json-5.5.14-78.1
      php5-json-debuginfo-5.5.14-78.1
      php5-ldap-5.5.14-78.1
      php5-ldap-debuginfo-5.5.14-78.1
      php5-mbstring-5.5.14-78.1
      php5-mbstring-debuginfo-5.5.14-78.1
      php5-mcrypt-5.5.14-78.1
      php5-mcrypt-debuginfo-5.5.14-78.1
      php5-mysql-5.5.14-78.1
      php5-mysql-debuginfo-5.5.14-78.1
      php5-odbc-5.5.14-78.1
      php5-odbc-debuginfo-5.5.14-78.1
      php5-opcache-5.5.14-78.1
      php5-opcache-debuginfo-5.5.14-78.1
      php5-openssl-5.5.14-78.1
      php5-openssl-debuginfo-5.5.14-78.1
      php5-pcntl-5.5.14-78.1
      php5-pcntl-debuginfo-5.5.14-78.1
      php5-pdo-5.5.14-78.1
      php5-pdo-debuginfo-5.5.14-78.1
      php5-pgsql-5.5.14-78.1
      php5-pgsql-debuginfo-5.5.14-78.1
      php5-phar-5.5.14-78.1
      php5-phar-debuginfo-5.5.14-78.1
      php5-posix-5.5.14-78.1
      php5-posix-debuginfo-5.5.14-78.1
      php5-pspell-5.5.14-78.1
      php5-pspell-debuginfo-5.5.14-78.1
      php5-shmop-5.5.14-78.1
      php5-shmop-debuginfo-5.5.14-78.1
      php5-snmp-5.5.14-78.1
      php5-snmp-debuginfo-5.5.14-78.1
      php5-soap-5.5.14-78.1
      php5-soap-debuginfo-5.5.14-78.1
      php5-sockets-5.5.14-78.1
      php5-sockets-debuginfo-5.5.14-78.1
      php5-sqlite-5.5.14-78.1
      php5-sqlite-debuginfo-5.5.14-78.1
      php5-suhosin-5.5.14-78.1
      php5-suhosin-debuginfo-5.5.14-78.1
      php5-sysvmsg-5.5.14-78.1
      php5-sysvmsg-debuginfo-5.5.14-78.1
      php5-sysvsem-5.5.14-78.1
      php5-sysvsem-debuginfo-5.5.14-78.1
      php5-sysvshm-5.5.14-78.1
      php5-sysvshm-debuginfo-5.5.14-78.1
      php5-tokenizer-5.5.14-78.1
      php5-tokenizer-debuginfo-5.5.14-78.1
      php5-wddx-5.5.14-78.1
      php5-wddx-debuginfo-5.5.14-78.1
      php5-xmlreader-5.5.14-78.1
      php5-xmlreader-debuginfo-5.5.14-78.1
      php5-xmlrpc-5.5.14-78.1
      php5-xmlrpc-debuginfo-5.5.14-78.1
      php5-xmlwriter-5.5.14-78.1
      php5-xmlwriter-debuginfo-5.5.14-78.1
      php5-xsl-5.5.14-78.1
      php5-xsl-debuginfo-5.5.14-78.1
      php5-zip-5.5.14-78.1
      php5-zip-debuginfo-5.5.14-78.1
      php5-zlib-5.5.14-78.1
      php5-zlib-debuginfo-5.5.14-78.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      php5-pear-5.5.14-78.1


References:

   https://www.suse.com/security/cve/CVE-2016-7411.html
   https://www.suse.com/security/cve/CVE-2016-7412.html
   https://www.suse.com/security/cve/CVE-2016-7413.html
   https://www.suse.com/security/cve/CVE-2016-7414.html
   https://www.suse.com/security/cve/CVE-2016-7416.html
   https://www.suse.com/security/cve/CVE-2016-7417.html
   https://www.suse.com/security/cve/CVE-2016-7418.html
   https://bugzilla.suse.com/999679
   https://bugzilla.suse.com/999680
   https://bugzilla.suse.com/999682
   https://bugzilla.suse.com/999684
   https://bugzilla.suse.com/999685
   https://bugzilla.suse.com/999819
   https://bugzilla.suse.com/999820


From sle-security-updates at lists.suse.com Tue Nov 1 09:19:34 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Nov 2016 16:19:34 +0100 (CET)
Subject: SUSE-SU-2016:2470-2: important: Security update for nodejs4
Message-ID: <20161101151934.4501AFFBC@maintenance.suse.de>

   SUSE Security Update: Security update for nodejs4
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2470-2
Rating:             important
References:         #1001652 #985201
Cross-References:   CVE-2016-2178 CVE-2016-2183 CVE-2016-5325 CVE-2016-6304
                    CVE-2016-6306 CVE-2016-7052 CVE-2016-7099
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs
   and security issues:

   * Nodejs embedded openssl version update
     + upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178,
       CVE-2016-6306, CVE-2016-7052)
     + remove support for dynamic 3rd party engine modules
   * http: Properly validate for allowable characters in input user data.
     This introduces a new case where throw may occur when configuring HTTP
     responses, users should already be adopting try/catch here.
     (CVE-2016-5325, bsc#985201)
   * tls: properly validate wildcard certificates (CVE-2016-7099, bsc#1001652)
   * buffer: Zero-fill excess bytes in new Buffer objects created with
     Buffer.concat()

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1439=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64):

      nodejs4-4.6.0-8.1
      nodejs4-debuginfo-4.6.0-8.1
      nodejs4-debugsource-4.6.0-8.1
      nodejs4-devel-4.6.0-8.1
      npm4-4.6.0-8.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      nodejs4-docs-4.6.0-8.1


References:

   https://www.suse.com/security/cve/CVE-2016-2178.html
   https://www.suse.com/security/cve/CVE-2016-2183.html
   https://www.suse.com/security/cve/CVE-2016-5325.html
   https://www.suse.com/security/cve/CVE-2016-6304.html
   https://www.suse.com/security/cve/CVE-2016-6306.html
   https://www.suse.com/security/cve/CVE-2016-7052.html
   https://www.suse.com/security/cve/CVE-2016-7099.html
   https://bugzilla.suse.com/1001652
   https://bugzilla.suse.com/985201


From sle-security-updates at lists.suse.com Tue Nov 1 09:21:25 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Nov 2016 16:21:25 +0100 (CET)
Subject: SUSE-SU-2016:2460-2: important: Security update for php7
Message-ID: <20161101152125.D5556FFBC@maintenance.suse.de>

   SUSE Security Update: Security update for php7
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2460-2
Rating:             important
References:         #1001950 #987580 #988032 #991422 #991424 #991426 #991427
                    #991428 #991429 #991430 #991434 #991437 #995512 #997206
                    #997207 #997208 #997210 #997211 #997220 #997225 #997230
                    #997247 #997248 #997257 #999313 #999679 #999680 #999684
                    #999685 #999819 #999820
Cross-References:   CVE-2016-4473 CVE-2016-5399 CVE-2016-6128 CVE-2016-6161
                    CVE-2016-6207 CVE-2016-6289 CVE-2016-6290 CVE-2016-6291
                    CVE-2016-6292 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297
                    CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127
                    CVE-2016-7128 CVE-2016-7129 CVE-2016-7130 CVE-2016-7131
                    CVE-2016-7132 CVE-2016-7133 CVE-2016-7134 CVE-2016-7412
                    CVE-2016-7413 CVE-2016-7414 CVE-2016-7416 CVE-2016-7417
                    CVE-2016-7418
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that solves 29 vulnerabilities and has two fixes is now
   available.

Description:

   This update for php7 fixes the following security issues:

   * CVE-2016-6128: Invalid color index not properly handled [bsc#987580]
   * CVE-2016-6161: global out of bounds read when encoding gif from malformed
     input with gd2togif [bsc#988032]
   * CVE-2016-6292: Null pointer dereference in exif_process_user_comment
     [bsc#991422]
   * CVE-2016-6295: Use after free in SNMP with GC and unserialize()
     [bsc#991424]
   * CVE-2016-6297: Stack-based buffer overflow vulnerability in
     php_stream_zip_opener [bsc#991426]
   * CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE
     [bsc#991427]
   * CVE-2016-6289: Integer overflow leads to buffer overflow in
     virtual_file_ex [bsc#991428]
   * CVE-2016-6290: Use after free in unserialize() with Unexpected Session
     Deserialization [bsc#991429]
   * CVE-2016-5399: Improper error handling in bzread() [bsc#991430]
   * CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in
     simplestring.c [bsc#991437]
   * CVE-2016-6207: Integer overflow error within _gdContributionsAlloc()
     [bsc#991434]
   * CVE-2016-4473: Invalid free() instead of efree() in phar_extract_file()
   * CVE-2016-7124: Create an Unexpected Object and Don't Invoke __wakeup() in
     Deserialization
   * CVE-2016-7125: PHP Session Data Injection Vulnerability
   * CVE-2016-7126: select_colors write out-of-bounds
   * CVE-2016-7127: imagegammacorrect allowed arbitrary write access
   * CVE-2016-7128: Memory Leakage In exif_process_IFD_in_TIFF
   * CVE-2016-7129: wddx_deserialize allowed illegal memory access
   * CVE-2016-7131: wddx_deserialize null dereference with invalid xml
   * CVE-2016-7132: wddx_deserialize null dereference in php_wddx_pop_element
   * CVE-2016-7133: memory allocator fails to realloc small block to large one
   * CVE-2016-7134: Heap overflow in the function curl_escape
   * CVE-2016-7130: wddx_deserialize null dereference
   * CVE-2016-7413: Use after free in wddx_deserialize
   * CVE-2016-7412: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG
     in BIT field
   * CVE-2016-7417: Missing type check when unserializing SplArray
   * CVE-2016-7416: Stack based buffer overflow in msgfmt_format_message
   * CVE-2016-7418: Null pointer dereference in php_wddx_push_element
   * CVE-2016-7414: Out of bounds heap read when verifying signature of zip
     phar in phar_parse_zipfile

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1434=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64):

      apache2-mod_php7-7.0.7-15.1
      apache2-mod_php7-debuginfo-7.0.7-15.1
      php7-7.0.7-15.1
      php7-bcmath-7.0.7-15.1
      php7-bcmath-debuginfo-7.0.7-15.1
      php7-bz2-7.0.7-15.1
      php7-bz2-debuginfo-7.0.7-15.1
      php7-calendar-7.0.7-15.1
      php7-calendar-debuginfo-7.0.7-15.1
      php7-ctype-7.0.7-15.1
      php7-ctype-debuginfo-7.0.7-15.1
      php7-curl-7.0.7-15.1
      php7-curl-debuginfo-7.0.7-15.1
      php7-dba-7.0.7-15.1
      php7-dba-debuginfo-7.0.7-15.1
      php7-debuginfo-7.0.7-15.1
      php7-debugsource-7.0.7-15.1
      php7-dom-7.0.7-15.1
      php7-dom-debuginfo-7.0.7-15.1
      php7-enchant-7.0.7-15.1
      php7-enchant-debuginfo-7.0.7-15.1
      php7-exif-7.0.7-15.1
      php7-exif-debuginfo-7.0.7-15.1
      php7-fastcgi-7.0.7-15.1
      php7-fastcgi-debuginfo-7.0.7-15.1
      php7-fileinfo-7.0.7-15.1
      php7-fileinfo-debuginfo-7.0.7-15.1
      php7-fpm-7.0.7-15.1
      php7-fpm-debuginfo-7.0.7-15.1
      php7-ftp-7.0.7-15.1
      php7-ftp-debuginfo-7.0.7-15.1
      php7-gd-7.0.7-15.1
      php7-gd-debuginfo-7.0.7-15.1
      php7-gettext-7.0.7-15.1
      php7-gettext-debuginfo-7.0.7-15.1
      php7-gmp-7.0.7-15.1
      php7-gmp-debuginfo-7.0.7-15.1
      php7-iconv-7.0.7-15.1
      php7-iconv-debuginfo-7.0.7-15.1
      php7-imap-7.0.7-15.1
      php7-imap-debuginfo-7.0.7-15.1
      php7-intl-7.0.7-15.1
      php7-intl-debuginfo-7.0.7-15.1
      php7-json-7.0.7-15.1
      php7-json-debuginfo-7.0.7-15.1
      php7-ldap-7.0.7-15.1
      php7-ldap-debuginfo-7.0.7-15.1
      php7-mbstring-7.0.7-15.1
      php7-mbstring-debuginfo-7.0.7-15.1
      php7-mcrypt-7.0.7-15.1
      php7-mcrypt-debuginfo-7.0.7-15.1
      php7-mysql-7.0.7-15.1
      php7-mysql-debuginfo-7.0.7-15.1
      php7-odbc-7.0.7-15.1
      php7-odbc-debuginfo-7.0.7-15.1
      php7-opcache-7.0.7-15.1
      php7-opcache-debuginfo-7.0.7-15.1
      php7-openssl-7.0.7-15.1
      php7-openssl-debuginfo-7.0.7-15.1
      php7-pcntl-7.0.7-15.1
      php7-pcntl-debuginfo-7.0.7-15.1
      php7-pdo-7.0.7-15.1
      php7-pdo-debuginfo-7.0.7-15.1
      php7-pgsql-7.0.7-15.1
      php7-pgsql-debuginfo-7.0.7-15.1
      php7-phar-7.0.7-15.1
      php7-phar-debuginfo-7.0.7-15.1
      php7-posix-7.0.7-15.1
      php7-posix-debuginfo-7.0.7-15.1
      php7-pspell-7.0.7-15.1
      php7-pspell-debuginfo-7.0.7-15.1
      php7-shmop-7.0.7-15.1
      php7-shmop-debuginfo-7.0.7-15.1
      php7-snmp-7.0.7-15.1
      php7-snmp-debuginfo-7.0.7-15.1
      php7-soap-7.0.7-15.1
      php7-soap-debuginfo-7.0.7-15.1
      php7-sockets-7.0.7-15.1
      php7-sockets-debuginfo-7.0.7-15.1
      php7-sqlite-7.0.7-15.1
      php7-sqlite-debuginfo-7.0.7-15.1
      php7-sysvmsg-7.0.7-15.1
      php7-sysvmsg-debuginfo-7.0.7-15.1
      php7-sysvsem-7.0.7-15.1
      php7-sysvsem-debuginfo-7.0.7-15.1
      php7-sysvshm-7.0.7-15.1
      php7-sysvshm-debuginfo-7.0.7-15.1
      php7-tokenizer-7.0.7-15.1
      php7-tokenizer-debuginfo-7.0.7-15.1
      php7-wddx-7.0.7-15.1
      php7-wddx-debuginfo-7.0.7-15.1
      php7-xmlreader-7.0.7-15.1
      php7-xmlreader-debuginfo-7.0.7-15.1
      php7-xmlrpc-7.0.7-15.1
      php7-xmlrpc-debuginfo-7.0.7-15.1
      php7-xmlwriter-7.0.7-15.1
      php7-xmlwriter-debuginfo-7.0.7-15.1
      php7-xsl-7.0.7-15.1
      php7-xsl-debuginfo-7.0.7-15.1
      php7-zip-7.0.7-15.1
      php7-zip-debuginfo-7.0.7-15.1
      php7-zlib-7.0.7-15.1
      php7-zlib-debuginfo-7.0.7-15.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      php7-pear-7.0.7-15.1
      php7-pear-Archive_Tar-7.0.7-15.1


References:

   https://www.suse.com/security/cve/CVE-2016-4473.html
   https://www.suse.com/security/cve/CVE-2016-5399.html
   https://www.suse.com/security/cve/CVE-2016-6128.html
   https://www.suse.com/security/cve/CVE-2016-6161.html
   https://www.suse.com/security/cve/CVE-2016-6207.html
   https://www.suse.com/security/cve/CVE-2016-6289.html
   https://www.suse.com/security/cve/CVE-2016-6290.html
   https://www.suse.com/security/cve/CVE-2016-6291.html
   https://www.suse.com/security/cve/CVE-2016-6292.html
   https://www.suse.com/security/cve/CVE-2016-6295.html
   https://www.suse.com/security/cve/CVE-2016-6296.html
   https://www.suse.com/security/cve/CVE-2016-6297.html
   https://www.suse.com/security/cve/CVE-2016-7124.html
   https://www.suse.com/security/cve/CVE-2016-7125.html
   https://www.suse.com/security/cve/CVE-2016-7126.html
   https://www.suse.com/security/cve/CVE-2016-7127.html
   https://www.suse.com/security/cve/CVE-2016-7128.html
   https://www.suse.com/security/cve/CVE-2016-7129.html
   https://www.suse.com/security/cve/CVE-2016-7130.html
   https://www.suse.com/security/cve/CVE-2016-7131.html
   https://www.suse.com/security/cve/CVE-2016-7132.html
   https://www.suse.com/security/cve/CVE-2016-7133.html
   https://www.suse.com/security/cve/CVE-2016-7134.html
   https://www.suse.com/security/cve/CVE-2016-7412.html
   https://www.suse.com/security/cve/CVE-2016-7413.html
   https://www.suse.com/security/cve/CVE-2016-7414.html
   https://www.suse.com/security/cve/CVE-2016-7416.html
   https://www.suse.com/security/cve/CVE-2016-7417.html
   https://www.suse.com/security/cve/CVE-2016-7418.html
   https://bugzilla.suse.com/1001950
   https://bugzilla.suse.com/987580
   https://bugzilla.suse.com/988032
   https://bugzilla.suse.com/991422
   https://bugzilla.suse.com/991424
   https://bugzilla.suse.com/991426
   https://bugzilla.suse.com/991427
   https://bugzilla.suse.com/991428
   https://bugzilla.suse.com/991429
   https://bugzilla.suse.com/991430
   https://bugzilla.suse.com/991434
   https://bugzilla.suse.com/991437
   https://bugzilla.suse.com/995512
   https://bugzilla.suse.com/997206
   https://bugzilla.suse.com/997207
   https://bugzilla.suse.com/997208
   https://bugzilla.suse.com/997210
   https://bugzilla.suse.com/997211
   https://bugzilla.suse.com/997220
   https://bugzilla.suse.com/997225
   https://bugzilla.suse.com/997230
   https://bugzilla.suse.com/997247
   https://bugzilla.suse.com/997248
   https://bugzilla.suse.com/997257
   https://bugzilla.suse.com/999313
   https://bugzilla.suse.com/999679
   https://bugzilla.suse.com/999680
   https://bugzilla.suse.com/999684
   https://bugzilla.suse.com/999685
   https://bugzilla.suse.com/999819
   https://bugzilla.suse.com/999820


From sle-security-updates at lists.suse.com Tue Nov 1 09:32:19 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Nov 2016 16:32:19 +0100 (CET)
Subject: SUSE-SU-2016:2683-2: important: Security update for php7
Message-ID: <20161101153219.48B91FFC1@maintenance.suse.de>

   SUSE Security Update: Security update for php7
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2683-2
Rating:             important
References:         #1001900 #1004924 #1005274
Cross-References:   CVE-2016-6911 CVE-2016-7568 CVE-2016-8670
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for php7 fixes the following security issues:

   - CVE-2016-7568: A specially crafted image file could cause an application
     crash or potentially execute arbitrary code when the image is converted
     to webp (bsc#1001900)
   - CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf (bsc#1004924)
   - CVE-2016-6911: Check for out-of-bound read in dynamicGetbuf()
     (bsc#1005274)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1576=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64):

      apache2-mod_php7-7.0.7-20.1
      apache2-mod_php7-debuginfo-7.0.7-20.1
      php7-7.0.7-20.1
      php7-bcmath-7.0.7-20.1
      php7-bcmath-debuginfo-7.0.7-20.1
      php7-bz2-7.0.7-20.1
      php7-bz2-debuginfo-7.0.7-20.1
      php7-calendar-7.0.7-20.1
      php7-calendar-debuginfo-7.0.7-20.1
      php7-ctype-7.0.7-20.1
      php7-ctype-debuginfo-7.0.7-20.1
      php7-curl-7.0.7-20.1
      php7-curl-debuginfo-7.0.7-20.1
      php7-dba-7.0.7-20.1
      php7-dba-debuginfo-7.0.7-20.1
      php7-debuginfo-7.0.7-20.1
      php7-debugsource-7.0.7-20.1
      php7-dom-7.0.7-20.1
      php7-dom-debuginfo-7.0.7-20.1
      php7-enchant-7.0.7-20.1
      php7-enchant-debuginfo-7.0.7-20.1
      php7-exif-7.0.7-20.1
      php7-exif-debuginfo-7.0.7-20.1
      php7-fastcgi-7.0.7-20.1
      php7-fastcgi-debuginfo-7.0.7-20.1
      php7-fileinfo-7.0.7-20.1
      php7-fileinfo-debuginfo-7.0.7-20.1
      php7-fpm-7.0.7-20.1
      php7-fpm-debuginfo-7.0.7-20.1
      php7-ftp-7.0.7-20.1
      php7-ftp-debuginfo-7.0.7-20.1
      php7-gd-7.0.7-20.1
      php7-gd-debuginfo-7.0.7-20.1
      php7-gettext-7.0.7-20.1
      php7-gettext-debuginfo-7.0.7-20.1
      php7-gmp-7.0.7-20.1
      php7-gmp-debuginfo-7.0.7-20.1
      php7-iconv-7.0.7-20.1
      php7-iconv-debuginfo-7.0.7-20.1
      php7-imap-7.0.7-20.1
      php7-imap-debuginfo-7.0.7-20.1
      php7-intl-7.0.7-20.1
      php7-intl-debuginfo-7.0.7-20.1
      php7-json-7.0.7-20.1
      php7-json-debuginfo-7.0.7-20.1
      php7-ldap-7.0.7-20.1
      php7-ldap-debuginfo-7.0.7-20.1
      php7-mbstring-7.0.7-20.1
      php7-mbstring-debuginfo-7.0.7-20.1
      php7-mcrypt-7.0.7-20.1
      php7-mcrypt-debuginfo-7.0.7-20.1
      php7-mysql-7.0.7-20.1
      php7-mysql-debuginfo-7.0.7-20.1
      php7-odbc-7.0.7-20.1
      php7-odbc-debuginfo-7.0.7-20.1
      php7-opcache-7.0.7-20.1
      php7-opcache-debuginfo-7.0.7-20.1
      php7-openssl-7.0.7-20.1
      php7-openssl-debuginfo-7.0.7-20.1
      php7-pcntl-7.0.7-20.1
      php7-pcntl-debuginfo-7.0.7-20.1
      php7-pdo-7.0.7-20.1
      php7-pdo-debuginfo-7.0.7-20.1
      php7-pgsql-7.0.7-20.1
      php7-pgsql-debuginfo-7.0.7-20.1
      php7-phar-7.0.7-20.1
      php7-phar-debuginfo-7.0.7-20.1
      php7-posix-7.0.7-20.1
      php7-posix-debuginfo-7.0.7-20.1
      php7-pspell-7.0.7-20.1
      php7-pspell-debuginfo-7.0.7-20.1
      php7-shmop-7.0.7-20.1
      php7-shmop-debuginfo-7.0.7-20.1
      php7-snmp-7.0.7-20.1
      php7-snmp-debuginfo-7.0.7-20.1
      php7-soap-7.0.7-20.1
      php7-soap-debuginfo-7.0.7-20.1
      php7-sockets-7.0.7-20.1
      php7-sockets-debuginfo-7.0.7-20.1
      php7-sqlite-7.0.7-20.1
      php7-sqlite-debuginfo-7.0.7-20.1
      php7-sysvmsg-7.0.7-20.1
      php7-sysvmsg-debuginfo-7.0.7-20.1
      php7-sysvsem-7.0.7-20.1
      php7-sysvsem-debuginfo-7.0.7-20.1
      php7-sysvshm-7.0.7-20.1
      php7-sysvshm-debuginfo-7.0.7-20.1
      php7-tokenizer-7.0.7-20.1
      php7-tokenizer-debuginfo-7.0.7-20.1
      php7-wddx-7.0.7-20.1
      php7-wddx-debuginfo-7.0.7-20.1
      php7-xmlreader-7.0.7-20.1
      php7-xmlreader-debuginfo-7.0.7-20.1
      php7-xmlrpc-7.0.7-20.1
      php7-xmlrpc-debuginfo-7.0.7-20.1
      php7-xmlwriter-7.0.7-20.1
      php7-xmlwriter-debuginfo-7.0.7-20.1
      php7-xsl-7.0.7-20.1
      php7-xsl-debuginfo-7.0.7-20.1
      php7-zip-7.0.7-20.1
      php7-zip-debuginfo-7.0.7-20.1
      php7-zlib-7.0.7-20.1
      php7-zlib-debuginfo-7.0.7-20.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      php7-pear-7.0.7-20.1
      php7-pear-Archive_Tar-7.0.7-20.1


References:

   https://www.suse.com/security/cve/CVE-2016-6911.html
   https://www.suse.com/security/cve/CVE-2016-7568.html
   https://www.suse.com/security/cve/CVE-2016-8670.html
   https://bugzilla.suse.com/1001900
   https://bugzilla.suse.com/1004924
   https://bugzilla.suse.com/1005274


From sle-security-updates at lists.suse.com Wed Nov 2 06:06:52 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 2 Nov 2016 13:06:52 +0100 (CET)
Subject: SUSE-SU-2016:2696-1: important: Security update for bind
Message-ID: <20161102120652.45487FFC5@maintenance.suse.de>

   SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2696-1
Rating:             important
References:         #1007829
Cross-References:   CVE-2016-8864
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for bind fixes the following security issue:

   - A defect in BIND's handling of responses containing a DNAME answer had
     the potential to trigger assertion errors in the server remotely,
     thereby facilitating a denial-of-service attack. (CVE-2016-8864,
     bsc#1007829).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1587=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1587=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server for SAP 12 (noarch):

      bind-doc-9.9.9P1-28.23.1

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      bind-9.9.9P1-28.23.1
      bind-chrootenv-9.9.9P1-28.23.1
      bind-debuginfo-9.9.9P1-28.23.1
      bind-debugsource-9.9.9P1-28.23.1
      bind-libs-32bit-9.9.9P1-28.23.1
      bind-libs-9.9.9P1-28.23.1
      bind-libs-debuginfo-32bit-9.9.9P1-28.23.1
      bind-libs-debuginfo-9.9.9P1-28.23.1
      bind-utils-9.9.9P1-28.23.1
      bind-utils-debuginfo-9.9.9P1-28.23.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      bind-9.9.9P1-28.23.1
      bind-chrootenv-9.9.9P1-28.23.1
      bind-debuginfo-9.9.9P1-28.23.1
      bind-debugsource-9.9.9P1-28.23.1
      bind-libs-9.9.9P1-28.23.1
      bind-libs-debuginfo-9.9.9P1-28.23.1
      bind-utils-9.9.9P1-28.23.1
      bind-utils-debuginfo-9.9.9P1-28.23.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64):

      bind-libs-32bit-9.9.9P1-28.23.1
      bind-libs-debuginfo-32bit-9.9.9P1-28.23.1

   - SUSE Linux Enterprise Server 12-LTSS (noarch):

      bind-doc-9.9.9P1-28.23.1


References:

   https://www.suse.com/security/cve/CVE-2016-8864.html
   https://bugzilla.suse.com/1007829


From sle-security-updates at lists.suse.com Wed Nov 2 06:07:19 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 2 Nov 2016 13:07:19 +0100 (CET)
Subject: SUSE-SU-2016:2697-1: important: Security update for bind
Message-ID: <20161102120719.8469AFFC5@maintenance.suse.de>

   SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2697-1
Rating:             important
References:         #1007829 #965748
Cross-References:   CVE-2016-8864
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   This update for bind fixes the following issues:

   - A defect in BIND's handling of responses containing a DNAME answer had
     the potential to trigger assertion errors in the server remotely,
     thereby facilitating a denial-of-service attack. (CVE-2016-8864,
     bsc#1007829).
   - Fix BIND to return a valid hostname in response to ldapdump queries.
     (bsc#965748)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1588=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1588=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1588=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1588=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1588=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1588=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      bind-debuginfo-9.9.9P1-49.1
      bind-debugsource-9.9.9P1-49.1
      bind-devel-9.9.9P1-49.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      bind-debuginfo-9.9.9P1-49.1
      bind-debugsource-9.9.9P1-49.1
      bind-devel-9.9.9P1-49.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      bind-9.9.9P1-49.1
      bind-chrootenv-9.9.9P1-49.1
      bind-debuginfo-9.9.9P1-49.1
      bind-debugsource-9.9.9P1-49.1
      bind-libs-9.9.9P1-49.1
      bind-libs-debuginfo-9.9.9P1-49.1
      bind-utils-9.9.9P1-49.1
      bind-utils-debuginfo-9.9.9P1-49.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      bind-libs-32bit-9.9.9P1-49.1
      bind-libs-debuginfo-32bit-9.9.9P1-49.1

   - SUSE Linux Enterprise Server 12-SP2 (noarch):

      bind-doc-9.9.9P1-49.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      bind-9.9.9P1-49.1
      bind-chrootenv-9.9.9P1-49.1
      bind-debuginfo-9.9.9P1-49.1
      bind-debugsource-9.9.9P1-49.1
      bind-libs-9.9.9P1-49.1
      bind-libs-debuginfo-9.9.9P1-49.1
      bind-utils-9.9.9P1-49.1
      bind-utils-debuginfo-9.9.9P1-49.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      bind-libs-32bit-9.9.9P1-49.1
      bind-libs-debuginfo-32bit-9.9.9P1-49.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      bind-doc-9.9.9P1-49.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      bind-debuginfo-9.9.9P1-49.1
      bind-debugsource-9.9.9P1-49.1
      bind-libs-32bit-9.9.9P1-49.1
      bind-libs-9.9.9P1-49.1
      bind-libs-debuginfo-32bit-9.9.9P1-49.1
      bind-libs-debuginfo-9.9.9P1-49.1
      bind-utils-9.9.9P1-49.1
      bind-utils-debuginfo-9.9.9P1-49.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      bind-debuginfo-9.9.9P1-49.1
      bind-debugsource-9.9.9P1-49.1
      bind-libs-32bit-9.9.9P1-49.1
      bind-libs-9.9.9P1-49.1
      bind-libs-debuginfo-32bit-9.9.9P1-49.1
      bind-libs-debuginfo-9.9.9P1-49.1
      bind-utils-9.9.9P1-49.1
      bind-utils-debuginfo-9.9.9P1-49.1


References:

   https://www.suse.com/security/cve/CVE-2016-8864.html
   https://bugzilla.suse.com/1007829
   https://bugzilla.suse.com/965748


From sle-security-updates at lists.suse.com Wed Nov 2 09:07:52 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 2 Nov 2016 16:07:52 +0100 (CET)
Subject: SUSE-SU-2016:2699-1: important: Security update for curl
Message-ID: <20161102150752.EA45BFFC1@maintenance.suse.de>

   SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2699-1
Rating:             important
References:         #1005633 #1005634 #1005635 #1005637 #1005638 #1005640
                    #1005642 #1005643 #1005645 #1005646 #998760
Cross-References:   CVE-2016-7167 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617
                    CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621
                    CVE-2016-8622 CVE-2016-8623 CVE-2016-8624
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.
Description:

   This update for curl fixes the following security issues:

   - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
   - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
   - CVE-2016-8622: URL unescape heap overflow via integer truncation
     (bsc#1005643)
   - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
   - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
   - CVE-2016-8619: double-free in krb5 code (bsc#1005638)
   - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
   - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
   - CVE-2016-8616: case insensitive password comparison (bsc#1005634)
   - CVE-2016-8615: cookie injection for other servers (bsc#1005633)
   - CVE-2016-7167: escape and unescape integer overflows (bsc#998760)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1591=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1591=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1591=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      curl-debuginfo-7.37.0-31.1
      curl-debugsource-7.37.0-31.1
      libcurl-devel-7.37.0-31.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      curl-7.37.0-31.1
      curl-debuginfo-7.37.0-31.1
      curl-debugsource-7.37.0-31.1
      libcurl4-7.37.0-31.1
      libcurl4-debuginfo-7.37.0-31.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libcurl4-32bit-7.37.0-31.1
      libcurl4-debuginfo-32bit-7.37.0-31.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      curl-7.37.0-31.1
      curl-debuginfo-7.37.0-31.1
      curl-debugsource-7.37.0-31.1
      libcurl4-32bit-7.37.0-31.1
      libcurl4-7.37.0-31.1
      libcurl4-debuginfo-32bit-7.37.0-31.1
      libcurl4-debuginfo-7.37.0-31.1


References:

   https://www.suse.com/security/cve/CVE-2016-7167.html
   https://www.suse.com/security/cve/CVE-2016-8615.html
   https://www.suse.com/security/cve/CVE-2016-8616.html
   https://www.suse.com/security/cve/CVE-2016-8617.html
   https://www.suse.com/security/cve/CVE-2016-8618.html
   https://www.suse.com/security/cve/CVE-2016-8619.html
   https://www.suse.com/security/cve/CVE-2016-8620.html
   https://www.suse.com/security/cve/CVE-2016-8621.html
   https://www.suse.com/security/cve/CVE-2016-8622.html
   https://www.suse.com/security/cve/CVE-2016-8623.html
   https://www.suse.com/security/cve/CVE-2016-8624.html
   https://bugzilla.suse.com/1005633
   https://bugzilla.suse.com/1005634
   https://bugzilla.suse.com/1005635
   https://bugzilla.suse.com/1005637
   https://bugzilla.suse.com/1005638
   https://bugzilla.suse.com/1005640
   https://bugzilla.suse.com/1005642
   https://bugzilla.suse.com/1005643
   https://bugzilla.suse.com/1005645
   https://bugzilla.suse.com/1005646
   https://bugzilla.suse.com/998760


From sle-security-updates at lists.suse.com Wed Nov 2 09:09:53 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 2 Nov 2016 16:09:53 +0100 (CET)
Subject: SUSE-SU-2016:2700-1: important: Security update for curl
Message-ID: <20161102150953.B4FD3FFC5@maintenance.suse.de>

   SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2700-1
Rating:             important
References:         #1005633 #1005634 #1005635 #1005637 #1005638 #1005642
                    #1005645 #1005646 #997420 #998760
Cross-References:   CVE-2016-5420 CVE-2016-7141 CVE-2016-7167 CVE-2016-8615
                    CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619
                    CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623
                    CVE-2016-8624
Affected Products:
                    SUSE Studio Onsite 1.3
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.

Description:

   This update for curl fixes the following issues:

   - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
   - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
   - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
   - CVE-2016-8619: double-free in krb5 code (bsc#1005638)
   - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
   - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
   - CVE-2016-8616: case insensitive password comparison (bsc#1005634)
   - CVE-2016-8615: cookie injection for other servers (bsc#1005633)
   - CVE-2016-7167: escape and unescape integer overflows (bsc#998760)
   - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS not
     fixed in CVE-2016-5420 (bsc#997420)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-curl-12827=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Studio Onsite 1.3 (x86_64):
      libcurl-devel-7.19.7-1.20.47.2

References:

   https://www.suse.com/security/cve/CVE-2016-5420.html
   https://www.suse.com/security/cve/CVE-2016-7141.html
   https://www.suse.com/security/cve/CVE-2016-7167.html
   https://www.suse.com/security/cve/CVE-2016-8615.html
   https://www.suse.com/security/cve/CVE-2016-8616.html
   https://www.suse.com/security/cve/CVE-2016-8617.html
   https://www.suse.com/security/cve/CVE-2016-8618.html
   https://www.suse.com/security/cve/CVE-2016-8619.html
   https://www.suse.com/security/cve/CVE-2016-8620.html
   https://www.suse.com/security/cve/CVE-2016-8621.html
   https://www.suse.com/security/cve/CVE-2016-8622.html
   https://www.suse.com/security/cve/CVE-2016-8623.html
   https://www.suse.com/security/cve/CVE-2016-8624.html
   https://bugzilla.suse.com/1005633
   https://bugzilla.suse.com/1005634
   https://bugzilla.suse.com/1005635
   https://bugzilla.suse.com/1005637
   https://bugzilla.suse.com/1005638
   https://bugzilla.suse.com/1005642
   https://bugzilla.suse.com/1005645
   https://bugzilla.suse.com/1005646
   https://bugzilla.suse.com/997420
   https://bugzilla.suse.com/998760

From sle-security-updates at lists.suse.com  Wed Nov  2 13:07:05 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 2 Nov 2016 20:07:05 +0100 (CET)
Subject: SUSE-SU-2016:2704-1: moderate: Security update for python-suds-jurko
Message-ID: <20161102190705.E94F0FFC0@maintenance.suse.de>

   SUSE Security Update: Security update for python-suds-jurko
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2704-1
Rating:             moderate
References:         #827568
Cross-References:   CVE-2013-2217
Affected Products:
                    SUSE OpenStack Cloud 6
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-suds-jurko fixes the following issues:

   - CVE-2013-2217: A temporary directory was used in an insecure fashion when
     initializing file-based URL cache. (bsc#827568)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 6:
      zypper in -t patch SUSE-OpenStack-Cloud-6-2016-1595=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 6 (noarch):
      python-suds-jurko-0.6-4.1

References:

   https://www.suse.com/security/cve/CVE-2013-2217.html
   https://bugzilla.suse.com/827568

From sle-security-updates at lists.suse.com  Wed Nov  2 14:06:58 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 2 Nov 2016 21:06:58 +0100 (CET)
Subject: SUSE-SU-2016:2706-1: important: Security update for bind
Message-ID: <20161102200658.17C86FFC5@maintenance.suse.de>

   SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2706-1
Rating:             important
References:         #1007829 #965748
Cross-References:   CVE-2016-8864
Affected Products:
                    SUSE OpenStack Cloud 5
                    SUSE Manager Proxy 2.1
                    SUSE Manager 2.1
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.
Description:

   This update for bind fixes the following issues:

   - A defect in BIND's handling of responses containing a DNAME answer had the
     potential to trigger assertion errors in the server remotely, thereby
     facilitating a denial-of-service attack. (CVE-2016-8864, bsc#1007829)
   - Fix BIND to return a valid hostname in response to ldapdump queries.
     (bsc#965748)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:
      zypper in -t patch sleclo50sp3-bind-12829=1
   - SUSE Manager Proxy 2.1:
      zypper in -t patch slemap21-bind-12829=1
   - SUSE Manager 2.1:
      zypper in -t patch sleman21-bind-12829=1
   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-bind-12829=1
   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-bind-12829=1
   - SUSE Linux Enterprise Server 11-SP3-LTSS:
      zypper in -t patch slessp3-bind-12829=1
   - SUSE Linux Enterprise Server 11-SP2-LTSS:
      zypper in -t patch slessp2-bind-12829=1
   - SUSE Linux Enterprise Point of Sale 11-SP3:
      zypper in -t patch sleposp3-bind-12829=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-bind-12829=1
   - SUSE Linux Enterprise Debuginfo 11-SP3:
      zypper in -t patch dbgsp3-bind-12829=1
   - SUSE Linux Enterprise Debuginfo 11-SP2:
      zypper in -t patch dbgsp2-bind-12829=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE OpenStack Cloud 5 (x86_64):
      bind-9.9.6P1-0.33.1
      bind-chrootenv-9.9.6P1-0.33.1
      bind-doc-9.9.6P1-0.33.1
      bind-libs-32bit-9.9.6P1-0.33.1
      bind-libs-9.9.6P1-0.33.1
      bind-utils-9.9.6P1-0.33.1

   - SUSE Manager Proxy 2.1 (x86_64):
      bind-9.9.6P1-0.33.1
      bind-chrootenv-9.9.6P1-0.33.1
      bind-doc-9.9.6P1-0.33.1
      bind-libs-32bit-9.9.6P1-0.33.1
      bind-libs-9.9.6P1-0.33.1
      bind-utils-9.9.6P1-0.33.1

   - SUSE Manager 2.1 (s390x x86_64):
      bind-9.9.6P1-0.33.1
      bind-chrootenv-9.9.6P1-0.33.1
      bind-doc-9.9.6P1-0.33.1
      bind-libs-32bit-9.9.6P1-0.33.1
      bind-libs-9.9.6P1-0.33.1
      bind-utils-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      bind-devel-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64):
      bind-devel-32bit-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      bind-9.9.6P1-0.33.1
      bind-chrootenv-9.9.6P1-0.33.1
      bind-doc-9.9.6P1-0.33.1
      bind-libs-9.9.6P1-0.33.1
      bind-utils-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
      bind-libs-32bit-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):
      bind-libs-x86-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):
      bind-9.9.6P1-0.33.1
      bind-chrootenv-9.9.6P1-0.33.1
      bind-doc-9.9.6P1-0.33.1
      bind-libs-9.9.6P1-0.33.1
      bind-utils-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64):
      bind-libs-32bit-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):
      bind-9.9.6P1-0.33.1
      bind-chrootenv-9.9.6P1-0.33.1
      bind-devel-9.9.6P1-0.33.1
      bind-doc-9.9.6P1-0.33.1
      bind-libs-9.9.6P1-0.33.1
      bind-utils-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64):
      bind-libs-32bit-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
      bind-9.9.6P1-0.33.1
      bind-chrootenv-9.9.6P1-0.33.1
      bind-doc-9.9.6P1-0.33.1
      bind-libs-9.9.6P1-0.33.1
      bind-utils-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      bind-debuginfo-9.9.6P1-0.33.1
      bind-debugsource-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      bind-debuginfo-9.9.6P1-0.33.1
      bind-debugsource-9.9.6P1-0.33.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):
      bind-debuginfo-9.9.6P1-0.33.1
      bind-debugsource-9.9.6P1-0.33.1

References:

   https://www.suse.com/security/cve/CVE-2016-8864.html
   https://bugzilla.suse.com/1007829
   https://bugzilla.suse.com/965748

From sle-security-updates at lists.suse.com  Thu Nov  3 04:13:25 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 3 Nov 2016 11:13:25 +0100 (CET)
Subject: SUSE-SU-2016:2697-2: important: Security update for bind
Message-ID: <20161103101325.88199FFC4@maintenance.suse.de>

   SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2697-2
Rating:             important
References:         #1007829 #965748
Cross-References:   CVE-2016-8864
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for bind fixes the following issues:

   - A defect in BIND's handling of responses containing a DNAME answer had the
     potential to trigger assertion errors in the server remotely, thereby
     facilitating a denial-of-service attack. (CVE-2016-8864, bsc#1007829)
   - Fix BIND to return a valid hostname in response to ldapdump queries.
     (bsc#965748)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1588=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      bind-9.9.9P1-49.1
      bind-chrootenv-9.9.9P1-49.1
      bind-debuginfo-9.9.9P1-49.1
      bind-debugsource-9.9.9P1-49.1
      bind-libs-9.9.9P1-49.1
      bind-libs-debuginfo-9.9.9P1-49.1
      bind-utils-9.9.9P1-49.1
      bind-utils-debuginfo-9.9.9P1-49.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):
      bind-doc-9.9.9P1-49.1

References:

   https://www.suse.com/security/cve/CVE-2016-8864.html
   https://bugzilla.suse.com/1007829
   https://bugzilla.suse.com/965748

From sle-security-updates at lists.suse.com  Thu Nov  3 08:08:41 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 3 Nov 2016 15:08:41 +0100 (CET)
Subject: SUSE-SU-2016:2714-1: important: Security update for curl
Message-ID: <20161103140841.5DC64FFC5@maintenance.suse.de>

   SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2714-1
Rating:             important
References:         #1005633 #1005634 #1005635 #1005637 #1005638 #1005642
                    #1005645 #1005646 #998760
Cross-References:   CVE-2016-7167 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617
                    CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621
                    CVE-2016-8622 CVE-2016-8623 CVE-2016-8624
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SECURITY
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.
Description:

   This update for curl fixes the following security issues:

   - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
   - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
   - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
   - CVE-2016-8619: double-free in krb5 code (bsc#1005638)
   - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
   - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
   - CVE-2016-8616: case insensitive password comparison (bsc#1005634)
   - CVE-2016-8615: cookie injection for other servers (bsc#1005633)
   - CVE-2016-7167: escape and unescape integer overflows (bsc#998760)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-curl-12831=1
   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-curl-12831=1
   - SUSE Linux Enterprise Server 11-SECURITY:
      zypper in -t patch secsp3-curl-12831=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-curl-12831=1

   To bring your system up-to-date, use "zypper patch".
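The zypper commands above pull in the fix, but a practitioner still wants to confirm that a host actually runs the fixed build. That means comparing what `rpm -q` reports against the NVRs in the advisory's package list using rpm's version rules rather than a plain string compare (1.64.1 is newer than 1.9.1, and 9.9.6P1 is newer than 9.9.6). The block below is an added example, not rpm's or zypper's own code: a C reimplementation of rpm's version comparison plus a name-version-release check, run on constructed `rpm -q` output against the curl NVRs this advisory lists for SUSE Linux Enterprise Server 11-SP4. It serves the Patch Instructions sections of every advisory on this page. The function names are made up for the example; epochs and rpm's '^' rule are left out.

```c
/* Added example, not rpm's or zypper's own code: an rpmvercmp-style version
 * comparison so that the NVR a host reports (`rpm -q curl`) can be checked
 * against the fixed NVR in an advisory's package list. Follows rpm's segment
 * rules (numeric and alphabetic runs compared separately, '~' sorts before
 * anything); epochs and the '^' rule are left out. All names are made up. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Compare two version (or release) strings: <0, 0, >0 like strcmp. */
int rpmvercmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0) return 0;
    while (*a || *b) {
        /* separators (anything that is neither alnum nor '~') are skipped */
        while (*a && !isalnum((unsigned char)*a) && *a != '~') a++;
        while (*b && !isalnum((unsigned char)*b) && *b != '~') b++;
        /* '~' sorts before everything, even end of string: 1.0~rc1 < 1.0 */
        if (*a == '~' || *b == '~') {
            if (*a != '~') return 1;
            if (*b != '~') return -1;
            a++; b++; continue;
        }
        if (!*a || !*b) break;
        const char *sa = a, *sb = b;
        int isnum = isdigit((unsigned char)*a) != 0;
        if (isnum) {
            while (isdigit((unsigned char)*sa)) sa++;
            while (isdigit((unsigned char)*sb)) sb++;
        } else {
            while (isalpha((unsigned char)*sa)) sa++;
            while (isalpha((unsigned char)*sb)) sb++;
        }
        if (sb == b) return isnum ? 1 : -1;   /* segment kinds differ: numeric wins */
        int rc;
        if (isnum) {
            while (a < sa && *a == '0') a++;  /* drop leading zeros, then the */
            while (b < sb && *b == '0') b++;  /* longer number is the bigger one */
            size_t la = (size_t)(sa - a), lb = (size_t)(sb - b);
            if (la != lb) return la > lb ? 1 : -1;
            rc = strncmp(a, b, la);
        } else {
            size_t la = (size_t)(sa - a), lb = (size_t)(sb - b);
            rc = strncmp(a, b, la < lb ? la : lb);
            if (rc == 0 && la != lb) rc = la < lb ? -1 : 1;
        }
        if (rc != 0) return rc < 0 ? -1 : 1;
        a = sa; b = sb;
    }
    if (!*a && !*b) return 0;
    return *a ? 1 : -1;
}

/* Split "name-version-release" at its last two '-' inside the caller's buffer. */
static int split_nvr(const char *nvr, char *buf, size_t bufsz,
                     const char **name, const char **ver, const char **rel)
{
    if (strlen(nvr) >= bufsz) return 0;
    strcpy(buf, nvr);
    char *r = strrchr(buf, '-');
    if (r == NULL) return 0;
    *r = '\0';
    char *v = strrchr(buf, '-');
    if (v == NULL) return 0;
    *v = '\0';
    *name = buf; *ver = v + 1; *rel = r + 1;
    return 1;
}

/* 1 if `installed` is the fixed build or newer, 0 if older, -1 if the
 * package names differ or either string is not a name-version-release. */
int package_is_patched(const char *installed, const char *fixed)
{
    char bi[256], bf[256];
    const char *ni, *vi, *ri, *nf, *vf, *rf;
    if (!split_nvr(installed, bi, sizeof bi, &ni, &vi, &ri) ||
        !split_nvr(fixed, bf, sizeof bf, &nf, &vf, &rf) || strcmp(ni, nf) != 0)
        return -1;
    int rc = rpmvercmp(vi, vf);
    if (rc == 0) rc = rpmvercmp(ri, rf);   /* same version: the release decides */
    return rc >= 0;
}

int main(void)
{
    /* Constructed `rpm -q` output for one host, checked against the NVRs the
     * advisory lists for SUSE Linux Enterprise Server 11-SP4. */
    static const struct { const char *have, *want; } checks[] = {
        { "curl-7.19.7-1.63.1",          "curl-7.19.7-1.64.1" },
        { "libcurl4-7.19.7-1.64.1",      "libcurl4-7.19.7-1.64.1" },
        { "curl-openssl1-7.19.7-1.64.1", "curl-7.19.7-1.64.1" },
    };
    static const char *verdict[] = { "NOT patched", "patched", "not comparable" };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++) {
        int rc = package_is_patched(checks[i].have, checks[i].want);
        printf("%-30s vs %-24s %s\n", checks[i].have, checks[i].want, verdict[rc < 0 ? 2 : rc]);
    }
    return 0;
}
```

The third row is deliberate: curl-openssl1 is the 11-SECURITY build of the same source and is listed separately in the advisory, so a check keyed on the package name must not silently accept it as "curl". On a live SUSE host `rpm -q curl libcurl4` gives the installed NVRs and `zypper versioncmp` compares two version strings with the same rules.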
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      libcurl-devel-7.19.7-1.64.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      curl-7.19.7-1.64.1
      libcurl4-7.19.7-1.64.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
      libcurl4-32bit-7.19.7-1.64.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):
      libcurl4-x86-7.19.7-1.64.1

   - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):
      curl-openssl1-7.19.7-1.64.1
      libcurl4-openssl1-7.19.7-1.64.1

   - SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64):
      libcurl4-openssl1-32bit-7.19.7-1.64.1

   - SUSE Linux Enterprise Server 11-SECURITY (ia64):
      libcurl4-openssl1-x86-7.19.7-1.64.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      curl-debuginfo-7.19.7-1.64.1
      curl-debugsource-7.19.7-1.64.1

References:

   https://www.suse.com/security/cve/CVE-2016-7167.html
   https://www.suse.com/security/cve/CVE-2016-8615.html
   https://www.suse.com/security/cve/CVE-2016-8616.html
   https://www.suse.com/security/cve/CVE-2016-8617.html
   https://www.suse.com/security/cve/CVE-2016-8618.html
   https://www.suse.com/security/cve/CVE-2016-8619.html
   https://www.suse.com/security/cve/CVE-2016-8620.html
   https://www.suse.com/security/cve/CVE-2016-8621.html
   https://www.suse.com/security/cve/CVE-2016-8622.html
   https://www.suse.com/security/cve/CVE-2016-8623.html
   https://www.suse.com/security/cve/CVE-2016-8624.html
   https://bugzilla.suse.com/1005633
   https://bugzilla.suse.com/1005634
   https://bugzilla.suse.com/1005635
   https://bugzilla.suse.com/1005637
   https://bugzilla.suse.com/1005638
   https://bugzilla.suse.com/1005642
   https://bugzilla.suse.com/1005645
   https://bugzilla.suse.com/1005646
   https://bugzilla.suse.com/998760

From sle-security-updates at lists.suse.com  Fri Nov  4 08:07:01 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 4 Nov 2016 15:07:01 +0100 (CET)
Subject: SUSE-SU-2016:2723-1: moderate: Security update for ghostscript-library
Message-ID: <20161104140701.E88D4FFC0@maintenance.suse.de>

   SUSE Security Update: Security update for ghostscript-library
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2723-1
Rating:             moderate
References:         #1004237
Cross-References:   CVE-2016-8602
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for ghostscript fixes the following issues:

   - CVE-2016-8602: Insufficient parameter check in .sethalftone5 (bsc#1004237)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-ghostscript-12834=1
   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-ghostscript-12834=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-ghostscript-12834=1

   To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): ghostscript-devel-8.62-32.41.1 ghostscript-ijs-devel-8.62-32.41.1 libgimpprint-devel-4.2.7-32.41.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): ghostscript-fonts-other-8.62-32.41.1 ghostscript-fonts-rus-8.62-32.41.1 ghostscript-fonts-std-8.62-32.41.1 ghostscript-library-8.62-32.41.1 ghostscript-omni-8.62-32.41.1 ghostscript-x11-8.62-32.41.1 libgimpprint-4.2.7-32.41.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): ghostscript-library-debuginfo-8.62-32.41.1 ghostscript-library-debugsource-8.62-32.41.1 References: https://www.suse.com/security/cve/CVE-2016-8602.html https://bugzilla.suse.com/1004237 From sle-security-updates at lists.suse.com Fri Nov 4 08:07:30 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 4 Nov 2016 15:07:30 +0100 (CET) Subject: SUSE-SU-2016:2724-1: moderate: Security update for GraphicsMagick Message-ID: <20161104140730.CF8FCFFC5@maintenance.suse.de> SUSE Security Update: Security update for GraphicsMagick ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:2724-1 Rating: moderate References: #1000399 #1000434 #1000436 #1000689 #1000690 #1000691 #1000692 #1000693 #1000695 #1000698 #1000700 #1000704 #1000707 #1000711 #1001066 #1001221 #1002206 #1002209 #1002422 #1003629 #1005123 #1005125 #1005127 #999673 Cross-References: CVE-2015-8957 CVE-2015-8958 CVE-2016-6823 CVE-2016-7101 CVE-2016-7446 CVE-2016-7447 CVE-2016-7448 CVE-2016-7449 CVE-2016-7515 CVE-2016-7516 CVE-2016-7517 CVE-2016-7519 CVE-2016-7522 CVE-2016-7524 CVE-2016-7527 CVE-2016-7528 CVE-2016-7529 CVE-2016-7531 CVE-2016-7533 CVE-2016-7537 CVE-2016-7800 CVE-2016-7996 CVE-2016-7997 CVE-2016-8682 CVE-2016-8683 CVE-2016-8684 Affected Products: SUSE Studio Onsite 1.3 SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux 
Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes 26 vulnerabilities is now available. Description: This update for GraphicsMagick fixes the following issues: These vulnerabilities could be triggered by processing specially crafted image files, which could lead to a process crash or resource consumtion, or potentially have unspecified futher impact. - CVE-2016-8684: Mismatch between real filesize and header values (bsc#1005123) - CVE-2016-8683: Check that filesize is reasonable compared to the header value (bsc#1005127) - CVE-2016-8682: Stack-buffer read overflow while reading SCT header (bsc#1005125) - CVE-2016-7996, CVE-2016-7997: WPG Reader Issues (bsc#1003629) - CVE-2016-7800: 8BIM/8BIMW unsigned underflow leads to heap overflow (bsc#1002422) - CVE-2016-7537: Out of bound access for corrupted pdb file (bsc#1000711) - CVE-2016-7533: Wpg file out of bound for corrupted file (bsc#1000707) - CVE-2016-7531: Pbd file out of bound access (bsc#1000704) - CVE-2016-7529: Out-of-bound in quantum handling (bsc#1000399) - CVE-2016-7528: Out-of-bound access in xcf file coder (bsc#1000434) - CVE-2016-7527: Out-of-bound access in wpg file coder: (bsc#1000436) - CVE-2016-7524: AddressSanitizer:heap-buffer-overflow READ of size 1 in meta.c:465 (bsc#1000700) - CVE-2016-7522: Out of bound access for malformed psd file (bsc#1000698) - CVE-2016-7519: Out-of-bounds read in coders/rle.c (bsc#1000695) - CVE-2016-7517: Out-of-bounds read in coders/pict.c (bsc#1000693) - CVE-2016-7516: Out-of-bounds problem in rle, pict, viff and sun files (bsc#1000692) - CVE-2016-7515: Rle file handling for corrupted file (bsc#1000689) - CVE-2016-7446 CVE-2016-7447 CVE-2016-7448 CVE-2016-7449: various issues fixed in 1.3.25 (bsc#999673) - CVE-2016-7101: SGI Coder Out-Of-Bounds Read Vulnerability (bsc#1001221) - CVE-2016-6823: BMP Coder Out-Of-Bounds Write Vulnerability (bsc#1001066) - CVE-2015-8958: Potential DOS in sun file 
handling due to malformed files (bsc#1000691) - CVE-2015-8957: Buffer overflow in sun file handling (bsc#1000690) - Divide by zero in WriteTIFFImage (bsc#1002206) - Buffer overflows in SIXEL, PDB, MAP, and TIFF coders (bsc#1002209) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Studio Onsite 1.3: zypper in -t patch slestso13-GraphicsMagick-12835=1 - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-GraphicsMagick-12835=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-GraphicsMagick-12835=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Studio Onsite 1.3 (x86_64): GraphicsMagick-1.2.5-4.46.1 libGraphicsMagick2-1.2.5-4.46.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): GraphicsMagick-1.2.5-4.46.1 libGraphicsMagick2-1.2.5-4.46.1 perl-GraphicsMagick-1.2.5-4.46.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): GraphicsMagick-debuginfo-1.2.5-4.46.1 GraphicsMagick-debugsource-1.2.5-4.46.1 References: https://www.suse.com/security/cve/CVE-2015-8957.html https://www.suse.com/security/cve/CVE-2015-8958.html https://www.suse.com/security/cve/CVE-2016-6823.html https://www.suse.com/security/cve/CVE-2016-7101.html https://www.suse.com/security/cve/CVE-2016-7446.html https://www.suse.com/security/cve/CVE-2016-7447.html https://www.suse.com/security/cve/CVE-2016-7448.html https://www.suse.com/security/cve/CVE-2016-7449.html https://www.suse.com/security/cve/CVE-2016-7515.html https://www.suse.com/security/cve/CVE-2016-7516.html https://www.suse.com/security/cve/CVE-2016-7517.html https://www.suse.com/security/cve/CVE-2016-7519.html https://www.suse.com/security/cve/CVE-2016-7522.html https://www.suse.com/security/cve/CVE-2016-7524.html https://www.suse.com/security/cve/CVE-2016-7527.html 
https://www.suse.com/security/cve/CVE-2016-7528.html https://www.suse.com/security/cve/CVE-2016-7529.html https://www.suse.com/security/cve/CVE-2016-7531.html https://www.suse.com/security/cve/CVE-2016-7533.html https://www.suse.com/security/cve/CVE-2016-7537.html https://www.suse.com/security/cve/CVE-2016-7800.html https://www.suse.com/security/cve/CVE-2016-7996.html https://www.suse.com/security/cve/CVE-2016-7997.html https://www.suse.com/security/cve/CVE-2016-8682.html https://www.suse.com/security/cve/CVE-2016-8683.html https://www.suse.com/security/cve/CVE-2016-8684.html https://bugzilla.suse.com/1000399 https://bugzilla.suse.com/1000434 https://bugzilla.suse.com/1000436 https://bugzilla.suse.com/1000689 https://bugzilla.suse.com/1000690 https://bugzilla.suse.com/1000691 https://bugzilla.suse.com/1000692 https://bugzilla.suse.com/1000693 https://bugzilla.suse.com/1000695 https://bugzilla.suse.com/1000698 https://bugzilla.suse.com/1000700 https://bugzilla.suse.com/1000704 https://bugzilla.suse.com/1000707 https://bugzilla.suse.com/1000711 https://bugzilla.suse.com/1001066 https://bugzilla.suse.com/1001221 https://bugzilla.suse.com/1002206 https://bugzilla.suse.com/1002209 https://bugzilla.suse.com/1002422 https://bugzilla.suse.com/1003629 https://bugzilla.suse.com/1005123 https://bugzilla.suse.com/1005125 https://bugzilla.suse.com/1005127 https://bugzilla.suse.com/999673 From sle-security-updates at lists.suse.com Fri Nov 4 08:11:19 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 4 Nov 2016 15:11:19 +0100 (CET) Subject: SUSE-SU-2016:2725-1: important: Security update for xen Message-ID: <20161104141119.972D4FFC5@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:2725-1 Rating: important References: #954872 #961600 #963161 #973188 #973631 #974038 #975130 #975138 #976470 #978164 #978295 
#978413 #980716 #980724 #981264 #982224 #982225 #982960 #983984 #985503 #988675 #990843 #990923 #995785 #995792 Cross-References: CVE-2014-3615 CVE-2014-3672 CVE-2016-3158 CVE-2016-3159 CVE-2016-3710 CVE-2016-3712 CVE-2016-3960 CVE-2016-4001 CVE-2016-4002 CVE-2016-4439 CVE-2016-4441 CVE-2016-4453 CVE-2016-4454 CVE-2016-4480 CVE-2016-5238 CVE-2016-5338 CVE-2016-5403 CVE-2016-6258 CVE-2016-6351 CVE-2016-7092 CVE-2016-7094 Affected Products: SUSE OpenStack Cloud 5 SUSE Manager Proxy 2.1 SUSE Manager 2.1 SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that solves 21 vulnerabilities and has four fixes is now available. Description: This update for xen fixes several issues. These security issues were fixed: - CVE-2016-7094: Buffer overflow in Xen allowed local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update (bsc#995792) - CVE-2016-7092: The get_page_from_l3e function in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables (bsc#995785) - CVE-2016-5403: Unbounded memory allocation allowed a guest administrator to cause a denial of service of the host (bsc#990923) - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with ESP/NCR53C9x controller emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the host via vectors involving DMA read into ESP command buffer (bsc#990843) - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries (bsc#988675) - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions allowed local guest OS 
administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the host via vectors related to the information transfer buffer (bsc#983984) - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c might have allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982960) - CVE-2016-4453: The vmsvga_fifo_run function allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982225) - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggered an out-of-bounds read (bsc#982224) - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr (bsc#981264) - CVE-2016-4441: The get_cmd function in the 53C9X Fast SCSI Controller (FSC) support did not properly check DMA length, which allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command (bsc#980724) - CVE-2016-4439: The esp_reg_write function in the 53C9X Fast SCSI Controller (FSC) support did not properly check command buffer length, which allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the host via unspecified vectors (bsc#980716) - CVE-2016-3710: The VGA module improperly performed bounds checking on banked access to video memory, which allowed local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the 
"Dark Portal" issue (bsc#978164) - CVE-2016-4480: The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen did not properly handle the Page Size (PS) page table entry bit at the L4 and L3 page table levels, which might have allowed local guest OS users to gain privileges via a crafted mapping of memory (bsc#978295) - CVE-2016-3960: Integer overflow in the x86 shadow pagetable code allowed local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping (bsc#974038) - CVE-2016-3158: The xrstor function did not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allowed local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits (bsc#973188) - CVE-2016-4001: Buffer overflow in the stellaris_enet_receive function, when the Stellaris ethernet controller is configured to accept large packets, allowed remote attackers to cause a denial of service (QEMU crash) via a large packet (bsc#975130) - CVE-2016-4002: Buffer overflow in the mipsnet_receive function, when the guest NIC is configured to accept large packets, allowed remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes (bsc#975138) These non-security issues were fixed: - bsc#985503: vif-route broken - bsc#978413: PV guest upgrade from sles11sp4 to sles12sp2 alpha3 failed on sles11sp4 xen host. 
   - bsc#954872: Script block-dmmd not working as expected - libxl: error: libxl_dm.c (another modification)
   - bsc#961600: Poor performance when Xen HVM domU configured with max memory > current memory
   - bsc#963161: Windows VM getting stuck during load while a VF is assigned to it after upgrading to latest maintenance updates
   - bsc#976470: Xend fails to start
   - bsc#973631: AWS EC2 kdump issue

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:
      zypper in -t patch sleclo50sp3-xen-12836=1
   - SUSE Manager Proxy 2.1:
      zypper in -t patch slemap21-xen-12836=1
   - SUSE Manager 2.1:
      zypper in -t patch sleman21-xen-12836=1
   - SUSE Linux Enterprise Server 11-SP3-LTSS:
      zypper in -t patch slessp3-xen-12836=1
   - SUSE Linux Enterprise Point of Sale 11-SP3:
      zypper in -t patch sleposp3-xen-12836=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (x86_64):
      xen-4.2.5_21-27.1 xen-doc-html-4.2.5_21-27.1 xen-doc-pdf-4.2.5_21-27.1 xen-kmp-default-4.2.5_21_3.0.101_0.47.86-27.1 xen-libs-32bit-4.2.5_21-27.1 xen-libs-4.2.5_21-27.1 xen-tools-4.2.5_21-27.1 xen-tools-domU-4.2.5_21-27.1
   - SUSE Manager Proxy 2.1 (x86_64):
      xen-4.2.5_21-27.1 xen-doc-html-4.2.5_21-27.1 xen-doc-pdf-4.2.5_21-27.1 xen-kmp-default-4.2.5_21_3.0.101_0.47.86-27.1 xen-libs-32bit-4.2.5_21-27.1 xen-libs-4.2.5_21-27.1 xen-tools-4.2.5_21-27.1 xen-tools-domU-4.2.5_21-27.1
   - SUSE Manager 2.1 (x86_64):
      xen-4.2.5_21-27.1 xen-doc-html-4.2.5_21-27.1 xen-doc-pdf-4.2.5_21-27.1 xen-kmp-default-4.2.5_21_3.0.101_0.47.86-27.1 xen-libs-32bit-4.2.5_21-27.1 xen-libs-4.2.5_21-27.1 xen-tools-4.2.5_21-27.1 xen-tools-domU-4.2.5_21-27.1
   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):
      xen-kmp-default-4.2.5_21_3.0.101_0.47.86-27.1 xen-libs-4.2.5_21-27.1 xen-tools-domU-4.2.5_21-27.1
   - SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64):
      xen-4.2.5_21-27.1 xen-doc-html-4.2.5_21-27.1 xen-doc-pdf-4.2.5_21-27.1 xen-libs-32bit-4.2.5_21-27.1 xen-tools-4.2.5_21-27.1
   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586):
      xen-kmp-pae-4.2.5_21_3.0.101_0.47.86-27.1
   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
      xen-kmp-default-4.2.5_21_3.0.101_0.47.86-27.1 xen-kmp-pae-4.2.5_21_3.0.101_0.47.86-27.1 xen-libs-4.2.5_21-27.1 xen-tools-domU-4.2.5_21-27.1

References:

   https://www.suse.com/security/cve/CVE-2014-3615.html
   https://www.suse.com/security/cve/CVE-2014-3672.html
   https://www.suse.com/security/cve/CVE-2016-3158.html
   https://www.suse.com/security/cve/CVE-2016-3159.html
   https://www.suse.com/security/cve/CVE-2016-3710.html
   https://www.suse.com/security/cve/CVE-2016-3712.html
   https://www.suse.com/security/cve/CVE-2016-3960.html
   https://www.suse.com/security/cve/CVE-2016-4001.html
   https://www.suse.com/security/cve/CVE-2016-4002.html
   https://www.suse.com/security/cve/CVE-2016-4439.html
   https://www.suse.com/security/cve/CVE-2016-4441.html
   https://www.suse.com/security/cve/CVE-2016-4453.html
   https://www.suse.com/security/cve/CVE-2016-4454.html
   https://www.suse.com/security/cve/CVE-2016-4480.html
   https://www.suse.com/security/cve/CVE-2016-5238.html
   https://www.suse.com/security/cve/CVE-2016-5338.html
   https://www.suse.com/security/cve/CVE-2016-5403.html
   https://www.suse.com/security/cve/CVE-2016-6258.html
   https://www.suse.com/security/cve/CVE-2016-6351.html
   https://www.suse.com/security/cve/CVE-2016-7092.html
   https://www.suse.com/security/cve/CVE-2016-7094.html
   https://bugzilla.suse.com/954872
   https://bugzilla.suse.com/961600
   https://bugzilla.suse.com/963161
   https://bugzilla.suse.com/973188
   https://bugzilla.suse.com/973631
   https://bugzilla.suse.com/974038
   https://bugzilla.suse.com/975130
   https://bugzilla.suse.com/975138
   https://bugzilla.suse.com/976470
   https://bugzilla.suse.com/978164
   https://bugzilla.suse.com/978295
   https://bugzilla.suse.com/978413
   https://bugzilla.suse.com/980716
   https://bugzilla.suse.com/980724
   https://bugzilla.suse.com/981264
   https://bugzilla.suse.com/982224
   https://bugzilla.suse.com/982225
   https://bugzilla.suse.com/982960
   https://bugzilla.suse.com/983984
   https://bugzilla.suse.com/985503
   https://bugzilla.suse.com/988675
   https://bugzilla.suse.com/990843
   https://bugzilla.suse.com/990923
   https://bugzilla.suse.com/995785
   https://bugzilla.suse.com/995792

From sle-security-updates at lists.suse.com Fri Nov 4 08:16:32 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 4 Nov 2016 15:16:32 +0100 (CET)
Subject: SUSE-SU-2016:2726-1: important: Security update for java-1_8_0-ibm
Message-ID: <20161104141632.4D313FFC5@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_8_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2726-1
Rating:             important
References:         #992537
Cross-References:   CVE-2016-3485 CVE-2016-3511 CVE-2016-3598
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   IBM Java 8 was updated to version 8.0-3.10 to fix the following security issues:
   - CVE-2016-3485: Unspecified vulnerability allowed local users to affect integrity via vectors related to Networking
   - CVE-2016-3511: Unspecified vulnerability allowed local users to affect confidentiality, integrity, and availability via vectors related to Deployment
   - CVE-2016-3598: Unspecified vulnerability allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries

   Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more information.

   - Add hwkeytool binary for zSeries.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1606=1
   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1606=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      java-1_8_0-ibm-devel-1.8.0_sr3.10-15.1
   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      java-1_8_0-ibm-1.8.0_sr3.10-15.1
   - SUSE Linux Enterprise Server 12-SP1 (x86_64):
      java-1_8_0-ibm-alsa-1.8.0_sr3.10-15.1 java-1_8_0-ibm-plugin-1.8.0_sr3.10-15.1

References:

   https://www.suse.com/security/cve/CVE-2016-3485.html
   https://www.suse.com/security/cve/CVE-2016-3511.html
   https://www.suse.com/security/cve/CVE-2016-3598.html
   https://bugzilla.suse.com/992537

From sle-security-updates at lists.suse.com Wed Nov 9 14:07:51 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 9 Nov 2016 22:07:51 +0100 (CET)
Subject: SUSE-SU-2016:2764-1: moderate: Security update for util-linux
Message-ID: <20161109210751.3476AFFC2@maintenance.suse.de>

   SUSE Security Update: Security update for util-linux
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2764-1
Rating:             moderate
References:         #947494 #966891 #978993 #982331 #983164 #987176 #988361 #994399
Cross-References:   CVE-2016-5011
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has 7 fixes is now available.

Description:

   This update for util-linux fixes a number of bugs and one minor security issue.

   The following minor vulnerability was fixed:
   - CVE-2016-5011: Infinite loop DoS in libblkid while parsing DOS partition (bsc#988361)

   The following bugs were fixed:
   - bsc#987176: When mounting a subfolder of a CIFS share, mount -a would show the mount as busy
   - bsc#947494: mount -a would fail to recognize btrfs already mounted, address loop re-use in libmount
   - bsc#966891: Conflict in meaning of losetup -L. This switch in SLE12 SP1 and SP2 continues to carry the meaning of --logical-blocksize instead of upstream --nooverlap
   - bsc#994399: Package would trigger conflicts with sysvinit-tools
   - bsc#983164: mount uid= and gid= would reject valid non UID/GID values
   - bsc#978993: cfdisk would mangle some text output
   - bsc#982331: libmount: ignore redundant slashes

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:
      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1630=1
   - SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1630=1
   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1630=1
   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1630=1

   To bring your system up-to-date, use "zypper patch".
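   The patch instructions above say how to install the fix; the check a practitioner usually wants afterwards is whether every installed package from the advisory's package list is now at or above the fixed version. The following is an added example, not SUSE's tooling and not part of the advisory: it reimplements rpm's label ordering (rpmvercmp) so that it runs without python-rpm, takes the fixed versions from this advisory (util-linux 2.25-37.1) and from SUSE-SU-2016:2766-1 (php5 5.5.14-83.1), and audits a constructed inventory in the shape that `rpm -qa --queryformat '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` produces. The package selection in FIXED and the inventory contents are assumptions made for the example.

```python
"""Check installed rpm versions against the fixed versions an advisory lists.

Added example, not part of any advisory on this page. It reimplements
rpm's label comparison (rpmvercmp) so it runs without python-rpm; the
FIXED table copies versions from SUSE-SU-2016:2764-1 (util-linux) and
SUSE-SU-2016:2766-1 (php5) for SLE 12 SP1, and SAMPLE_INVENTORY is a
constructed stand-in for real output of
    rpm -qa --queryformat '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'
"""
import re


def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release labels the way rpm does; -1, 0 or 1.

    Labels split into runs of digits or letters; digit runs compare by
    value, letter runs lexically, a digit run beats a letter run, '~'
    sorts below everything (1.0~rc1 < 1.0), and with all runs equal the
    label that still has runs left wins.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _is_alnum(a[i]) and a[i] != "~":
            i += 1
        while j < len(b) and not _is_alnum(b[j]) and b[j] != "~":
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group()
        mb = re.match(pat, b[j:])
        if mb is None:  # digit run against letter run: digits win
            return 1 if numeric else -1
        sb = mb.group()
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(label: str):
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in label:
        e, label = label.split(":", 1)
        epoch = int(e)
    version, sep, release = label.rpartition("-")
    if not sep:
        version, release = label, ""
    return epoch, version, release


def evrcmp(x, y) -> int:
    """Compare two (epoch, version, release) tuples; epoch dominates."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_inventory(text: str) -> dict:
    """Parse 'NAME EPOCH VERSION RELEASE' lines; rpm prints '(none)' for no epoch."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, epoch, version, release = line.split()
            installed[name] = (0 if epoch == "(none)" else int(epoch), version, release)
    return installed


def audit(inventory_text: str, fixed: dict) -> dict:
    """Return {name: (installed, fixed)} for installed packages older than the fix.

    Packages that are not installed are skipped: the advisory does not apply.
    """
    installed = parse_inventory(inventory_text)
    stale = {}
    for name, fixed_label in fixed.items():
        if name in installed and evrcmp(installed[name], parse_evr(fixed_label)) < 0:
            _, v, r = installed[name]
            stale[name] = (f"{v}-{r}", fixed_label)
    return stale


# Fixed versions as listed in the two advisories (assumed package selection).
FIXED = {
    "util-linux": "2.25-37.1",
    "libblkid1": "2.25-37.1",
    "libmount1": "2.25-37.1",
    "php5": "5.5.14-83.1",
    "php5-gd": "5.5.14-83.1",
}

# Constructed inventory, not real host output.
SAMPLE_INVENTORY = """\
util-linux (none) 2.25 37.1
libblkid1 (none) 2.25 33.1
libmount1 (none) 2.25 37.1
php5 (none) 5.5.14 78.1
php5-gd (none) 5.5.14 83.1
"""

if __name__ == "__main__":
    for name, (have, need) in sorted(audit(SAMPLE_INVENTORY, FIXED).items()):
        print(f"{name}: installed {have}, fixed in {need}")
```

   On a real host, feed the output of the rpm query shown in the docstring to parse_inventory instead of SAMPLE_INVENTORY. Note that the release part matters: 2.25-33.1 and 2.25-37.1 share an upstream version and differ only in the SUSE release, which is exactly where the fix lands, so comparing the version alone would report the host as patched. zypper's own view of the same question is "zypper patch-check" or "zypper list-patches".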
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):
      libuuid-devel-2.25-37.1 util-linux-debuginfo-2.25-37.1 util-linux-debugsource-2.25-37.1
   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      libblkid-devel-2.25-37.1 libmount-devel-2.25-37.1 libsmartcols-devel-2.25-37.1 libuuid-devel-2.25-37.1 util-linux-debuginfo-2.25-37.1 util-linux-debugsource-2.25-37.1
   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      libblkid1-2.25-37.1 libblkid1-debuginfo-2.25-37.1 libmount1-2.25-37.1 libmount1-debuginfo-2.25-37.1 libsmartcols1-2.25-37.1 libsmartcols1-debuginfo-2.25-37.1 libuuid1-2.25-37.1 libuuid1-debuginfo-2.25-37.1 python-libmount-2.25-37.1 python-libmount-debuginfo-2.25-37.1 python-libmount-debugsource-2.25-37.1 util-linux-2.25-37.1 util-linux-debuginfo-2.25-37.1 util-linux-debugsource-2.25-37.1 util-linux-systemd-2.25-37.1 util-linux-systemd-debuginfo-2.25-37.1 util-linux-systemd-debugsource-2.25-37.1 uuidd-2.25-37.1 uuidd-debuginfo-2.25-37.1
   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):
      libblkid1-32bit-2.25-37.1 libblkid1-debuginfo-32bit-2.25-37.1 libmount1-32bit-2.25-37.1 libmount1-debuginfo-32bit-2.25-37.1 libuuid1-32bit-2.25-37.1 libuuid1-debuginfo-32bit-2.25-37.1
   - SUSE Linux Enterprise Server 12-SP1 (noarch):
      util-linux-lang-2.25-37.1
   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):
      util-linux-lang-2.25-37.1
   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      libblkid1-2.25-37.1 libblkid1-32bit-2.25-37.1 libblkid1-debuginfo-2.25-37.1 libblkid1-debuginfo-32bit-2.25-37.1 libmount1-2.25-37.1 libmount1-32bit-2.25-37.1 libmount1-debuginfo-2.25-37.1 libmount1-debuginfo-32bit-2.25-37.1 libsmartcols1-2.25-37.1 libsmartcols1-debuginfo-2.25-37.1 libuuid-devel-2.25-37.1 libuuid1-2.25-37.1 libuuid1-32bit-2.25-37.1 libuuid1-debuginfo-2.25-37.1 libuuid1-debuginfo-32bit-2.25-37.1 python-libmount-2.25-37.1 python-libmount-debuginfo-2.25-37.1 python-libmount-debugsource-2.25-37.1 util-linux-2.25-37.1 util-linux-debuginfo-2.25-37.1 util-linux-debugsource-2.25-37.1 util-linux-systemd-2.25-37.1 util-linux-systemd-debuginfo-2.25-37.1 util-linux-systemd-debugsource-2.25-37.1 uuidd-2.25-37.1 uuidd-debuginfo-2.25-37.1

References:

   https://www.suse.com/security/cve/CVE-2016-5011.html
   https://bugzilla.suse.com/947494
   https://bugzilla.suse.com/966891
   https://bugzilla.suse.com/978993
   https://bugzilla.suse.com/982331
   https://bugzilla.suse.com/983164
   https://bugzilla.suse.com/987176
   https://bugzilla.suse.com/988361
   https://bugzilla.suse.com/994399

From sle-security-updates at lists.suse.com Wed Nov 9 14:10:02 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 9 Nov 2016 22:10:02 +0100 (CET)
Subject: SUSE-SU-2016:2766-1: important: Security update for php5
Message-ID: <20161109211002.B6A33FFC2@maintenance.suse.de>

   SUSE Security Update: Security update for php5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2766-1
Rating:             important
References:         #1001900 #1004924 #1005274
Cross-References:   CVE-2016-6911 CVE-2016-7568 CVE-2016-8670
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for php5 fixes the following security issues:
   - CVE-2016-7568: A specially crafted image file could cause an application crash or potentially execute arbitrary code when the image is converted to webp (bsc#1001900)
   - CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf (bsc#1004924)
   - CVE-2016-6911: Check for out-of-bound read in dynamicGetbuf() (bsc#1005274)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1629=1
   - SUSE Linux Enterprise Module for Web Scripting 12:
      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1629=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      php5-debuginfo-5.5.14-83.1 php5-debugsource-5.5.14-83.1 php5-devel-5.5.14-83.1
   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):
      apache2-mod_php5-5.5.14-83.1 apache2-mod_php5-debuginfo-5.5.14-83.1 php5-5.5.14-83.1 php5-bcmath-5.5.14-83.1 php5-bcmath-debuginfo-5.5.14-83.1 php5-bz2-5.5.14-83.1 php5-bz2-debuginfo-5.5.14-83.1 php5-calendar-5.5.14-83.1 php5-calendar-debuginfo-5.5.14-83.1 php5-ctype-5.5.14-83.1 php5-ctype-debuginfo-5.5.14-83.1 php5-curl-5.5.14-83.1 php5-curl-debuginfo-5.5.14-83.1 php5-dba-5.5.14-83.1 php5-dba-debuginfo-5.5.14-83.1 php5-debuginfo-5.5.14-83.1 php5-debugsource-5.5.14-83.1 php5-dom-5.5.14-83.1 php5-dom-debuginfo-5.5.14-83.1 php5-enchant-5.5.14-83.1 php5-enchant-debuginfo-5.5.14-83.1 php5-exif-5.5.14-83.1 php5-exif-debuginfo-5.5.14-83.1 php5-fastcgi-5.5.14-83.1 php5-fastcgi-debuginfo-5.5.14-83.1 php5-fileinfo-5.5.14-83.1 php5-fileinfo-debuginfo-5.5.14-83.1 php5-fpm-5.5.14-83.1 php5-fpm-debuginfo-5.5.14-83.1 php5-ftp-5.5.14-83.1 php5-ftp-debuginfo-5.5.14-83.1 php5-gd-5.5.14-83.1 php5-gd-debuginfo-5.5.14-83.1 php5-gettext-5.5.14-83.1 php5-gettext-debuginfo-5.5.14-83.1 php5-gmp-5.5.14-83.1 php5-gmp-debuginfo-5.5.14-83.1 php5-iconv-5.5.14-83.1 php5-iconv-debuginfo-5.5.14-83.1 php5-imap-5.5.14-83.1 php5-imap-debuginfo-5.5.14-83.1 php5-intl-5.5.14-83.1 php5-intl-debuginfo-5.5.14-83.1 php5-json-5.5.14-83.1 php5-json-debuginfo-5.5.14-83.1 php5-ldap-5.5.14-83.1 php5-ldap-debuginfo-5.5.14-83.1 php5-mbstring-5.5.14-83.1 php5-mbstring-debuginfo-5.5.14-83.1 php5-mcrypt-5.5.14-83.1 php5-mcrypt-debuginfo-5.5.14-83.1 php5-mysql-5.5.14-83.1 php5-mysql-debuginfo-5.5.14-83.1 php5-odbc-5.5.14-83.1 php5-odbc-debuginfo-5.5.14-83.1 php5-opcache-5.5.14-83.1 php5-opcache-debuginfo-5.5.14-83.1 php5-openssl-5.5.14-83.1 php5-openssl-debuginfo-5.5.14-83.1 php5-pcntl-5.5.14-83.1 php5-pcntl-debuginfo-5.5.14-83.1 php5-pdo-5.5.14-83.1 php5-pdo-debuginfo-5.5.14-83.1 php5-pgsql-5.5.14-83.1 php5-pgsql-debuginfo-5.5.14-83.1 php5-phar-5.5.14-83.1 php5-phar-debuginfo-5.5.14-83.1 php5-posix-5.5.14-83.1 php5-posix-debuginfo-5.5.14-83.1 php5-pspell-5.5.14-83.1 php5-pspell-debuginfo-5.5.14-83.1 php5-shmop-5.5.14-83.1 php5-shmop-debuginfo-5.5.14-83.1 php5-snmp-5.5.14-83.1 php5-snmp-debuginfo-5.5.14-83.1 php5-soap-5.5.14-83.1 php5-soap-debuginfo-5.5.14-83.1 php5-sockets-5.5.14-83.1 php5-sockets-debuginfo-5.5.14-83.1 php5-sqlite-5.5.14-83.1 php5-sqlite-debuginfo-5.5.14-83.1 php5-suhosin-5.5.14-83.1 php5-suhosin-debuginfo-5.5.14-83.1 php5-sysvmsg-5.5.14-83.1 php5-sysvmsg-debuginfo-5.5.14-83.1 php5-sysvsem-5.5.14-83.1 php5-sysvsem-debuginfo-5.5.14-83.1 php5-sysvshm-5.5.14-83.1 php5-sysvshm-debuginfo-5.5.14-83.1 php5-tokenizer-5.5.14-83.1 php5-tokenizer-debuginfo-5.5.14-83.1 php5-wddx-5.5.14-83.1 php5-wddx-debuginfo-5.5.14-83.1 php5-xmlreader-5.5.14-83.1 php5-xmlreader-debuginfo-5.5.14-83.1 php5-xmlrpc-5.5.14-83.1 php5-xmlrpc-debuginfo-5.5.14-83.1 php5-xmlwriter-5.5.14-83.1 php5-xmlwriter-debuginfo-5.5.14-83.1 php5-xsl-5.5.14-83.1 php5-xsl-debuginfo-5.5.14-83.1 php5-zip-5.5.14-83.1 php5-zip-debuginfo-5.5.14-83.1 php5-zlib-5.5.14-83.1 php5-zlib-debuginfo-5.5.14-83.1
   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):
      php5-pear-5.5.14-83.1

References:

   https://www.suse.com/security/cve/CVE-2016-6911.html
   https://www.suse.com/security/cve/CVE-2016-7568.html
   https://www.suse.com/security/cve/CVE-2016-8670.html
   https://bugzilla.suse.com/1001900
   https://bugzilla.suse.com/1004924
   https://bugzilla.suse.com/1005274

From sle-security-updates at lists.suse.com Thu Nov 10 13:07:45 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 10 Nov 2016 21:07:45 +0100 (CET)
Subject: SUSE-SU-2016:2775-1: moderate: Security update for jasper
Message-ID: <20161110200745.7351CFFC0@maintenance.suse.de>

   SUSE Security Update: Security update for jasper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2775-1
Rating:             moderate
References:         #1005084 #1005090 #1005242 #1006591 #1006593 #1006597 #1006598 #1006599 #1006836 #1006839 #1007009 #392410 #941919 #942553 #961886 #963983 #968373
Cross-References:   CVE-2008-3522 CVE-2014-8158 CVE-2015-5203 CVE-2015-5221 CVE-2016-1577 CVE-2016-1867 CVE-2016-2089 CVE-2016-2116 CVE-2016-8690 CVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8880 CVE-2016-8881 CVE-2016-8882 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885 CVE-2016-8886 CVE-2016-8887
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 20 vulnerabilities is now available.

Description:

   This update for jasper to version 1.900.14 fixes several issues.
   These security issues were fixed:
   - CVE-2016-8887: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (bsc#1006836)
   - CVE-2016-8886: memory allocation failure in jas_malloc (jas_malloc.c) (bsc#1006599)
   - CVE-2016-8884, CVE-2016-8885: two null pointer dereferences in bmp_getdata (incomplete fix for CVE-2016-8690) (bsc#1007009)
   - CVE-2016-8883: assert in jpc_dec_tiledecode() (bsc#1006598)
   - CVE-2016-8882: segfault / null pointer access in jpc_pi_destroy (bsc#1006597)
   - CVE-2016-8881: Heap overflow in jpc_getuint16() (bsc#1006593)
   - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox() (bsc#1006591)
   - CVE-2016-8693: Double free vulnerability in mem_close (bsc#1005242)
   - CVE-2016-8691, CVE-2016-8692: Divide by zero in jpc_dec_process_siz (bsc#1005090)
   - CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted BMP image (bsc#1005084)
   - CVE-2016-2116: Memory leak in the jas_iccprof_createfrombuf function in JasPer allowed remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file (bsc#968373)
   - CVE-2016-2089: invalid read in JasPer's jas_matrix_clip() function (bsc#963983)
   - CVE-2016-1867: Out-of-bounds read in JasPer's jpc_pi_nextcprl() function (bsc#961886)
   - CVE-2015-5221: Use-after-free (and double-free) in JasPer JPEG-2000 (bsc#942553)
   - CVE-2015-5203: Double free corruption in JasPer JPEG-2000 implementation (bsc#941919)
   - CVE-2008-3522: Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer might have allowed context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf (bsc#392410)
   - jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887) (bsc#1006839)

   For additional change description please have a look at the changelog.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:
      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1639=1
   - SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1639=1
   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1639=1
   - SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1639=1
   - SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1639=1
   - SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1639=1
   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1639=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
      jasper-debuginfo-1.900.14-181.1 jasper-debugsource-1.900.14-181.1 libjasper-devel-1.900.14-181.1
   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      jasper-debuginfo-1.900.14-181.1 jasper-debugsource-1.900.14-181.1 libjasper-devel-1.900.14-181.1
   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      jasper-debuginfo-1.900.14-181.1 jasper-debugsource-1.900.14-181.1 libjasper1-1.900.14-181.1 libjasper1-debuginfo-1.900.14-181.1
   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      jasper-debuginfo-1.900.14-181.1 jasper-debugsource-1.900.14-181.1 libjasper1-1.900.14-181.1 libjasper1-debuginfo-1.900.14-181.1
   - SUSE Linux Enterprise Server 12-SP2 (x86_64):
      libjasper1-32bit-1.900.14-181.1 libjasper1-debuginfo-32bit-1.900.14-181.1
   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      jasper-debuginfo-1.900.14-181.1 jasper-debugsource-1.900.14-181.1 libjasper1-1.900.14-181.1 libjasper1-debuginfo-1.900.14-181.1
   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):
      libjasper1-32bit-1.900.14-181.1 libjasper1-debuginfo-32bit-1.900.14-181.1
   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      jasper-debuginfo-1.900.14-181.1 jasper-debugsource-1.900.14-181.1 libjasper1-1.900.14-181.1 libjasper1-32bit-1.900.14-181.1 libjasper1-debuginfo-1.900.14-181.1 libjasper1-debuginfo-32bit-1.900.14-181.1
   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      jasper-debuginfo-1.900.14-181.1 jasper-debugsource-1.900.14-181.1 libjasper1-1.900.14-181.1 libjasper1-32bit-1.900.14-181.1 libjasper1-debuginfo-1.900.14-181.1 libjasper1-debuginfo-32bit-1.900.14-181.1

References:

   https://www.suse.com/security/cve/CVE-2008-3522.html
   https://www.suse.com/security/cve/CVE-2014-8158.html
   https://www.suse.com/security/cve/CVE-2015-5203.html
   https://www.suse.com/security/cve/CVE-2015-5221.html
   https://www.suse.com/security/cve/CVE-2016-1577.html
   https://www.suse.com/security/cve/CVE-2016-1867.html
   https://www.suse.com/security/cve/CVE-2016-2089.html
   https://www.suse.com/security/cve/CVE-2016-2116.html
   https://www.suse.com/security/cve/CVE-2016-8690.html
   https://www.suse.com/security/cve/CVE-2016-8691.html
   https://www.suse.com/security/cve/CVE-2016-8692.html
   https://www.suse.com/security/cve/CVE-2016-8693.html
   https://www.suse.com/security/cve/CVE-2016-8880.html
   https://www.suse.com/security/cve/CVE-2016-8881.html
   https://www.suse.com/security/cve/CVE-2016-8882.html
   https://www.suse.com/security/cve/CVE-2016-8883.html
   https://www.suse.com/security/cve/CVE-2016-8884.html
   https://www.suse.com/security/cve/CVE-2016-8885.html
   https://www.suse.com/security/cve/CVE-2016-8886.html
   https://www.suse.com/security/cve/CVE-2016-8887.html
   https://bugzilla.suse.com/1005084
   https://bugzilla.suse.com/1005090
   https://bugzilla.suse.com/1005242
   https://bugzilla.suse.com/1006591
   https://bugzilla.suse.com/1006593
   https://bugzilla.suse.com/1006597
   https://bugzilla.suse.com/1006598
   https://bugzilla.suse.com/1006599
   https://bugzilla.suse.com/1006836
   https://bugzilla.suse.com/1006839
   https://bugzilla.suse.com/1007009
   https://bugzilla.suse.com/392410
   https://bugzilla.suse.com/941919
   https://bugzilla.suse.com/942553
   https://bugzilla.suse.com/961886
   https://bugzilla.suse.com/963983
   https://bugzilla.suse.com/968373

From sle-security-updates at lists.suse.com Thu Nov 10 13:10:29 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 10 Nov 2016 21:10:29 +0100 (CET)
Subject: SUSE-SU-2016:2776-1: moderate: Security update for jasper
Message-ID: <20161110201030.004E1FFC3@maintenance.suse.de>

   SUSE Security Update: Security update for jasper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2776-1
Rating:             moderate
References:         #1005084 #1005090 #1005242 #1006591 #1006593 #1006597 #1006598 #1006599 #1006836 #1006839 #1007009 #392410 #941919 #942553 #961886 #963983 #968373
Cross-References:   CVE-2008-3522 CVE-2015-5203 CVE-2015-5221 CVE-2016-1577 CVE-2016-1867 CVE-2016-2089 CVE-2016-2116 CVE-2016-8690 CVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8880 CVE-2016-8881 CVE-2016-8882 CVE-2016-8883 CVE-2016-8884 CVE-2016-8885 CVE-2016-8886 CVE-2016-8887
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 19 vulnerabilities is now available.
Description:

   This update for jasper fixes the following issues:

   Security fixes:
   - CVE-2016-8887: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (bsc#1006836)
   - CVE-2016-8886: memory allocation failure in jas_malloc (jas_malloc.c) (bsc#1006599)
   - CVE-2016-8884, CVE-2016-8885: two null pointer dereferences in bmp_getdata (incomplete fix for CVE-2016-8690) (bsc#1007009)
   - CVE-2016-8883: assert in jpc_dec_tiledecode() (bsc#1006598)
   - CVE-2016-8882: segfault / null pointer access in jpc_pi_destroy (bsc#1006597)
   - CVE-2016-8881: Heap overflow in jpc_getuint16() (bsc#1006593)
   - CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox() (bsc#1006591)
   - CVE-2016-8693: Double free vulnerability in mem_close (bsc#1005242)
   - CVE-2016-8691, CVE-2016-8692: Divide by zero in jpc_dec_process_siz (bsc#1005090)
   - CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted BMP image (bsc#1005084)
   - CVE-2016-2089: invalid read in JasPer's jas_matrix_clip() function (bsc#963983)
   - CVE-2016-1867: Out-of-bounds read in JasPer's jpc_pi_nextcprl() function (bsc#961886)
   - CVE-2016-1577, CVE-2016-2116: double free vulnerability in the jas_iccattrval_destroy function (bsc#968373)
   - CVE-2015-5221: Use-after-free (and double-free) in JasPer JPEG-2000 (bsc#942553)
   - CVE-2015-5203: Double free corruption in JasPer JPEG-2000 implementation (bsc#941919)
   - CVE-2008-3522: multiple integer overflows (bsc#392410)
   - bsc#1006839: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-jasper-12846=1
   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-jasper-12846=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-jasper-12846=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      libjasper-devel-1.900.14-134.25.1
   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      libjasper-1.900.14-134.25.1
   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
      libjasper-32bit-1.900.14-134.25.1
   - SUSE Linux Enterprise Server 11-SP4 (ia64):
      libjasper-x86-1.900.14-134.25.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      jasper-debuginfo-1.900.14-134.25.1 jasper-debugsource-1.900.14-134.25.1

References:

   https://www.suse.com/security/cve/CVE-2008-3522.html
   https://www.suse.com/security/cve/CVE-2015-5203.html
   https://www.suse.com/security/cve/CVE-2015-5221.html
   https://www.suse.com/security/cve/CVE-2016-1577.html
   https://www.suse.com/security/cve/CVE-2016-1867.html
   https://www.suse.com/security/cve/CVE-2016-2089.html
   https://www.suse.com/security/cve/CVE-2016-2116.html
   https://www.suse.com/security/cve/CVE-2016-8690.html
   https://www.suse.com/security/cve/CVE-2016-8691.html
   https://www.suse.com/security/cve/CVE-2016-8692.html
   https://www.suse.com/security/cve/CVE-2016-8693.html
   https://www.suse.com/security/cve/CVE-2016-8880.html
   https://www.suse.com/security/cve/CVE-2016-8881.html
   https://www.suse.com/security/cve/CVE-2016-8882.html
   https://www.suse.com/security/cve/CVE-2016-8883.html
   https://www.suse.com/security/cve/CVE-2016-8884.html
   https://www.suse.com/security/cve/CVE-2016-8885.html
   https://www.suse.com/security/cve/CVE-2016-8886.html
   https://www.suse.com/security/cve/CVE-2016-8887.html
   https://bugzilla.suse.com/1005084
   https://bugzilla.suse.com/1005090
   https://bugzilla.suse.com/1005242
   https://bugzilla.suse.com/1006591
   https://bugzilla.suse.com/1006593
   https://bugzilla.suse.com/1006597
   https://bugzilla.suse.com/1006598
   https://bugzilla.suse.com/1006599
   https://bugzilla.suse.com/1006836
   https://bugzilla.suse.com/1006839
   https://bugzilla.suse.com/1007009
   https://bugzilla.suse.com/392410
   https://bugzilla.suse.com/941919
   https://bugzilla.suse.com/942553
   https://bugzilla.suse.com/961886
   https://bugzilla.suse.com/963983
   https://bugzilla.suse.com/968373

From sle-security-updates at lists.suse.com Fri Nov 11 09:06:42 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 11 Nov 2016 17:06:42 +0100 (CET)
Subject: SUSE-SU-2016:2778-1: important: Security update for flash-player
Message-ID: <20161111160642.2B3D9FFC3@maintenance.suse.de>

   SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2778-1
Rating:             important
References:         #1009217
Cross-References:   CVE-2016-7857 CVE-2016-7858 CVE-2016-7859 CVE-2016-7860 CVE-2016-7861 CVE-2016-7862 CVE-2016-7863 CVE-2016-7864 CVE-2016-7865
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available.

Description:

   This update to Adobe Flash Player 11.2.202.644 fixes the following security issues:
   - type confusion vulnerabilities that could lead to code execution (CVE-2016-7860, CVE-2016-7861, CVE-2016-7865)
   - use-after-free vulnerabilities that could lead to code execution (CVE-2016-7857, CVE-2016-7858, CVE-2016-7859, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:
      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1643=1
   - SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1643=1

   To bring your system up-to-date, use "zypper patch".
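   Every mail in this archive follows the same layout: a "From " separator line, Subject and Message-ID headers, then the announcement block with Announcement ID, Rating, References (bugzilla numbers), Cross-References (CVEs), Affected Products and, later, one "zypper in -t patch" line per product. That regularity is what makes the archive usable as a feed for a vulnerability tracker. The following is an added example, not SUSE's code and not part of any advisory here: a parser for that layout that turns a digest into records and answers the two questions a tracker asks, which advisories cover a given CVE and which patch name applies to a given product. SAMPLE_DIGEST is a constructed, abbreviated two-mail digest that reuses identifiers from the util-linux and php5 advisories on this page; the field names are taken from the advisory text, the record layout is an assumption made for the example.

```python
"""Parse SUSE security-update mails from a list archive into records.

Added example, not part of any advisory on this page. It assumes the
mail layout the sle-security-updates archive uses (a "From " separator
line, "Subject:" and "Message-ID:" headers, then the announcement block
with its labelled fields). SAMPLE_DIGEST is a constructed, abbreviated
two-mail digest using identifiers from this page.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Advisory:
    announcement_id: str
    rating: str
    subject: str
    cves: list = field(default_factory=list)
    bugs: list = field(default_factory=list)      # bugzilla.suse.com ids
    products: list = field(default_factory=list)
    patches: dict = field(default_factory=dict)   # product -> zypper patch name


# One mail starts at each "From <list-address> <date>" separator line.
MAIL_SPLIT = re.compile(r"^From sle-security-updates at lists\.suse\.com ", re.M)
# "- <product>:" followed (possibly after blank lines) by the zypper command.
PATCH_LINE = re.compile(r"- ([^\n:]+):\s*zypper in -t patch (\S+)")


def _field(mail: str, label: str, stop: str) -> str:
    """Text between the first 'label:' and the next 'stop' marker (a regex)."""
    m = re.search(rf"{label}:\s*(.*?)\s*{stop}", mail, re.S)
    return m.group(1) if m else ""


def parse_advisory(mail: str) -> Advisory:
    adv = Advisory(
        announcement_id=_field(mail, "Announcement ID", "Rating:"),
        rating=_field(mail, "Rating", "References:"),
        subject=_field(mail, "Subject", "Message-ID:"),
    )
    # The first "References:" block lists bug ids; the trailing URL block
    # at the end of the mail is never reached because the search stops early.
    adv.bugs = re.findall(r"#(\d+)", _field(mail, "References", "Cross-References:"))
    adv.cves = re.findall(r"CVE-\d{4}-\d{4,}", _field(mail, "Cross-References", "_{10,}"))
    products = _field(mail, "Affected Products", "_{10,}")
    adv.products = [p.strip() for p in products.splitlines() if p.strip()]
    for product, patch in PATCH_LINE.findall(mail):
        adv.patches[product.strip()] = patch
    return adv


def parse_digest(text: str) -> list:
    return [parse_advisory(m) for m in MAIL_SPLIT.split(text) if m.strip()]


def advisories_for_cve(advisories, cve: str) -> list:
    return [a.announcement_id for a in advisories if cve in a.cves]


def patches_for_product(advisories, product: str) -> dict:
    return {a.announcement_id: a.patches[product]
            for a in advisories if product in a.patches}


# Constructed digest: two abbreviated mails in the archive's layout.
SAMPLE_DIGEST = """\
From sle-security-updates at lists.suse.com Wed Nov  9 14:07:51 2016
Subject: SUSE-SU-2016:2764-1: moderate: Security update for util-linux
Message-ID: <20161109210751.3476AFFC2@maintenance.suse.de>

Announcement ID:    SUSE-SU-2016:2764-1
Rating:             moderate
References:         #947494 #988361
Cross-References:   CVE-2016-5011
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

Description:

   - CVE-2016-5011: Infinite loop DoS in libblkid while parsing DOS partition (bsc#988361)

Patch Instructions:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1630=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1630=1

References:

   https://www.suse.com/security/cve/CVE-2016-5011.html

From sle-security-updates at lists.suse.com Wed Nov  9 14:10:02 2016
Subject: SUSE-SU-2016:2766-1: important: Security update for php5
Message-ID: <20161109211002.B6A33FFC2@maintenance.suse.de>

Announcement ID:    SUSE-SU-2016:2766-1
Rating:             important
References:         #1001900 #1004924 #1005274
Cross-References:   CVE-2016-6911 CVE-2016-7568 CVE-2016-8670
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

Patch Instructions:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1629=1
"""

if __name__ == "__main__":
    for adv in parse_digest(SAMPLE_DIGEST):
        print(adv.announcement_id, adv.rating, adv.cves, adv.patches)
```

   The parser deliberately reads CVEs only from the Cross-References block and bug numbers only from the first References block, so a CVE or bsc# that is merely mentioned in a description bullet (for instance an "incomplete fix for CVE-..." note) does not get credited to the advisory.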
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):
      flash-player-11.2.202.644-149.1 flash-player-gnome-11.2.202.644-149.1
   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      flash-player-11.2.202.644-149.1 flash-player-gnome-11.2.202.644-149.1

References:

   https://www.suse.com/security/cve/CVE-2016-7857.html
   https://www.suse.com/security/cve/CVE-2016-7858.html
   https://www.suse.com/security/cve/CVE-2016-7859.html
   https://www.suse.com/security/cve/CVE-2016-7860.html
   https://www.suse.com/security/cve/CVE-2016-7861.html
   https://www.suse.com/security/cve/CVE-2016-7862.html
   https://www.suse.com/security/cve/CVE-2016-7863.html
   https://www.suse.com/security/cve/CVE-2016-7864.html
   https://www.suse.com/security/cve/CVE-2016-7865.html
   https://bugzilla.suse.com/1009217

From sle-security-updates at lists.suse.com Sat Nov 12 00:06:43 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 12 Nov 2016 08:06:43 +0100 (CET)
Subject: SUSE-SU-2016:2780-1: important: Security update for mysql
Message-ID: <20161112070643.4A590FFC3@maintenance.suse.de>

   SUSE Security Update: Security update for mysql
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2780-1
Rating:             important
References:         #1005558 #1005580 #1005581
Cross-References:   CVE-2016-5584 CVE-2016-6662 CVE-2016-7440
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This mysql version update to 5.5.53 fixes the following issues:
   - CVE-2016-6662: Unspecified vulnerability in subcomponent Logging (bsc#1005580)
   - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581)
   - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558)

   Release Notes: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-53.html

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:
      zypper in -t patch sdksp4-mysql-12847=1
   - SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-mysql-12847=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-mysql-12847=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):
      libmysql55client_r18-32bit-5.5.53-0.30.1
   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ia64):
      libmysql55client_r18-x86-5.5.53-0.30.1
   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      libmysql55client18-5.5.53-0.30.1 libmysql55client_r18-5.5.53-0.30.1 mysql-5.5.53-0.30.1 mysql-client-5.5.53-0.30.1 mysql-tools-5.5.53-0.30.1
   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):
      libmysql55client18-32bit-5.5.53-0.30.1 libmysql55client_r18-32bit-5.5.53-0.30.1
   - SUSE Linux Enterprise Server 11-SP4 (ia64):
      libmysql55client18-x86-5.5.53-0.30.1 libmysql55client_r18-x86-5.5.53-0.30.1
   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      mysql-debuginfo-5.5.53-0.30.1 mysql-debugsource-5.5.53-0.30.1

References:

   https://www.suse.com/security/cve/CVE-2016-5584.html
   https://www.suse.com/security/cve/CVE-2016-6662.html
   https://www.suse.com/security/cve/CVE-2016-7440.html
   https://bugzilla.suse.com/1005558
   https://bugzilla.suse.com/1005580
   https://bugzilla.suse.com/1005581

From sle-security-updates at lists.suse.com Sat Nov 12 00:07:29 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 12 Nov 2016 08:07:29 +0100 (CET)
Subject: SUSE-SU-2016:2781-1: moderate: Security update for qemu
Message-ID: <20161112070729.88D0EFFC0@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2781-1
Rating:             moderate
References:         #893323 #944697 #967012 #967013 #982017 #982018 #982019 #982222 #982223 #982285 #982959 #983961 #983982 #991080 #991466 #994760 #994771 #994774 #996441 #997858 #997859
Cross-References:   CVE-2014-5388 CVE-2015-6815 CVE-2016-2391 CVE-2016-2392 CVE-2016-4453 CVE-2016-4454 CVE-2016-5105 CVE-2016-5106 CVE-2016-5107 CVE-2016-5126 CVE-2016-5238 CVE-2016-5337 CVE-2016-5338 CVE-2016-5403 CVE-2016-6490 CVE-2016-6833 CVE-2016-6836 CVE-2016-6888 CVE-2016-7116 CVE-2016-7155 CVE-2016-7156
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that fixes 21 vulnerabilities is now available.

Description:

   qemu was updated to fix 21 security issues.

   These security issues were fixed:
   - CVE-2014-5388: Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allowed local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption (bsc#893323).
   - CVE-2015-6815: e1000 NIC emulation support was vulnerable to an infinite loop issue. A privileged user inside the guest could have used this flaw to crash the QEMU instance, resulting in DoS (bsc#944697).
- CVE-2016-2391: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers (bsc#967013).
- CVE-2016-2392: The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU did not properly validate USB configuration descriptor objects, which allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet (bsc#967012).
- CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982223).
- CVE-2016-4454: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read (bsc#982222).
- CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, used an uninitialized variable, which allowed local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982017).
- CVE-2016-5106: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982018).
- CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors (bsc#982019).
- CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allowed local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285).
- CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982959).
- CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information (bsc#983961).
- CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer (bsc#983982).
- CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion (bsc#991080).
- CVE-2016-6490: Infinite loop in the virtio framework. A privileged user inside the guest could have used this flaw to crash the Qemu instance on the host, resulting in DoS (bsc#991466).
- CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device support. A privileged user inside the guest could have used this issue to crash the Qemu instance, resulting in DoS (bsc#994774).
- CVE-2016-6836: Information leak in the VMWARE VMXNET3 NIC device support. A privileged user inside the guest could have used this to leak host memory bytes to the guest (bsc#994760).
- CVE-2016-6888: Integer overflow in packet initialisation in the VMXNET3 device driver. A privileged user inside the guest could have used this flaw to crash the Qemu instance, resulting in DoS (bsc#994771).
- CVE-2016-7116: Host directory sharing via the Plan 9 File System (9pfs) was vulnerable to a directory/path traversal issue. A privileged user inside the guest could have used this flaw to access files on the host outside the shared directory (bsc#996441).
- CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus an OOB access and/or infinite loop issue could have allowed a privileged user inside the guest to crash the Qemu process, resulting in DoS (bsc#997858).
- CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus an infinite loop issue could have allowed a privileged user inside the guest to crash the Qemu process, resulting in DoS (bsc#997859).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server for SAP 12:
  zypper in -t patch SUSE-SLE-SAP-12-2016-1646=1
- SUSE Linux Enterprise Server 12-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-2016-1646=1

To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server for SAP 12 (noarch):
  qemu-ipxe-1.0.0-48.22.1
  qemu-seabios-1.7.4-48.22.1
  qemu-sgabios-8-48.22.1
  qemu-vgabios-1.7.4-48.22.1
- SUSE Linux Enterprise Server for SAP 12 (x86_64):
  qemu-2.0.2-48.22.1
  qemu-block-curl-2.0.2-48.22.1
  qemu-block-curl-debuginfo-2.0.2-48.22.1
  qemu-block-rbd-2.0.2-48.22.1
  qemu-block-rbd-debuginfo-2.0.2-48.22.1
  qemu-debugsource-2.0.2-48.22.1
  qemu-guest-agent-2.0.2-48.22.1
  qemu-guest-agent-debuginfo-2.0.2-48.22.1
  qemu-kvm-2.0.2-48.22.1
  qemu-lang-2.0.2-48.22.1
  qemu-tools-2.0.2-48.22.1
  qemu-tools-debuginfo-2.0.2-48.22.1
  qemu-x86-2.0.2-48.22.1
  qemu-x86-debuginfo-2.0.2-48.22.1
- SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):
  qemu-2.0.2-48.22.1
  qemu-block-curl-2.0.2-48.22.1
  qemu-block-curl-debuginfo-2.0.2-48.22.1
  qemu-debugsource-2.0.2-48.22.1
  qemu-guest-agent-2.0.2-48.22.1
  qemu-guest-agent-debuginfo-2.0.2-48.22.1
  qemu-lang-2.0.2-48.22.1
  qemu-tools-2.0.2-48.22.1
  qemu-tools-debuginfo-2.0.2-48.22.1
- SUSE Linux Enterprise Server 12-LTSS (s390x x86_64):
  qemu-kvm-2.0.2-48.22.1
- SUSE Linux Enterprise Server 12-LTSS (ppc64le):
  qemu-ppc-2.0.2-48.22.1
  qemu-ppc-debuginfo-2.0.2-48.22.1
- SUSE Linux Enterprise Server 12-LTSS (noarch):
  qemu-ipxe-1.0.0-48.22.1
  qemu-seabios-1.7.4-48.22.1
  qemu-sgabios-8-48.22.1
  qemu-vgabios-1.7.4-48.22.1
- SUSE Linux Enterprise Server 12-LTSS (x86_64):
  qemu-block-rbd-2.0.2-48.22.1
  qemu-block-rbd-debuginfo-2.0.2-48.22.1
  qemu-x86-2.0.2-48.22.1
  qemu-x86-debuginfo-2.0.2-48.22.1
- SUSE Linux Enterprise Server 12-LTSS (s390x):
  qemu-s390-2.0.2-48.22.1
  qemu-s390-debuginfo-2.0.2-48.22.1

References:
https://www.suse.com/security/cve/CVE-2014-5388.html
https://www.suse.com/security/cve/CVE-2015-6815.html
https://www.suse.com/security/cve/CVE-2016-2391.html
https://www.suse.com/security/cve/CVE-2016-2392.html
https://www.suse.com/security/cve/CVE-2016-4453.html
https://www.suse.com/security/cve/CVE-2016-4454.html
https://www.suse.com/security/cve/CVE-2016-5105.html
https://www.suse.com/security/cve/CVE-2016-5106.html
https://www.suse.com/security/cve/CVE-2016-5107.html
https://www.suse.com/security/cve/CVE-2016-5126.html
https://www.suse.com/security/cve/CVE-2016-5238.html
https://www.suse.com/security/cve/CVE-2016-5337.html
https://www.suse.com/security/cve/CVE-2016-5338.html
https://www.suse.com/security/cve/CVE-2016-5403.html
https://www.suse.com/security/cve/CVE-2016-6490.html
https://www.suse.com/security/cve/CVE-2016-6833.html
https://www.suse.com/security/cve/CVE-2016-6836.html
https://www.suse.com/security/cve/CVE-2016-6888.html
https://www.suse.com/security/cve/CVE-2016-7116.html
https://www.suse.com/security/cve/CVE-2016-7155.html
https://www.suse.com/security/cve/CVE-2016-7156.html
https://bugzilla.suse.com/893323
https://bugzilla.suse.com/944697
https://bugzilla.suse.com/967012
https://bugzilla.suse.com/967013
https://bugzilla.suse.com/982017
https://bugzilla.suse.com/982018
https://bugzilla.suse.com/982019
https://bugzilla.suse.com/982222
https://bugzilla.suse.com/982223
https://bugzilla.suse.com/982285
https://bugzilla.suse.com/982959
https://bugzilla.suse.com/983961
https://bugzilla.suse.com/983982
https://bugzilla.suse.com/991080
https://bugzilla.suse.com/991466
https://bugzilla.suse.com/994760
https://bugzilla.suse.com/994771
https://bugzilla.suse.com/994774
https://bugzilla.suse.com/996441
https://bugzilla.suse.com/997858
https://bugzilla.suse.com/997859

From sle-security-updates at lists.suse.com Tue Nov 15 14:06:58 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 15 Nov 2016 22:06:58 +0100 (CET)
Subject: SUSE-SU-2016:2809-1: moderate: Recommended update for ceph
Message-ID: <20161115210658.B515EFFC3@maintenance.suse.de>

SUSE Security Update: Recommended update for ceph
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:2809-1
Rating: moderate
References: #1005954 #982141 #985232 #987144 #987594 #989512 #990438 #999688
Cross-References: CVE-2016-5009
Affected Products:
  SUSE Enterprise Storage 3
______________________________________________________________________________

An update that solves one vulnerability and has 7 fixes is now available.

Description:

This update provides Ceph 10.2.3, which includes important bug fixes in RBD mirroring, RGW multi-site, CephFS, and RADOS.

Build/OPS:
- AArch64: Detect crc32 extension support from assembler. (bsc#999688)
- Drop legacy ceph RA which doesn't work with systemd unit files.
- The mount.ceph binary, which is used to mount CephFS pools, was moved to the ceph-common package so it can be run from any client.
- Accept bcache devices as data disks and fix partprobe intermittent issues during ceph-disk prepare.

CephFS:
- Several bug fixes for improved stability.

RBD:
- A number of fixes for RBD mirroring.
- Several bug fixes for improved stability.

RADOS:
- CVE-2016-5009: moncommand with empty prefix crashes monitor. (bsc#987144)
- Backports of many asyncmsgr fixes to jewel.
- Several bug fixes for improved OSD stability.
- Fix for a C++ symbol visibility issue in librados.

RGW:
- Fixes for a number of issues related to syncing between remote sites.
- A number of other bug fixes, including fixes for:
  + IPv6
  + HTTPS/port 443 (bsc#990438)
  + radosgw-admin
  + Swift API
  + AWS4 API

For a full list of issues fixed in this release, see:
http://docs.ceph.com/docs/master/release-notes/#v10-2-3-jewel

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Enterprise Storage 3:
  zypper in -t patch SUSE-Storage-3-2016-1653=1

To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Enterprise Storage 3 (aarch64 x86_64):
  ceph-10.2.3+git.1475228057.755cf99-7.3
  ceph-base-10.2.3+git.1475228057.755cf99-7.3
  ceph-base-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  ceph-common-10.2.3+git.1475228057.755cf99-7.3
  ceph-common-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  ceph-debugsource-10.2.3+git.1475228057.755cf99-7.3
  ceph-fuse-10.2.3+git.1475228057.755cf99-7.3
  ceph-fuse-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  ceph-mds-10.2.3+git.1475228057.755cf99-7.3
  ceph-mds-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  ceph-mon-10.2.3+git.1475228057.755cf99-7.3
  ceph-mon-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  ceph-osd-10.2.3+git.1475228057.755cf99-7.3
  ceph-osd-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  ceph-radosgw-10.2.3+git.1475228057.755cf99-7.3
  ceph-radosgw-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  libcephfs1-10.2.3+git.1475228057.755cf99-7.3
  libcephfs1-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  librados2-10.2.3+git.1475228057.755cf99-7.3
  librados2-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  libradosstriper1-10.2.3+git.1475228057.755cf99-7.3
  libradosstriper1-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  librbd1-10.2.3+git.1475228057.755cf99-7.3
  librbd1-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  librgw2-10.2.3+git.1475228057.755cf99-7.3
  librgw2-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  python-ceph-compat-10.2.3+git.1475228057.755cf99-7.3
  python-cephfs-10.2.3+git.1475228057.755cf99-7.3
  python-cephfs-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  python-rados-10.2.3+git.1475228057.755cf99-7.3
  python-rados-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  python-rbd-10.2.3+git.1475228057.755cf99-7.3
  python-rbd-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  rbd-fuse-10.2.3+git.1475228057.755cf99-7.3
  rbd-fuse-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  rbd-mirror-10.2.3+git.1475228057.755cf99-7.3
  rbd-mirror-debuginfo-10.2.3+git.1475228057.755cf99-7.3
  rbd-nbd-10.2.3+git.1475228057.755cf99-7.3
  rbd-nbd-debuginfo-10.2.3+git.1475228057.755cf99-7.3

References:
https://www.suse.com/security/cve/CVE-2016-5009.html
https://bugzilla.suse.com/1005954
https://bugzilla.suse.com/982141
https://bugzilla.suse.com/985232
https://bugzilla.suse.com/987144
https://bugzilla.suse.com/987594
https://bugzilla.suse.com/989512
https://bugzilla.suse.com/990438
https://bugzilla.suse.com/999688

From sle-security-updates at lists.suse.com Wed Nov 16 12:07:42 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 16 Nov 2016 20:07:42 +0100 (CET)
Subject: SUSE-SU-2016:2817-1: moderate: Security update for ghostscript
Message-ID: <20161116190742.97886FFC3@maintenance.suse.de>

SUSE Security Update: Security update for ghostscript
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:2817-1
Rating: moderate
References: #1006592
Cross-References: CVE-2013-5653
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP2
  SUSE Linux Enterprise Software Development Kit 12-SP1
  SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
  SUSE Linux Enterprise Server 12-SP2
  SUSE Linux Enterprise Server 12-SP1
  SUSE Linux Enterprise Desktop 12-SP2
  SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for ghostscript fixes the following issues:
- bsc#1006592: Fix a regression introduced by the fix for CVE-2013-5653, by which ps files couldn't be opened in okular/evince (kde#371887).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP2:
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1657=1
- SUSE Linux Enterprise Software Development Kit 12-SP1:
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1657=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1657=1
- SUSE Linux Enterprise Server 12-SP2:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1657=1
- SUSE Linux Enterprise Server 12-SP1:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1657=1
- SUSE Linux Enterprise Desktop 12-SP2:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1657=1
- SUSE Linux Enterprise Desktop 12-SP1:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1657=1

To bring your system up-to-date, use "zypper patch".

Package List:
- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
  ghostscript-debuginfo-9.15-17.2
  ghostscript-debugsource-9.15-17.2
  ghostscript-devel-9.15-17.2
- SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
  ghostscript-debuginfo-9.15-17.2
  ghostscript-debugsource-9.15-17.2
  ghostscript-devel-9.15-17.2
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
  ghostscript-9.15-17.2
  ghostscript-debuginfo-9.15-17.2
  ghostscript-debugsource-9.15-17.2
  ghostscript-x11-9.15-17.2
  ghostscript-x11-debuginfo-9.15-17.2
- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
  ghostscript-9.15-17.2
  ghostscript-debuginfo-9.15-17.2
  ghostscript-debugsource-9.15-17.2
  ghostscript-x11-9.15-17.2
  ghostscript-x11-debuginfo-9.15-17.2
- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
  ghostscript-9.15-17.2
  ghostscript-debuginfo-9.15-17.2
  ghostscript-debugsource-9.15-17.2
  ghostscript-x11-9.15-17.2
  ghostscript-x11-debuginfo-9.15-17.2
- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
  ghostscript-9.15-17.2
  ghostscript-debuginfo-9.15-17.2
  ghostscript-debugsource-9.15-17.2
  ghostscript-x11-9.15-17.2
  ghostscript-x11-debuginfo-9.15-17.2
- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
  ghostscript-9.15-17.2
  ghostscript-debuginfo-9.15-17.2
  ghostscript-debugsource-9.15-17.2
  ghostscript-x11-9.15-17.2
  ghostscript-x11-debuginfo-9.15-17.2

References:
https://www.suse.com/security/cve/CVE-2013-5653.html
https://bugzilla.suse.com/1006592

From sle-security-updates at lists.suse.com Thu Nov 17 10:07:19 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 17 Nov 2016 18:07:19 +0100 (CET)
Subject: SUSE-SU-2016:2827-1: moderate: Security update for eog
Message-ID: <20161117170719.94A99FFC2@maintenance.suse.de>

SUSE Security Update: Security update for eog
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:2827-1
Rating: moderate
References: #994819
Cross-References: CVE-2016-6855
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP1
  SUSE Linux Enterprise Server 12-SP1
  SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for eog fixes the following issues:
- out-of-bounds write in eog (bsc#994819, CVE-2016-6855)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP1:
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1669=1
- SUSE Linux Enterprise Server 12-SP1:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1669=1
- SUSE Linux Enterprise Desktop 12-SP1:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1669=1

To bring your system up-to-date, use "zypper patch".

Package List:
- SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
  eog-debuginfo-3.10.2-2.3.1
  eog-debugsource-3.10.2-2.3.1
  eog-devel-3.10.2-2.3.1
- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
  eog-3.10.2-2.3.1
  eog-debuginfo-3.10.2-2.3.1
  eog-debugsource-3.10.2-2.3.1
- SUSE Linux Enterprise Server 12-SP1 (noarch):
  eog-lang-3.10.2-2.3.1
- SUSE Linux Enterprise Desktop 12-SP1 (noarch):
  eog-lang-3.10.2-2.3.1
- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
  eog-3.10.2-2.3.1
  eog-debuginfo-3.10.2-2.3.1
  eog-debugsource-3.10.2-2.3.1

References:
https://www.suse.com/security/cve/CVE-2016-6855.html
https://bugzilla.suse.com/994819

From sle-security-updates at lists.suse.com Thu Nov 17 10:07:49 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 17 Nov 2016 18:07:49 +0100 (CET)
Subject: SUSE-SU-2016:2828-1: moderate: Security update for X Window System client libraries
Message-ID: <20161117170749.98392FFC2@maintenance.suse.de>

SUSE Security Update: Security update for X Window System client libraries
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:2828-1
Rating: moderate
References: #1002991 #1002995 #1002998 #1003000 #1003002 #1003012 #1003017 #1003023
Cross-References: CVE-2016-5407 CVE-2016-7942 CVE-2016-7944 CVE-2016-7945 CVE-2016-7946 CVE-2016-7947 CVE-2016-7948 CVE-2016-7949 CVE-2016-7950 CVE-2016-7951 CVE-2016-7952 CVE-2016-7953
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP2
  SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
  SUSE Linux Enterprise Server 12-SP2
  SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.

Description:

This update for the X Window System client libraries fixes a class of privilege escalation issues.
A malicious X server could send specially crafted data to X clients, which allowed for triggering crashes, or privilege escalation if this relationship was untrusted or crossed user or permission level boundaries.

libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv and libXvMC were fixed, specifically:

libX11:
- CVE-2016-7942: insufficient validation of data from the X server allowed an out of boundary memory read (bsc#1002991)

libXfixes:
- CVE-2016-7944: insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures (bsc#1002995)

libXi:
- CVE-2016-7945, CVE-2016-7946: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998)

libXtst:
- CVE-2016-7951, CVE-2016-7952: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1003012)

libXv:
- CVE-2016-5407: insufficient validation of data from the X server can cause out of boundary memory access and memory corruption (bsc#1003017)

libXvMC:
- CVE-2016-7953: insufficient validation of data from the X server can cause a one byte buffer read underrun (bsc#1003023)

libXrender:
- CVE-2016-7949, CVE-2016-7950: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003002)

libXrandr:
- CVE-2016-7947, CVE-2016-7948: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003000)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP2:
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1668=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1668=1
- SUSE Linux Enterprise Server 12-SP2:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1668=1
- SUSE Linux Enterprise Desktop 12-SP2:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1668=1

To bring your system up-to-date, use "zypper patch".

Package List:
- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
  libX11-debugsource-1.6.2-8.1
  libX11-devel-1.6.2-8.1
  libXfixes-debugsource-5.0.1-7.1
  libXfixes-devel-5.0.1-7.1
  libXi-debugsource-1.7.4-14.1
  libXi-devel-1.7.4-14.1
  libXrender-debugsource-0.9.8-7.1
  libXrender-devel-0.9.8-7.1
  libXtst-debugsource-1.2.2-7.1
  libXtst-devel-1.2.2-7.1
  libXv-debugsource-1.0.10-7.1
  libXv-devel-1.0.10-7.1
  libXvMC-debugsource-1.0.8-7.1
  libXvMC-devel-1.0.8-7.1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
  libX11-6-1.6.2-8.1
  libX11-6-debuginfo-1.6.2-8.1
  libX11-debugsource-1.6.2-8.1
  libX11-xcb1-1.6.2-8.1
  libX11-xcb1-debuginfo-1.6.2-8.1
  libXfixes-debugsource-5.0.1-7.1
  libXfixes3-5.0.1-7.1
  libXfixes3-debuginfo-5.0.1-7.1
  libXi-debugsource-1.7.4-14.1
  libXi6-1.7.4-14.1
  libXi6-debuginfo-1.7.4-14.1
  libXrender-debugsource-0.9.8-7.1
  libXrender1-0.9.8-7.1
  libXrender1-debuginfo-0.9.8-7.1
  libXtst-debugsource-1.2.2-7.1
  libXtst6-1.2.2-7.1
  libXtst6-debuginfo-1.2.2-7.1
  libXv-debugsource-1.0.10-7.1
  libXv1-1.0.10-7.1
  libXv1-debuginfo-1.0.10-7.1
  libXvMC-debugsource-1.0.8-7.1
  libXvMC1-1.0.8-7.1
  libXvMC1-debuginfo-1.0.8-7.1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):
  libX11-data-1.6.2-8.1
- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
  libX11-6-1.6.2-8.1
  libX11-6-debuginfo-1.6.2-8.1
  libX11-debugsource-1.6.2-8.1
  libX11-xcb1-1.6.2-8.1
  libX11-xcb1-debuginfo-1.6.2-8.1
  libXfixes-debugsource-5.0.1-7.1
  libXfixes3-5.0.1-7.1
  libXfixes3-debuginfo-5.0.1-7.1
  libXi-debugsource-1.7.4-14.1
  libXi6-1.7.4-14.1
  libXi6-debuginfo-1.7.4-14.1
  libXrender-debugsource-0.9.8-7.1
  libXrender1-0.9.8-7.1
  libXrender1-debuginfo-0.9.8-7.1
  libXtst-debugsource-1.2.2-7.1
  libXtst6-1.2.2-7.1
  libXtst6-debuginfo-1.2.2-7.1
  libXv-debugsource-1.0.10-7.1
  libXv1-1.0.10-7.1
  libXv1-debuginfo-1.0.10-7.1
  libXvMC-debugsource-1.0.8-7.1
  libXvMC1-1.0.8-7.1
  libXvMC1-debuginfo-1.0.8-7.1
- SUSE Linux Enterprise Server 12-SP2 (noarch):
  libX11-data-1.6.2-8.1
- SUSE Linux Enterprise Server 12-SP2 (x86_64):
  libX11-6-32bit-1.6.2-8.1
  libX11-6-debuginfo-32bit-1.6.2-8.1
  libX11-xcb1-32bit-1.6.2-8.1
  libX11-xcb1-debuginfo-32bit-1.6.2-8.1
  libXfixes3-32bit-5.0.1-7.1
  libXfixes3-debuginfo-32bit-5.0.1-7.1
  libXi6-32bit-1.7.4-14.1
  libXi6-debuginfo-32bit-1.7.4-14.1
  libXrender1-32bit-0.9.8-7.1
  libXrender1-debuginfo-32bit-0.9.8-7.1
  libXtst6-32bit-1.2.2-7.1
  libXtst6-debuginfo-32bit-1.2.2-7.1
  libXv1-32bit-1.0.10-7.1
  libXv1-debuginfo-32bit-1.0.10-7.1
- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
  libX11-6-1.6.2-8.1
  libX11-6-32bit-1.6.2-8.1
  libX11-6-debuginfo-1.6.2-8.1
  libX11-6-debuginfo-32bit-1.6.2-8.1
  libX11-debugsource-1.6.2-8.1
  libX11-xcb1-1.6.2-8.1
  libX11-xcb1-32bit-1.6.2-8.1
  libX11-xcb1-debuginfo-1.6.2-8.1
  libX11-xcb1-debuginfo-32bit-1.6.2-8.1
  libXfixes-debugsource-5.0.1-7.1
  libXfixes3-32bit-5.0.1-7.1
  libXfixes3-5.0.1-7.1
  libXfixes3-debuginfo-32bit-5.0.1-7.1
  libXfixes3-debuginfo-5.0.1-7.1
  libXi-debugsource-1.7.4-14.1
  libXi6-1.7.4-14.1
  libXi6-32bit-1.7.4-14.1
  libXi6-debuginfo-1.7.4-14.1
  libXi6-debuginfo-32bit-1.7.4-14.1
  libXrender-debugsource-0.9.8-7.1
  libXrender1-0.9.8-7.1
  libXrender1-32bit-0.9.8-7.1
  libXrender1-debuginfo-0.9.8-7.1
  libXrender1-debuginfo-32bit-0.9.8-7.1
  libXtst-debugsource-1.2.2-7.1
  libXtst6-1.2.2-7.1
  libXtst6-32bit-1.2.2-7.1
  libXtst6-debuginfo-1.2.2-7.1
  libXtst6-debuginfo-32bit-1.2.2-7.1
  libXv-debugsource-1.0.10-7.1
  libXv1-1.0.10-7.1
  libXv1-32bit-1.0.10-7.1
  libXv1-debuginfo-1.0.10-7.1
  libXv1-debuginfo-32bit-1.0.10-7.1
  libXvMC-debugsource-1.0.8-7.1
  libXvMC1-1.0.8-7.1
  libXvMC1-debuginfo-1.0.8-7.1
- SUSE Linux Enterprise Desktop 12-SP2 (noarch):
  libX11-data-1.6.2-8.1

References:
https://www.suse.com/security/cve/CVE-2016-5407.html
https://www.suse.com/security/cve/CVE-2016-7942.html
https://www.suse.com/security/cve/CVE-2016-7944.html
https://www.suse.com/security/cve/CVE-2016-7945.html
https://www.suse.com/security/cve/CVE-2016-7946.html
https://www.suse.com/security/cve/CVE-2016-7947.html
https://www.suse.com/security/cve/CVE-2016-7948.html
https://www.suse.com/security/cve/CVE-2016-7949.html
https://www.suse.com/security/cve/CVE-2016-7950.html
https://www.suse.com/security/cve/CVE-2016-7951.html
https://www.suse.com/security/cve/CVE-2016-7952.html
https://www.suse.com/security/cve/CVE-2016-7953.html
https://bugzilla.suse.com/1002991
https://bugzilla.suse.com/1002995
https://bugzilla.suse.com/1002998
https://bugzilla.suse.com/1003000
https://bugzilla.suse.com/1003002
https://bugzilla.suse.com/1003012
https://bugzilla.suse.com/1003017
https://bugzilla.suse.com/1003023

From sle-security-updates at lists.suse.com Fri Nov 18 08:07:44 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 18 Nov 2016 16:07:44 +0100 (CET)
Subject: SUSE-SU-2016:2859-1: moderate: Security update for python3
Message-ID: <20161118150744.A8480FFC2@maintenance.suse.de>

SUSE Security Update: Security update for python3
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:2859-1
Rating: moderate
References: #951166 #983582 #984751 #985177 #985348 #989523 #991069
Cross-References: CVE-2016-0772 CVE-2016-1000110 CVE-2016-5636 CVE-2016-5699
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP2
  SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
  SUSE Linux Enterprise Server 12-SP2
  SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

An update that solves four vulnerabilities and has three fixes is now available.

Description:

This update provides Python 3.4.5, which brings many fixes and enhancements.

The following security issues have been fixed:
- CVE-2016-1000110: CGIHandler could have allowed setting of the HTTP_PROXY environment variable based on a user-supplied Proxy request header. (bsc#989523)
- CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM attacker to perform a STARTTLS stripping attack. (bsc#984751)
- CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177)
- CVE-2016-5699: A header injection flaw in urllib2/urllib/httplib/http.client. (bsc#985348)

The update also includes the following non-security fixes:
- Don't force 3rd party C extensions to be built with -Werror=declaration-after-statement. (bsc#951166)
- Make urllib proxy var handling behave as usual on POSIX. (bsc#983582)

For a comprehensive list of changes please refer to the upstream change log:
https://docs.python.org/3.4/whatsnew/changelog.html

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP2:
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1676=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1676=1
- SUSE Linux Enterprise Server 12-SP2:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1676=1
- SUSE Linux Enterprise Desktop 12-SP2:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1676=1

To bring your system up-to-date, use "zypper patch".
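The CGIHandler issue above (CVE-2016-1000110, known as httpoxy) comes down to a name collision: CGI maps a client-supplied Proxy request header to the HTTP_PROXY environment variable, which proxy-aware HTTP client code then reads as its outbound proxy setting. The following is an added illustration, not CPython's code: it models that mapping on a constructed header set, shows the mitigation Python 3.4.5 adopted in urllib (ignore HTTP_PROXY whenever REQUEST_METHOD is set, i.e. in CGI mode), and adds a request-side check a gateway can run; all header and proxy values are constructed.

```python
from typing import Dict, Optional

# Constructed request headers as a CGI gateway might receive them; the
# "Proxy" header is the one an httpoxy attempt carries (no browser sends it).
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "app.example.test",                      # constructed
    "User-Agent": "demo-client/1.0",                 # constructed
    "Proxy": "http://proxy.untrusted.invalid:3128",  # constructed, client-supplied
}

# Constructed operator-side setting: a lowercase http_proxy exported by the
# administrator, which is never derived from a request.
OPERATOR_ENV: Dict[str, str] = {"http_proxy": "http://proxy.corp.internal:8080"}


def cgi_environ(headers: Dict[str, str], method: str = "GET",
                base_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Build the CGI environment the way RFC 3875 specifies: each request
    header becomes HTTP_<NAME>, with '-' turned into '_' and upper-cased.
    A client header named 'Proxy' therefore becomes HTTP_PROXY, the exact
    variable proxy-aware HTTP clients read.  That collision is httpoxy."""
    env = dict(base_env or {})
    env["REQUEST_METHOD"] = method
    for name, value in headers.items():
        env["HTTP_" + name.replace("-", "_").upper()] = value.strip()
    return env


def outbound_http_proxy(env: Dict[str, str], hardened: bool = True) -> Optional[str]:
    """Resolve the proxy an outbound HTTP request from the script would use.

    Vulnerable behaviour: honour HTTP_PROXY whenever it is set, so the
    script's own web requests get routed through a client-chosen host.

    Hardened behaviour (the rule Python 3.4.5 applies in urllib): when
    REQUEST_METHOD is present the process is a CGI script, so any upper-case
    HTTP_PROXY originated from the request and is ignored; the lowercase
    http_proxy, which only the operator can set, is still honoured.
    Outside CGI (no REQUEST_METHOD) HTTP_PROXY remains an operator setting."""
    if hardened and "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("http_proxy") or env.get("HTTP_PROXY")


def has_proxy_header(headers: Dict[str, str]) -> bool:
    """Detection check for the gateway or WAF layer: a 'Proxy' request header
    has no legitimate client use, so its presence is worth logging and the
    header is worth dropping before the request reaches any CGI script."""
    return any(name.lower() == "proxy" for name in headers)


if __name__ == "__main__":
    env = cgi_environ(SAMPLE_HEADERS)
    print("HTTP_PROXY in CGI env:", env.get("HTTP_PROXY"))
    print("vulnerable client would use:", outbound_http_proxy(env, hardened=False))
    print("hardened client uses:", outbound_http_proxy(env))
    print("Proxy header seen:", has_proxy_header(SAMPLE_HEADERS))
```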
Package List:
- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
  python3-base-debuginfo-3.4.5-19.1
  python3-base-debugsource-3.4.5-19.1
  python3-devel-3.4.5-19.1
- SUSE Linux Enterprise Software Development Kit 12-SP2 (ppc64le s390x x86_64):
  python3-devel-debuginfo-3.4.5-19.1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
  libpython3_4m1_0-3.4.5-19.1
  libpython3_4m1_0-debuginfo-3.4.5-19.1
  python3-3.4.5-19.1
  python3-base-3.4.5-19.1
  python3-base-debuginfo-3.4.5-19.1
  python3-base-debugsource-3.4.5-19.1
  python3-curses-3.4.5-19.1
  python3-curses-debuginfo-3.4.5-19.1
  python3-debuginfo-3.4.5-19.1
  python3-debugsource-3.4.5-19.1
- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
  libpython3_4m1_0-3.4.5-19.1
  libpython3_4m1_0-debuginfo-3.4.5-19.1
  python3-3.4.5-19.1
  python3-base-3.4.5-19.1
  python3-base-debuginfo-3.4.5-19.1
  python3-base-debugsource-3.4.5-19.1
  python3-curses-3.4.5-19.1
  python3-curses-debuginfo-3.4.5-19.1
  python3-debuginfo-3.4.5-19.1
  python3-debugsource-3.4.5-19.1
- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
  libpython3_4m1_0-3.4.5-19.1
  libpython3_4m1_0-debuginfo-3.4.5-19.1
  python3-3.4.5-19.1
  python3-base-3.4.5-19.1
  python3-base-debuginfo-3.4.5-19.1
  python3-base-debugsource-3.4.5-19.1
  python3-curses-3.4.5-19.1
  python3-curses-debuginfo-3.4.5-19.1
  python3-debuginfo-3.4.5-19.1
  python3-debugsource-3.4.5-19.1

References:
https://www.suse.com/security/cve/CVE-2016-0772.html
https://www.suse.com/security/cve/CVE-2016-1000110.html
https://www.suse.com/security/cve/CVE-2016-5636.html
https://www.suse.com/security/cve/CVE-2016-5699.html
https://bugzilla.suse.com/951166
https://bugzilla.suse.com/983582
https://bugzilla.suse.com/984751
https://bugzilla.suse.com/985177
https://bugzilla.suse.com/985348
https://bugzilla.suse.com/989523
https://bugzilla.suse.com/991069

From sle-security-updates at lists.suse.com Tue Nov 22 07:07:38 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 22 Nov 2016 15:07:38 +0100 (CET)
Subject: SUSE-SU-2016:2869-1: important: Security update for pacemaker
Message-ID: <20161122140738.E42FAFFBF@maintenance.suse.de>

SUSE Security Update: Security update for pacemaker
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:2869-1
Rating: important
References: #1000743 #1002767 #1003565 #1007433 #967388 #986644 #987348
Cross-References: CVE-2016-7035 CVE-2016-7797
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP2
  SUSE Linux Enterprise High Availability 12-SP2
______________________________________________________________________________

An update that solves two vulnerabilities and has 5 fixes is now available.

Description:

This update for pacemaker fixes the following issues:

Security issues fixed:
- CVE-2016-7797: Notify other clients of a new connection only if the handshake has completed (bsc#967388, bsc#1002767).
- CVE-2016-7035: Fixed improper IPC guarding in pacemaker (bsc#1007433).

Bug fixes:
- bsc#1003565: crmd: Record pending operations in the CIB before they are performed
- bsc#1000743: pengine: Do not fence a maintenance node if it shuts down cleanly
- bsc#987348: ping: Avoid temporary files for fping check
- bsc#986644: libcrmcommon: report errors consistently when waiting for data on connection
- bsc#986644: remote: Correctly calculate the remaining timeouts when receiving messages

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP2:
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1679=1
- SUSE Linux Enterprise High Availability 12-SP2:
  zypper in -t patch SUSE-SLE-HA-12-SP2-2016-1679=1

To bring your system up-to-date, use "zypper patch".

Package List:
- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
  libpacemaker-devel-1.1.15-21.1
  pacemaker-cts-1.1.15-21.1
  pacemaker-cts-debuginfo-1.1.15-21.1
  pacemaker-debuginfo-1.1.15-21.1
  pacemaker-debugsource-1.1.15-21.1
- SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):
  libpacemaker3-1.1.15-21.1
  libpacemaker3-debuginfo-1.1.15-21.1
  pacemaker-1.1.15-21.1
  pacemaker-cli-1.1.15-21.1
  pacemaker-cli-debuginfo-1.1.15-21.1
  pacemaker-cts-1.1.15-21.1
  pacemaker-cts-debuginfo-1.1.15-21.1
  pacemaker-debuginfo-1.1.15-21.1
  pacemaker-debugsource-1.1.15-21.1
  pacemaker-remote-1.1.15-21.1
  pacemaker-remote-debuginfo-1.1.15-21.1

References:
https://www.suse.com/security/cve/CVE-2016-7035.html
https://www.suse.com/security/cve/CVE-2016-7797.html
https://bugzilla.suse.com/1000743
https://bugzilla.suse.com/1002767
https://bugzilla.suse.com/1003565
https://bugzilla.suse.com/1007433
https://bugzilla.suse.com/967388
https://bugzilla.suse.com/986644
https://bugzilla.suse.com/987348

From sle-security-updates at lists.suse.com Tue Nov 22 08:07:00 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 22 Nov 2016 16:07:00 +0100 (CET)
Subject: SUSE-SU-2016:2871-1: moderate: Security update for libtcnative-1-0
Message-ID: <20161122150700.33650FFC2@maintenance.suse.de>

SUSE Security Update: Security update for libtcnative-1-0
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:2871-1
Rating: moderate
References: #1004455
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP2
  SUSE Linux Enterprise Software Development Kit 12-SP1
  SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
  SUSE Linux Enterprise Server 12-SP2
  SUSE Linux Enterprise Server 12-SP1
______________________________________________________________________________

An update that contains security fixes can now be installed.
Description:

   This update for libtcnative-1-0 fixes the following issues:

   - Upgrade to libtcnative-1.1.34 (bugfix release) (bsc#1004455)
     See https://tomcat.apache.org/native-1.1-doc/miscellaneous/changelog.html
     * Unconditionally disable export ciphers.
     * Improve ephemeral key handling for DH and ECDH. Parameter strength is
       by default derived from the certificate key strength.
     * APIs SSL.generateRSATempKey() and SSL.loadDSATempKey() are no longer
       supported.
     * Various bugfixes.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1680=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1680=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1680=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1680=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1680=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      libtcnative-1-0-debuginfo-1.1.34-12.1
      libtcnative-1-0-debugsource-1.1.34-12.1
      libtcnative-1-0-devel-1.1.34-12.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libtcnative-1-0-debuginfo-1.1.34-12.1
      libtcnative-1-0-debugsource-1.1.34-12.1
      libtcnative-1-0-devel-1.1.34-12.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libtcnative-1-0-1.1.34-12.1
      libtcnative-1-0-debuginfo-1.1.34-12.1
      libtcnative-1-0-debugsource-1.1.34-12.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      libtcnative-1-0-1.1.34-12.1
      libtcnative-1-0-debuginfo-1.1.34-12.1
      libtcnative-1-0-debugsource-1.1.34-12.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libtcnative-1-0-1.1.34-12.1
      libtcnative-1-0-debuginfo-1.1.34-12.1
      libtcnative-1-0-debugsource-1.1.34-12.1

References:

   https://bugzilla.suse.com/1004455


From sle-security-updates at lists.suse.com  Tue Nov 22 08:07:28 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 22 Nov 2016 16:07:28 +0100 (CET)
Subject: SUSE-SU-2016:2872-1: moderate: Security update for bash
Message-ID: <20161122150728.B6FA8FFC2@maintenance.suse.de>

SUSE Security Update: Security update for bash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2872-1
Rating:             moderate
References:         #1000396 #1001299 #1001759 #898812 #898884
Cross-References:   CVE-2014-6277 CVE-2014-6278 CVE-2016-0634 CVE-2016-7543
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves four vulnerabilities and has one errata is now
   available.

Description:

   This update for bash fixes the following issues:

   - CVE-2016-7543: Local attackers could have executed arbitrary commands
     via specially crafted SHELLOPTS+PS4 variables (bsc#1001299)
   - CVE-2016-0634: Malicious hostnames could have allowed arbitrary command
     execution when $HOSTNAME was expanded in the prompt (bsc#1000396)
   - CVE-2014-6277: More troubles with functions (bsc#898812, bsc#1001759)
   - CVE-2014-6278: Code execution after the original CVE-2014-6271 fix
     (bsc#898884)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1681=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1681=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1681=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1681=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (noarch):

      bash-lang-4.2-82.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      bash-debuginfo-4.2-82.1
      bash-debugsource-4.2-82.1
      bash-devel-4.2-82.1
      readline-devel-6.2-82.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      bash-4.2-82.1
      bash-debuginfo-4.2-82.1
      bash-debugsource-4.2-82.1
      libreadline6-6.2-82.1
      libreadline6-debuginfo-6.2-82.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libreadline6-32bit-6.2-82.1
      libreadline6-debuginfo-32bit-6.2-82.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      bash-doc-4.2-82.1
      readline-doc-6.2-82.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      bash-doc-4.2-82.1
      bash-lang-4.2-82.1
      readline-doc-6.2-82.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      bash-4.2-82.1
      bash-debuginfo-4.2-82.1
      bash-debugsource-4.2-82.1
      libreadline6-32bit-6.2-82.1
      libreadline6-6.2-82.1
      libreadline6-debuginfo-32bit-6.2-82.1
      libreadline6-debuginfo-6.2-82.1

References:

   https://www.suse.com/security/cve/CVE-2014-6277.html
   https://www.suse.com/security/cve/CVE-2014-6278.html
   https://www.suse.com/security/cve/CVE-2016-0634.html
   https://www.suse.com/security/cve/CVE-2016-7543.html
   https://bugzilla.suse.com/1000396
   https://bugzilla.suse.com/1001299
   https://bugzilla.suse.com/1001759
   https://bugzilla.suse.com/898812
   https://bugzilla.suse.com/898884


From sle-security-updates at lists.suse.com  Tue Nov 22 11:09:07 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 22 Nov 2016 19:09:07 +0100 (CET)
Subject: SUSE-SU-2016:2879-1: moderate: Security update for qemu
Message-ID: <20161122180907.EC7A6FFBF@maintenance.suse.de>

SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2879-1
Rating:             moderate
References:         #1000345 #1000346 #1001151 #1002116 #1002549 #1002550
                    #1002557 #1003612 #1003613 #1003878 #1003893 #1003894
                    #1004702 #1004706 #1004707 #1005353 #1005374 #1006536
                    #1006538 #1007263 #1007391 #1007493 #1007494 #1007495
                    #1007769 #1008148 #998516
Cross-References:   CVE-2016-7161 CVE-2016-7170 CVE-2016-7422 CVE-2016-7466
                    CVE-2016-7907 CVE-2016-7908 CVE-2016-7909 CVE-2016-7994
                    CVE-2016-7995 CVE-2016-8576 CVE-2016-8577 CVE-2016-8578
                    CVE-2016-8667 CVE-2016-8668 CVE-2016-8669 CVE-2016-8909
                    CVE-2016-8910 CVE-2016-9101 CVE-2016-9104 CVE-2016-9105
                    CVE-2016-9106
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

   An update that solves 21 vulnerabilities and has 6 fixes is now
   available.

Description:

   This update for qemu to version 2.6.2 fixes several issues.

   These security issues were fixed:

   - CVE-2016-7161: Heap-based buffer overflow in the .receive callback of
     xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allowed attackers to
     execute arbitrary code on the QEMU host via a large ethlite packet
     (bsc#1001151).
   - CVE-2016-7170: OOB stack memory access when processing svga command
     (bsc#998516).
   - CVE-2016-7466: xhci memory leakage during device unplug (bsc#1000345).
   - CVE-2016-7422: NULL pointer dereference in virtqueue_map_desc
     (bsc#1000346).
   - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not
     properly limit the buffer descriptor count when transmitting packets,
     which allowed local guest OS administrators to cause a denial of
     service (infinite loop and QEMU process crash) via vectors involving a
     buffer descriptor with a length of 0 and crafted values in bd.flags
     (bsc#1002550).
   - CVE-2016-7995: Memory leak in ehci_process_itd (bsc#1003612).
   - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c
     allowed local guest OS administrators to cause a denial of service
     (infinite loop and QEMU process crash) by leveraging failure to limit
     the number of link Transfer Request Blocks (TRB) to process
     (bsc#1003878).
   - CVE-2016-8578: The v9fs_iov_vunmarshal function in
     fsdev/9p-iov-marshal.c allowed local guest OS administrators to cause a
     denial of service (NULL pointer dereference and QEMU process crash) by
     sending an empty string parameter to a 9P operation (bsc#1003894).
   - CVE-2016-9105: Memory leakage in v9fs_link (bsc#1007494).
   - CVE-2016-8577: Memory leak in the v9fs_read function in hw/9pfs/9p.c
     allowed local guest OS administrators to cause a denial of service
     (memory consumption) via vectors related to an I/O read operation
     (bsc#1003893).
   - CVE-2016-9106: Memory leakage in v9fs_write (bsc#1007495).
   - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c
     allowed local guest OS administrators to cause a denial of service
     (divide-by-zero error and QEMU process crash) via vectors involving a
     value of divider greater than baud base (bsc#1004707).
   - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed
     local guest OS administrators to cause a denial of service (infinite
     loop and QEMU process crash) by setting the (1) receive or (2) transmit
     descriptor ring length to 0 (bsc#1002557).
   - CVE-2016-9101: eepro100 memory leakage when unplugging a device
     (bsc#1007391).
   - CVE-2016-8668: The rocker_io_writel function in hw/net/rocker/rocker.c
     allowed local guest OS administrators to cause a denial of service
     (out-of-bounds read and QEMU process crash) by leveraging failure to
     limit DMA buffer size (bsc#1004706).
   - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c
     allowed local guest OS administrators to cause a denial of service
     (infinite loop and CPU consumption) by leveraging failure to limit the
     ring descriptor count (bsc#1006538).
   - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c
     allowed local guest OS administrators to cause a denial of service
     (infinite loop and CPU consumption) via an entry with the same value
     for buffer length and pointer position (bsc#1006536).
   - CVE-2016-7994: Memory leak in virtio_gpu_resource_create_2d
     (bsc#1003613).
   - CVE-2016-9104: Integer overflow leading to OOB access in 9pfs
     (bsc#1007493).
   - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c allowed
     local guest OS administrators to cause a denial of service
     (divide-by-zero error and QEMU process crash) via a large interval
     timer reload value (bsc#1004702).
   - CVE-2016-7907: The pcnet_rdra_addr function in hw/net/pcnet.c allowed
     local guest OS administrators to cause a denial of service (infinite
     loop and QEMU process crash) by setting the (1) receive or (2) transmit
     descriptor ring length to 0 (bsc#1002549).

   These non-security issues were fixed:

   - Change kvm-supported.txt to be per-architecture documentation, stored
     in the package documentation directory of each per-arch package
     (bsc#1005353).
   - Update support doc to include current ARM64 (AArch64) support stance
     (bsc#1005374).
   - Fix migration failure when snapshot also has been done (bsc#1008148).
   - Change package post script udevadm trigger calls to be device specific
     (bsc#1002116).
   - Add qmp-commands.txt documentation file back in. It was inadvertently
     dropped.
   - Add an x86 cpu option (l3-cache) to specify that an L3 cache is present
     and another option (cpuid-0xb) to enable the cpuid 0xb leaf
     (bsc#1007769).

   For Leap 42.2 this update also enables smartcard support (bsc#1007263).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1682=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1682=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1682=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      qemu-2.6.2-31.2
      qemu-arm-2.6.2-31.2
      qemu-arm-debuginfo-2.6.2-31.2
      qemu-block-curl-2.6.2-31.2
      qemu-block-curl-debuginfo-2.6.2-31.2
      qemu-block-rbd-2.6.2-31.2
      qemu-block-rbd-debuginfo-2.6.2-31.2
      qemu-block-ssh-2.6.2-31.2
      qemu-block-ssh-debuginfo-2.6.2-31.2
      qemu-debugsource-2.6.2-31.2
      qemu-guest-agent-2.6.2-31.2
      qemu-guest-agent-debuginfo-2.6.2-31.2
      qemu-lang-2.6.2-31.2
      qemu-tools-2.6.2-31.2
      qemu-tools-debuginfo-2.6.2-31.2

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):

      qemu-ipxe-1.0.0-31.2

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      qemu-2.6.2-31.2
      qemu-block-curl-2.6.2-31.2
      qemu-block-curl-debuginfo-2.6.2-31.2
      qemu-block-ssh-2.6.2-31.2
      qemu-block-ssh-debuginfo-2.6.2-31.2
      qemu-debugsource-2.6.2-31.2
      qemu-guest-agent-2.6.2-31.2
      qemu-guest-agent-debuginfo-2.6.2-31.2
      qemu-lang-2.6.2-31.2
      qemu-tools-2.6.2-31.2
      qemu-tools-debuginfo-2.6.2-31.2

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 x86_64):

      qemu-block-rbd-2.6.2-31.2
      qemu-block-rbd-debuginfo-2.6.2-31.2

   - SUSE Linux Enterprise Server 12-SP2 (ppc64le):

      qemu-ppc-2.6.2-31.2
      qemu-ppc-debuginfo-2.6.2-31.2

   - SUSE Linux Enterprise Server 12-SP2 (aarch64):

      qemu-arm-2.6.2-31.2
      qemu-arm-debuginfo-2.6.2-31.2

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      qemu-kvm-2.6.2-31.2
      qemu-x86-2.6.2-31.2

   - SUSE Linux Enterprise Server 12-SP2 (noarch):

      qemu-ipxe-1.0.0-31.2
      qemu-seabios-1.9.1-31.2
      qemu-sgabios-8-31.2
      qemu-vgabios-1.9.1-31.2

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      qemu-2.6.2-31.2
      qemu-block-curl-2.6.2-31.2
      qemu-block-curl-debuginfo-2.6.2-31.2
      qemu-debugsource-2.6.2-31.2
      qemu-kvm-2.6.2-31.2
      qemu-tools-2.6.2-31.2
      qemu-tools-debuginfo-2.6.2-31.2
      qemu-x86-2.6.2-31.2

   - SUSE Linux Enterprise Desktop 12-SP2 (noarch):

      qemu-ipxe-1.0.0-31.2
      qemu-seabios-1.9.1-31.2
      qemu-sgabios-8-31.2
      qemu-vgabios-1.9.1-31.2

References:

   https://www.suse.com/security/cve/CVE-2016-7161.html
   https://www.suse.com/security/cve/CVE-2016-7170.html
   https://www.suse.com/security/cve/CVE-2016-7422.html
   https://www.suse.com/security/cve/CVE-2016-7466.html
   https://www.suse.com/security/cve/CVE-2016-7907.html
   https://www.suse.com/security/cve/CVE-2016-7908.html
   https://www.suse.com/security/cve/CVE-2016-7909.html
   https://www.suse.com/security/cve/CVE-2016-7994.html
   https://www.suse.com/security/cve/CVE-2016-7995.html
   https://www.suse.com/security/cve/CVE-2016-8576.html
   https://www.suse.com/security/cve/CVE-2016-8577.html
   https://www.suse.com/security/cve/CVE-2016-8578.html
   https://www.suse.com/security/cve/CVE-2016-8667.html
   https://www.suse.com/security/cve/CVE-2016-8668.html
   https://www.suse.com/security/cve/CVE-2016-8669.html
   https://www.suse.com/security/cve/CVE-2016-8909.html
   https://www.suse.com/security/cve/CVE-2016-8910.html
   https://www.suse.com/security/cve/CVE-2016-9101.html
   https://www.suse.com/security/cve/CVE-2016-9104.html
   https://www.suse.com/security/cve/CVE-2016-9105.html
   https://www.suse.com/security/cve/CVE-2016-9106.html
   https://bugzilla.suse.com/1000345
   https://bugzilla.suse.com/1000346
   https://bugzilla.suse.com/1001151
   https://bugzilla.suse.com/1002116
   https://bugzilla.suse.com/1002549
   https://bugzilla.suse.com/1002550
   https://bugzilla.suse.com/1002557
   https://bugzilla.suse.com/1003612
   https://bugzilla.suse.com/1003613
   https://bugzilla.suse.com/1003878
   https://bugzilla.suse.com/1003893
   https://bugzilla.suse.com/1003894
   https://bugzilla.suse.com/1004702
   https://bugzilla.suse.com/1004706
   https://bugzilla.suse.com/1004707
   https://bugzilla.suse.com/1005353
   https://bugzilla.suse.com/1005374
   https://bugzilla.suse.com/1006536
   https://bugzilla.suse.com/1006538
   https://bugzilla.suse.com/1007263
   https://bugzilla.suse.com/1007391
   https://bugzilla.suse.com/1007493
   https://bugzilla.suse.com/1007494
   https://bugzilla.suse.com/1007495
   https://bugzilla.suse.com/1007769
   https://bugzilla.suse.com/1008148
   https://bugzilla.suse.com/998516


From sle-security-updates at lists.suse.com  Wed Nov 23 06:07:23 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 23 Nov 2016 14:07:23 +0100 (CET)
Subject: SUSE-SU-2016:2887-1: important: Security update for java-1_8_0-openjdk
Message-ID: <20161123130723.C5D7BFFC2@maintenance.suse.de>

SUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2887-1
Rating:             important
References:         #1005522 #1005523 #1005524 #1005525 #1005526 #1005527
                    #1005528 #988651
Cross-References:   CVE-2016-5542 CVE-2016-5554 CVE-2016-5556 CVE-2016-5568
                    CVE-2016-5573 CVE-2016-5582 CVE-2016-5597
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has one errata is now
   available.
Description: OpenJDK Java was updated to jdk8u111 (icedtea 3.2.0) to fix the following issues: * Security fixes + S8146490: Direct indirect CRL checks + S8151921: Improved page resolution + S8155968: Update command line options + S8155973, CVE-2016-5542: Tighten jar checks (bsc#1005522) + S8156794: Extend data sharing + S8157176: Improved classfile parsing + S8157739, CVE-2016-5554: Classloader Consistency Checking (bsc#1005523) + S8157749: Improve handling of DNS error replies + S8157753: Audio replay enhancement + S8157759: LCMS Transform Sampling Enhancement + S8157764: Better handling of interpolation plugins + S8158302: Handle contextual glyph substitutions + S8158993, CVE-2016-5568: Service Menu services (bsc#1005525) + S8159495: Fix index offsets + S8159503: Amend Annotation Actions + S8159511: Stack map validation + S8159515: Improve indy validation + S8159519, CVE-2016-5573: Reformat JDWP messages (bsc#1005526) + S8160090: Better signature handling in pack200 + S8160094: Improve pack200 layout + S8160098: Clean up color profiles + S8160591, CVE-2016-5582: Improve internal array handling (bsc#1005527) + S8160838, CVE-2016-5597: Better HTTP service (bsc#1005528) + PR3206, RH1367357: lcms2: Out-of-bounds read in Type_MLU_Read() + CVE-2016-5556 (bsc#1005524) * New features + PR1370: Provide option to build without debugging + PR1375: Provide option to strip and link debugging info after build + PR1537: Handle alternative Kerberos credential cache locations + PR1978: Allow use of system PCSC + PR2445: Support system libsctp + PR3182: Support building without pre-compiled headers + PR3183: Support Fedora/RHEL system crypto policy + PR3221: Use pkgconfig to detect Kerberos CFLAGS and libraries * Import of OpenJDK 8 u102 build 14 + S4515292: ReferenceType.isStatic() returns true for arrays + S4858370: JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command + S6976636: JVM/TI test ex03t001 fails assertion + S7185591: jcmd-big-script.sh 
ERROR: could not find app's Java pid. + S8017462: G1: guarantee fails with UseDynamicNumberOfGCThreads + S8034168: ThreadMXBean/Locks.java failed, blocked on wrong object + S8036006: [TESTBUG] sun/tools/native2ascii/NativeErrors.java fails: Process exit code was 0, but error was expected. + S8041781: Need new regression tests for PBE keys + S8041787: Need new regressions tests for buffer handling for PBE algorithms + S8043836: Need new tests for AES cipher + S8044199: Tests for RSA keys and key specifications + S8044772: TempDirTest.java still times out with -Xcomp + S8046339: sun.rmi.transport.DGCAckHandler leaks memory + S8047031: Add SocketPermission tests for legacy socket types + S8048052: Permission tests for setFactory + S8048138: Tests for JAAS callbacks + S8048147: Privilege tests with JAAS Subject.doAs + S8048356: SecureRandom default provider tests + S8048357: PKCS basic tests + S8048360: Test signed jar files + S8048362: Tests for doPrivileged with accomplice + S8048596: Tests for AEAD ciphers + S8048599: Tests for key wrap and unwrap operations + S8048603: Additional tests for MAC algorithms + S8048604: Tests for strong crypto ciphers + S8048607: Test key generation of DES and DESEDE + S8048610: Implement regression test for bug fix of 4686632 in JCE + S8048617: Tests for PKCS12 read operations + S8048618: Tests for PKCS12 write operations. + S8048619: Implement tests for converting PKCS12 keystores + S8048624: Tests for SealedObject + S8048819: Implement reliability test for DH algorithm + S8048820: Implement tests for SecretKeyFactory + S8048830: Implement tests for new functionality provided in JEP 166 + S8049237: Need new tests for X509V3 certificates + S8049321: Support SHA256WithDSA in JSSE + S8049429: Tests for java client server communications with various TLS/SSL combinations. 
+ S8049432: New tests for TLS property jdk.tls.client.protocols + S8049814: Additional SASL client-server tests + S8050281: New permission tests for JEP 140 + S8050370: Need new regressions tests for messageDigest with DigestIOStream + S8050371: More MessageDigest tests + S8050374: More Signature tests + S8050427: LoginContext tests to cover JDK-4703361 + S8050460: JAAS login/logout tests with LoginContext + S8050461: Tests for syntax checking of JAAS configuration file + S8054278: Refactor jps utility tests + S8055530: assert(_exits.control()->is_top() || !_gvn.type(ret_phi)->empty()) failed: return value must be well defined + S8055844: [TESTBUG] test/runtime/NMT/VirtualAllocCommitUncommitRecommit.java fails on Solaris Sparc due to incorrect page size being used + S8059677: Thread.getName() instantiates Strings + S8061464: A typo in CipherTestUtils test + S8062536: [TESTBUG] Conflicting GC combinations in jdk tests + S8065076: java/net/SocketPermission/SocketPermissionTest.java fails intermittently + S8065078: NetworkInterface.getNetworkInterfaces() triggers intermittent test failures + S8066871: java.lang.VerifyError: Bad local variable type - local final String + S8068427: Hashtable deserialization reconstitutes table with wrong capacity + S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be updated for JDK-8061210 + S8069253: javax/net/ssl/TLS/TestJSSE.java failed on Mac + S8071125: Improve exception messages in URLPermission + S8072081: Supplementary characters are rejected in comments + S8072463: Remove requirement that AKID and SKID have to match when building certificate chain + S8072725: Provide more granular levels for GC verification + S8073400: Some Monospaced logical fonts have a different width + S8073872: Schemagen fails with StackOverflowError if element references containing class + S8074931: Additional tests for CertPath API + S8075286: Additional tests for signature algorithm OIDs and transformation string + S8076486: [TESTBUG] 
javax/security/auth/Subject/doAs/NestedActions.java fails if extra VM options are given + S8076545: Text size is twice bigger under Windows L&F on Win 8.1 with HiDPI display + S8076995: gc/ergonomics/TestDynamicNumberOfGCThreads.java failed with java.lang.RuntimeException: 'new_active_workers' missing from stdout/stderr + S8079138: Additional negative tests for XML signature processing + S8081512: Remove sun.invoke.anon classes, or move / co-locate them with tests + S8081771: ProcessTool.createJavaProcessBuilder() needs new addTestVmAndJavaOptions argument + S8129419: heapDumper.cpp: assert(length_in_bytes > 0) failed: nothing to copy + S8130150: Implement BigInteger.montgomeryMultiply intrinsic + S8130242: DataFlavorComparator transitivity exception + S8130304: Inference: NodeNotFoundException thrown with deep generic method call chain + S8130425: libjvm crash due to stack overflow in executables with 32k tbss/tdata + S8133023: ParallelGCThreads is not calculated correctly + S8134111: Unmarshaller unmarshalls XML element which doesn't have the expected namespace + S8135259: InetAddress.getAllByName only reports "unknown error" instead of actual cause + S8136506: Include sun.arch.data.model as a property that can be queried by jtreg + S8137068: Tests added in JDK-8048604 fail to compile + S8139040: Fix initializations before ShouldNotReachHere() etc. and enable -Wuninitialized on linux. 
+ S8139581: AWT components are not drawn after removal and addition to a container + S8141243: Unexpected timezone returned after parsing a date + S8141420: Compiler runtime entries don't hold Klass* from being GCed + S8141445: Use of Solaris/SPARC M7 libadimalloc.so can generate unknown signal in hs_err file + S8141551: C2 can not handle returns with inccompatible interface arrays + S8143377: Test PKCS8Test.java fails + S8143647: Javac compiles method reference that allows results in an IllegalAccessError + S8144144: ORB destroy() leaks filedescriptors after unsuccessful connection + S8144593: Suppress not recognized property/feature warning messages from SAXParser + S8144957: Remove PICL warning message + S8145039: JAXB marshaller fails with ClassCastException on classes generated by xjc + S8145228: Java Access Bridge, getAccessibleStatesStringFromContext doesn't wrap the call to getAccessibleRole + S8145388: URLConnection.guessContentTypeFromStream returns image/jpg for some JPEG images + S8145974: XMLStreamWriter produces invalid XML for surrogate pairs on OutputStreamWriter + S8146035: Windows - With LCD antialiasing, some glyphs are not rendered correctly + S8146192: Add test for JDK-8049321 + S8146274: Thread spinning on WeakHashMap.getEntry() with concurrent use of nashorn + S8147468: Allow users to bound the size of buffers cached in the per-thread buffer caches + S8147645: get_ctrl_no_update() code is wrong + S8147807: crash in libkcms.so on linux-sparc + S8148379: jdk.nashorn.api.scripting spec. 
adjustments, clarifications + S8148627: RestrictTestMaxCachedBufferSize.java to 64-bit platforms + S8148820: Missing @since Javadoc tag in Logger.log(Level, Supplier) + S8148926: Call site profiling fails on braces-wrapped anonymous function + S8149017: Delayed provider selection broken in RSA client key exchange + S8149029: Secure validation of XML based digital signature always enabled when checking wrapping attacks + S8149330: Capacity of StringBuilder should not get close to Integer.MAX_VALUE unless necessary + S8149334: JSON.parse(JSON.stringify([])).push(10) creates an array containing two elements + S8149368: [hidpi] JLabel font is twice bigger than JTextArea font on Windows 7,HiDPI, Windows L&F + S8149411: PKCS12KeyStore cannot extract AES Secret Keys + S8149417: Use final restricted flag + S8149450: LdapCtx.processReturnCode() throwing Null Pointer Exception + S8149453: [hidpi] JFileChooser does not scale properly on Windows with HiDPI display and Windows L&F + S8149543: range check CastII nodes should not be split through Phi + S8149743: JVM crash after debugger hotswap with lambdas + S8149744: fix testng.jar delivery in Nashorn build.xml + S8149915: enabling validate-annotations feature for xsd schema with annotation causes NPE + S8150002: Check for the validity of oop before printing it in verify_remembered_set + S8150470: JCK: api/xsl/conf/copy/copy19 test failure + S8150518: G1 GC crashes at G1CollectedHeap::do_collection_pause_at_safepoint(double) + S8150533: Test java/util/logging/LogManagerAppContextDeadlock.java times out intermittently. 
   + S8150704: XALAN: ERROR: 'No more DTM IDs are available' when transforming with lots of temporary result trees
   + S8150780: Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError
   + S8151064: com/sun/jdi/RedefineAddPrivateMethod.sh fails intermittently
   + S8151197: [TEST_BUG] Need to backport fix for test/javax/net/ssl/TLS/TestJSSE.java
   + S8151352: jdk/test/sample fails with "effective library path is outside the test suite"
   + S8151431: DateFormatSymbols triggers this.clone() in the constructor
   + S8151535: TESTBUG: java/lang/invoke/AccessControlTest.java should be modified to run with JTREG 4.1 b13
   + S8151731: Add new jtreg keywords to jdk 8
   + S8151998: VS2010 ThemeReader.cpp(758) : error C3861: 'round': identifier not found
   + S8152927: Incorrect GPL header in StubFactoryDynamicBase.java reported
   + S8153252: SA: Hotspot build on Windows fails if make/closed folder does not exist
   + S8153531: Improve exception messaging for RSAClientKeyExchange
   + S8153641: assert(thread_state == _thread_in_native) failed: Assumed thread_in_native while heap dump
   + S8153673: [BACKOUT] JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command
   + S8154304: NullpointerException at LdapReferralException.getReferralContext
   + S8154722: Test gc/ergonomics/TestDynamicNumberOfGCThreads.java fails
   + S8157078: 8u102 L10n resource file updates
   + S8157838: Personalized Windows Font Size is not taken into account in Java8u102
   * Import of OpenJDK 8 u111 build 14
   + S6882559: new JEditorPane("text/plain","") fails for null context class loader
   + S8049171: Additional tests for jarsigner's warnings
   + S8063086: Math.pow yields different results upon repeated calls
   + S8140530: Creating a VolatileImage with size 0,0 results in no longer working g2d.drawString
   + S8142926: OutputAnalyzer's shouldXXX() calls return this
   + S8147077: IllegalArgumentException thrown by api/java_awt/Component/FlipBufferStrategy/indexTGF_General
   + S8148127: IllegalArgumentException thrown by JCK test api/java_awt/Component/FlipBufferStrategy/indexTGF_General in opengl pipeline
   + S8150611: Security problem on sun.misc.resources.Messages*
   + S8153399: Constrain AppCDS behavior (back port)
   + S8157653: [Parfait] Uninitialised variable in awt_Font.cpp
   + S8158734: JEditorPane.createEditorKitForContentType throws NPE after 6882559
   + S8158994: Service Menu services
   + S8159684: (tz) Support tzdata2016f
   + S8160904: Typo in code from 8079718 fix : enableCustomValueHanlde
   + S8160934: isnan() is not available on older MSVC compilers
   + S8161141: correct bugId for JDK-8158994 fix push
   + S8162411: Service Menu services 2
   + S8162419: closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing after JDK-8155968
   + S8162511: 8u111 L10n resource file updates
   + S8162792: Remove constraint DSA keySize < 1024 from jdk.jar.disabledAlgorithms in jdk8
   + S8164452: 8u111 L10n resource file update - msgdrop 20
   + S8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
   + S8166381: Back out changes to the java.security file to not disable MD5
   * Backports
   + S8078628, PR3208: Zero build fails with pre-compiled headers disabled
   + S8141491, PR3159, G592292: Unaligned memory access in Bits.c
   + S8157306, PR3121: Random infrequent null pointer exceptions in javac (enabled on AArch64 only)
   + S8162384, PR3122: Performance regression: bimorphic inlining may be bypassed by type speculation
   * Bug fixes
   + PR3123: Some object files built without -fPIC on x86 only
   + PR3126: pax-mark-vm script calls "exit -1" which is invalid in dash
   + PR3127, G590348: Only apply PaX markings by default on running PaX kernels
   + PR3199: Invalid nashorn URL
   + PR3201: Update infinality configure test
   + PR3218: PR3159 leads to build failure on clean tree
   * AArch64 port
   + S8131779, PR3220: AARCH64: add Montgomery multiply intrinsic
   + S8167200, PR3220: AArch64: Broken stack pointer adjustment in interpreter
   + S8167421, PR3220: AArch64: in one core system, fatal error: Illegal threadstate encountered
   + S8167595, PR3220: AArch64: SEGV in stub code cipherBlockChaining_decryptAESCrypt
   + S8168888, PR3220: Port 8160591: Improve internal array handling to AArch64.
   * Shenandoah
   + PR3224: Shenandoah broken when building without pre-compiled headers
   - Build against system kerberos
   - Build against system pcsc and sctp
   - S8158260, PR2991, RH1341258: PPC64: unaligned Unsafe.getInt can lead to the generation of illegal instructions (bsc#988651)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1683=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1683=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1683=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1683=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1683=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      java-1_8_0-openjdk-1.8.0.111-17.1
      java-1_8_0-openjdk-debuginfo-1.8.0.111-17.1
      java-1_8_0-openjdk-debugsource-1.8.0.111-17.1
      java-1_8_0-openjdk-demo-1.8.0.111-17.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.111-17.1
      java-1_8_0-openjdk-devel-1.8.0.111-17.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.111-17.1
      java-1_8_0-openjdk-headless-1.8.0.111-17.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.111-17.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      java-1_8_0-openjdk-1.8.0.111-17.1
      java-1_8_0-openjdk-debuginfo-1.8.0.111-17.1
      java-1_8_0-openjdk-debugsource-1.8.0.111-17.1
      java-1_8_0-openjdk-demo-1.8.0.111-17.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.111-17.1
      java-1_8_0-openjdk-devel-1.8.0.111-17.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.111-17.1
      java-1_8_0-openjdk-headless-1.8.0.111-17.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.111-17.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      java-1_8_0-openjdk-1.8.0.111-17.1
      java-1_8_0-openjdk-debuginfo-1.8.0.111-17.1
      java-1_8_0-openjdk-debugsource-1.8.0.111-17.1
      java-1_8_0-openjdk-demo-1.8.0.111-17.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.111-17.1
      java-1_8_0-openjdk-devel-1.8.0.111-17.1
      java-1_8_0-openjdk-headless-1.8.0.111-17.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.111-17.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      java-1_8_0-openjdk-1.8.0.111-17.1
      java-1_8_0-openjdk-debuginfo-1.8.0.111-17.1
      java-1_8_0-openjdk-debugsource-1.8.0.111-17.1
      java-1_8_0-openjdk-headless-1.8.0.111-17.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.111-17.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      java-1_8_0-openjdk-1.8.0.111-17.1
      java-1_8_0-openjdk-debuginfo-1.8.0.111-17.1
      java-1_8_0-openjdk-debugsource-1.8.0.111-17.1
      java-1_8_0-openjdk-headless-1.8.0.111-17.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.111-17.1

References:

   https://www.suse.com/security/cve/CVE-2016-5542.html
   https://www.suse.com/security/cve/CVE-2016-5554.html
   https://www.suse.com/security/cve/CVE-2016-5556.html
   https://www.suse.com/security/cve/CVE-2016-5568.html
   https://www.suse.com/security/cve/CVE-2016-5573.html
   https://www.suse.com/security/cve/CVE-2016-5582.html
   https://www.suse.com/security/cve/CVE-2016-5597.html
   https://bugzilla.suse.com/1005522
   https://bugzilla.suse.com/1005523
   https://bugzilla.suse.com/1005524
   https://bugzilla.suse.com/1005525
   https://bugzilla.suse.com/1005526
   https://bugzilla.suse.com/1005527
   https://bugzilla.suse.com/1005528
   https://bugzilla.suse.com/988651

From sle-security-updates at lists.suse.com Wed Nov 23 11:07:14 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 23 Nov 2016 19:07:14 +0100 (CET)
Subject: SUSE-SU-2016:2891-1: moderate: Security update for sudo
Message-ID: <20161123180714.5F5BDFFC3@maintenance.suse.de>

   SUSE Security Update: Security update for sudo
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2891-1
Rating:             moderate
References:         #1007501 #1007766 #1008043 #948973 #966755
Cross-References:   CVE-2016-7032 CVE-2016-7076
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves two vulnerabilities and has three fixes is now available.

Description:

   This update for sudo fixes the following issues:

   - Fix two security vulnerabilities that allowed users to bypass sudo's NOEXEC functionality:
     * noexec bypass via system() and popen() [CVE-2016-7032, bsc#1007766]
     * noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501]
   - The SSSD plugin would occasionally crash sudo with an "internal error". This issue has been fixed. [bsc#948973]
   - The SSSD plugin would occasionally apply @netgroups rules from LDAP to all users rather than the @netgroup. This issue is now fixed. [bsc#966755]
   - When the SSSD plugin was used and a local user ran sudo, an e-mail used to be sent to the administrator because SSSD did not support sudo rules for local users. This message did not signify an error; it was only noise. [bsc#1008043]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-sudo-12852=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-sudo-12852=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      sudo-1.7.6p2-0.29.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      sudo-debuginfo-1.7.6p2-0.29.1
      sudo-debugsource-1.7.6p2-0.29.1

References:

   https://www.suse.com/security/cve/CVE-2016-7032.html
   https://www.suse.com/security/cve/CVE-2016-7076.html
   https://bugzilla.suse.com/1007501
   https://bugzilla.suse.com/1007766
   https://bugzilla.suse.com/1008043
   https://bugzilla.suse.com/948973
   https://bugzilla.suse.com/966755

From sle-security-updates at lists.suse.com Wed Nov 23 11:09:10 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 23 Nov 2016 19:09:10 +0100 (CET)
Subject: SUSE-SU-2016:2893-1: moderate: Security update for sudo
Message-ID: <20161123180910.47F58FFC0@maintenance.suse.de>

   SUSE Security Update: Security update for sudo
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2893-1
Rating:             moderate
References:         #1007501 #1007766
Cross-References:   CVE-2016-7032 CVE-2016-7076
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for sudo fixes the following issues:

   - Fix two security vulnerabilities that allowed users to bypass sudo's NOEXEC functionality:
     * noexec bypass via system() and popen() [CVE-2016-7032, bsc#1007766]
     * noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1686=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1686=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1686=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1686=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      sudo-debuginfo-1.8.10p3-8.1
      sudo-debugsource-1.8.10p3-8.1
      sudo-devel-1.8.10p3-8.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      sudo-1.8.10p3-8.1
      sudo-debuginfo-1.8.10p3-8.1
      sudo-debugsource-1.8.10p3-8.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      sudo-1.8.10p3-8.1
      sudo-debuginfo-1.8.10p3-8.1
      sudo-debugsource-1.8.10p3-8.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      sudo-1.8.10p3-8.1
      sudo-debuginfo-1.8.10p3-8.1
      sudo-debugsource-1.8.10p3-8.1

References:

   https://www.suse.com/security/cve/CVE-2016-7032.html
   https://www.suse.com/security/cve/CVE-2016-7076.html
   https://bugzilla.suse.com/1007501
   https://bugzilla.suse.com/1007766

From sle-security-updates at lists.suse.com Thu Nov 24 04:08:38 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Nov 2016 12:08:38 +0100 (CET)
Subject: SUSE-SU-2016:2894-1: Security update for GraphicsMagick
Message-ID: <20161124110838.71A14FFC3@maintenance.suse.de>

   SUSE Security Update: Security update for GraphicsMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2894-1
Rating:             low
References:         #1007245
Cross-References:   CVE-2016-8862
Affected Products:
                    SUSE Studio Onsite 1.3
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for GraphicsMagick fixes the following issues:

   - Memory allocation failure in AcquireMagickMemory (CVE-2016-8862) [bsc#1007245]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-GraphicsMagick-12853=1

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-GraphicsMagick-12853=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-GraphicsMagick-12853=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Studio Onsite 1.3 (x86_64):

      GraphicsMagick-1.2.5-4.52.1
      libGraphicsMagick2-1.2.5-4.52.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      GraphicsMagick-1.2.5-4.52.1
      libGraphicsMagick2-1.2.5-4.52.1
      perl-GraphicsMagick-1.2.5-4.52.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      GraphicsMagick-debuginfo-1.2.5-4.52.1
      GraphicsMagick-debugsource-1.2.5-4.52.1

References:

   https://www.suse.com/security/cve/CVE-2016-8862.html
   https://bugzilla.suse.com/1007245

From sle-security-updates at lists.suse.com Thu Nov 24 04:09:09 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Nov 2016 12:09:09 +0100 (CET)
Subject: SUSE-SU-2016:2895-1: moderate: Security update for tar
Message-ID: <20161124110909.1A243FFC3@maintenance.suse.de>

   SUSE Security Update: Security update for tar
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2895-1
Rating:             moderate
References:         #1007188
Cross-References:   CVE-2016-6321
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for tar fixes the following issues:

   - Fix the POINTYFEATHER vulnerability - GNU tar archiver can be tricked into extracting files and directories in the given destination, regardless of the path name(s) specified on the command line [bsc#1007188] [CVE-2016-6321]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-tar-12854=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-tar-12854=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      tar-1.26-1.2.10.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      tar-debuginfo-1.26-1.2.10.1
      tar-debugsource-1.26-1.2.10.1

References:

   https://www.suse.com/security/cve/CVE-2016-6321.html
   https://bugzilla.suse.com/1007188

From sle-security-updates at lists.suse.com Thu Nov 24 04:09:33 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Nov 2016 12:09:33 +0100 (CET)
Subject: SUSE-SU-2016:2896-1: moderate: Security update for tar
Message-ID: <20161124110933.CAA7AFFC0@maintenance.suse.de>

   SUSE Security Update: Security update for tar
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2896-1
Rating:             moderate
References:         #1007188 #913058
Cross-References:   CVE-2016-6321
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for tar fixes the following issues:

   - Fix the POINTYFEATHER vulnerability - GNU tar archiver can be tricked into extracting files and directories in the given destination, regardless of the path name(s) specified on the command line [bsc#1007188] [CVE-2016-6321]
   - Fix Amanda integration issue (bsc#913058)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1690=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1690=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1690=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1690=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1690=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      tar-1.27.1-11.1
      tar-debuginfo-1.27.1-11.1
      tar-debugsource-1.27.1-11.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):

      tar-lang-1.27.1-11.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      tar-1.27.1-11.1
      tar-debuginfo-1.27.1-11.1
      tar-debugsource-1.27.1-11.1

   - SUSE Linux Enterprise Server 12-SP2 (noarch):

      tar-lang-1.27.1-11.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      tar-1.27.1-11.1
      tar-debuginfo-1.27.1-11.1
      tar-debugsource-1.27.1-11.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      tar-lang-1.27.1-11.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      tar-1.27.1-11.1
      tar-debuginfo-1.27.1-11.1
      tar-debugsource-1.27.1-11.1

   - SUSE Linux Enterprise Desktop 12-SP2 (noarch):

      tar-lang-1.27.1-11.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      tar-1.27.1-11.1
      tar-debuginfo-1.27.1-11.1
      tar-debugsource-1.27.1-11.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      tar-lang-1.27.1-11.1

References:

   https://www.suse.com/security/cve/CVE-2016-6321.html
   https://bugzilla.suse.com/1007188
   https://bugzilla.suse.com/913058

From sle-security-updates at lists.suse.com Thu Nov 24 10:07:32 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Nov 2016 18:07:32 +0100 (CET)
Subject: SUSE-SU-2016:2898-1: moderate: Security update for nodejs4
Message-ID: <20161124170732.EC3F0FFC3@maintenance.suse.de>

   SUSE Security Update: Security update for nodejs4
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2898-1
Rating:             moderate
References:         #1007728 #1009011
Cross-References:   CVE-2016-5180
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for nodejs4 fixes the following issues:

   Security issues fixed:

   - CVE-2016-5180: c-ares: Fix for single-byte buffer overwrite (bsc#1007728).

   Bug fixes:

   - bsc#1009011: npm4 should provide versioned nodejs-npm and npm allowing nodejs-packaging to continue to function properly in Leap 42.2

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1694=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le x86_64):

      nodejs4-4.6.1-11.1
      nodejs4-debuginfo-4.6.1-11.1
      nodejs4-debugsource-4.6.1-11.1
      nodejs4-devel-4.6.1-11.1
      npm4-4.6.1-11.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      nodejs4-docs-4.6.1-11.1

References:

   https://www.suse.com/security/cve/CVE-2016-5180.html
   https://bugzilla.suse.com/1007728
   https://bugzilla.suse.com/1009011

From sle-security-updates at lists.suse.com Thu Nov 24 10:10:21 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Nov 2016 18:10:21 +0100 (CET)
Subject: SUSE-SU-2016:2902-1: important: Security update for kvm
Message-ID: <20161124171021.230D6FFC0@maintenance.suse.de>

   SUSE Security Update: Security update for kvm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2902-1
Rating:             important
References:         #1001151 #1002550 #1002557 #1003878 #1003893 #1003894
                    #1004702 #1004707 #1006536 #1006538 #1007391 #1007450
                    #1007454 #1007493 #1007494 #1007495 #998516
Cross-References:   CVE-2016-7161 CVE-2016-7170 CVE-2016-7908 CVE-2016-7909
                    CVE-2016-8576 CVE-2016-8577 CVE-2016-8578 CVE-2016-8667
                    CVE-2016-8669 CVE-2016-8909 CVE-2016-8910 CVE-2016-9101
                    CVE-2016-9102 CVE-2016-9103 CVE-2016-9104 CVE-2016-9105
                    CVE-2016-9106
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.
Description:

   This update for kvm fixes the following issues:

   - Address various security/stability issues
     * Fix OOB access in xlnx.xps-ethernetlite emulation (CVE-2016-7161 bsc#1001151)
     * Fix OOB access in VMware SVGA emulation (CVE-2016-7170 bsc#998516)
     * Fix DOS in ColdFire Fast Ethernet Controller emulation (CVE-2016-7908 bsc#1002550)
     * Fix DOS in USB xHCI emulation (CVE-2016-8576 bsc#1003878)
     * Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)
     * Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)
     * Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)
     * Plug data leak in virtio-9pfs interface (CVE-2016-9103 bsc#1007454)
     * Fix DOS in virtio-9pfs interface (CVE-2016-9102 bsc#1007450)
     * Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)
     * Fix DOS in 16550A UART emulation (CVE-2016-8669 bsc#1004707)
     * Fix DOS in PC-Net II emulation (CVE-2016-7909 bsc#1002557)
     * Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)
     * Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)
     * Fix DOS in Intel HDA controller emulation (CVE-2016-8909 bsc#1006536)
     * Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)
     * Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667 bsc#1004702)
   - Patch queue updated from https://gitlab.suse.de/virtualization/qemu.git SLE11-SP4
   - Remove the semi-contradictory, and now known to be erroneous, statement in kvm-supported.txt advising against running ntp in a kvm guest when kvm-clock is used. Running ntp in the guest is now recommended in this case.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-kvm-12855=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 s390x x86_64):

      kvm-1.4.2-50.1

References:

   https://www.suse.com/security/cve/CVE-2016-7161.html
   https://www.suse.com/security/cve/CVE-2016-7170.html
   https://www.suse.com/security/cve/CVE-2016-7908.html
   https://www.suse.com/security/cve/CVE-2016-7909.html
   https://www.suse.com/security/cve/CVE-2016-8576.html
   https://www.suse.com/security/cve/CVE-2016-8577.html
   https://www.suse.com/security/cve/CVE-2016-8578.html
   https://www.suse.com/security/cve/CVE-2016-8667.html
   https://www.suse.com/security/cve/CVE-2016-8669.html
   https://www.suse.com/security/cve/CVE-2016-8909.html
   https://www.suse.com/security/cve/CVE-2016-8910.html
   https://www.suse.com/security/cve/CVE-2016-9101.html
   https://www.suse.com/security/cve/CVE-2016-9102.html
   https://www.suse.com/security/cve/CVE-2016-9103.html
   https://www.suse.com/security/cve/CVE-2016-9104.html
   https://www.suse.com/security/cve/CVE-2016-9105.html
   https://www.suse.com/security/cve/CVE-2016-9106.html
   https://bugzilla.suse.com/1001151
   https://bugzilla.suse.com/1002550
   https://bugzilla.suse.com/1002557
   https://bugzilla.suse.com/1003878
   https://bugzilla.suse.com/1003893
   https://bugzilla.suse.com/1003894
   https://bugzilla.suse.com/1004702
   https://bugzilla.suse.com/1004707
   https://bugzilla.suse.com/1006536
   https://bugzilla.suse.com/1006538
   https://bugzilla.suse.com/1007391
   https://bugzilla.suse.com/1007450
   https://bugzilla.suse.com/1007454
   https://bugzilla.suse.com/1007493
   https://bugzilla.suse.com/1007494
   https://bugzilla.suse.com/1007495
   https://bugzilla.suse.com/998516

From sle-security-updates at lists.suse.com Thu Nov 24 10:14:26 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Nov 2016 18:14:26 +0100 (CET)
Subject: SUSE-SU-2016:2904-1: moderate: Security update for sudo
Message-ID: <20161124171426.5E053FFC3@maintenance.suse.de>

   SUSE Security Update: Security update for sudo
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2904-1
Rating:             moderate
References:         #1007501 #1007766 #899252 #917806 #979531
Cross-References:   CVE-2014-9680 CVE-2016-7032 CVE-2016-7076
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves three vulnerabilities and has two fixes is now available.

Description:

   This update for sudo fixes the following security issues:

   - Fix two security vulnerabilities that allowed users to bypass sudo's NOEXEC functionality:
     * noexec bypass via system() and popen() [CVE-2016-7032, bsc#1007766]
     * noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501]
   - Fix unsafe handling of TZ environment variable. [CVE-2014-9680, bsc#917806]

   Additionally, these non-security fixes are included in the update:

   - Fix "ignoring time stamp from the future" message after each boot with !tty_tickets. [bsc#899252]
   - Enable support for SASL-based authentication. [bsc#979531]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1692=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1692=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1692=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      sudo-debuginfo-1.8.10p3-2.6.1
      sudo-debugsource-1.8.10p3-2.6.1
      sudo-devel-1.8.10p3-2.6.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      sudo-1.8.10p3-2.6.1
      sudo-debuginfo-1.8.10p3-2.6.1
      sudo-debugsource-1.8.10p3-2.6.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      sudo-1.8.10p3-2.6.1
      sudo-debuginfo-1.8.10p3-2.6.1
      sudo-debugsource-1.8.10p3-2.6.1

References:

   https://www.suse.com/security/cve/CVE-2014-9680.html
   https://www.suse.com/security/cve/CVE-2016-7032.html
   https://www.suse.com/security/cve/CVE-2016-7076.html
   https://bugzilla.suse.com/1007501
   https://bugzilla.suse.com/1007766
   https://bugzilla.suse.com/899252
   https://bugzilla.suse.com/917806
   https://bugzilla.suse.com/979531

From sle-security-updates at lists.suse.com Fri Nov 25 08:07:25 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 25 Nov 2016 16:07:25 +0100 (CET)
Subject: SUSE-SU-2016:2911-1: moderate: Security update for libarchive
Message-ID: <20161125150725.506C4FFD3@maintenance.suse.de>

   SUSE Security Update: Security update for libarchive
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2911-1
Rating:             moderate
References:         #1005070 #1005072 #1005076 #986566 #989980 #998677
Cross-References:   CVE-2015-2304 CVE-2016-5418 CVE-2016-5844 CVE-2016-6250
                    CVE-2016-8687 CVE-2016-8688 CVE-2016-8689
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.
Description:

   This update for libarchive fixes several issues.

   These security issues were fixed:

   - CVE-2016-8687: Buffer overflow when printing a filename (bsc#1005070).
   - CVE-2016-8689: Heap overflow when reading corrupted 7Zip files (bsc#1005072).
   - CVE-2016-8688: Use after free because of incorrect calculation in next_line (bsc#1005076).
   - CVE-2016-5844: Integer overflow in the ISO parser in libarchive allowed remote attackers to cause a denial of service (application crash) via a crafted ISO file (bsc#986566).
   - CVE-2016-6250: Integer overflow in the ISO9660 writer in libarchive allowed remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow (bsc#989980).
   - CVE-2016-5418: The sandboxing code in libarchive mishandled hardlink archive entries of non-zero data size, which might have allowed remote attackers to write to arbitrary files via a crafted archive file (bsc#998677).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1698=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1698=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1698=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1698=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1698=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1698=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1698=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      libarchive-debugsource-3.1.2-25.1
      libarchive-devel-3.1.2-25.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libarchive-debugsource-3.1.2-25.1
      libarchive-devel-3.1.2-25.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libarchive-debugsource-3.1.2-25.1
      libarchive13-3.1.2-25.1
      libarchive13-debuginfo-3.1.2-25.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      libarchive-debugsource-3.1.2-25.1
      libarchive13-3.1.2-25.1
      libarchive13-debuginfo-3.1.2-25.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libarchive-debugsource-3.1.2-25.1
      libarchive13-3.1.2-25.1
      libarchive13-debuginfo-3.1.2-25.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libarchive-debugsource-3.1.2-25.1
      libarchive13-3.1.2-25.1
      libarchive13-debuginfo-3.1.2-25.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libarchive-debugsource-3.1.2-25.1
      libarchive13-3.1.2-25.1
      libarchive13-debuginfo-3.1.2-25.1

References:

   https://www.suse.com/security/cve/CVE-2015-2304.html
   https://www.suse.com/security/cve/CVE-2016-5418.html
   https://www.suse.com/security/cve/CVE-2016-5844.html
   https://www.suse.com/security/cve/CVE-2016-6250.html
   https://www.suse.com/security/cve/CVE-2016-8687.html
   https://www.suse.com/security/cve/CVE-2016-8688.html
   https://www.suse.com/security/cve/CVE-2016-8689.html
   https://bugzilla.suse.com/1005070
   https://bugzilla.suse.com/1005072
   https://bugzilla.suse.com/1005076
   https://bugzilla.suse.com/986566
   https://bugzilla.suse.com/989980
   https://bugzilla.suse.com/998677

From sle-security-updates at lists.suse.com Fri Nov 25 09:07:34 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 25 Nov 2016 17:07:34 +0100 (CET)
Subject: SUSE-SU-2016:2912-1: important: Security update for the Linux Kernel
Message-ID: <20161125160734.939AA10040@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2912-1
Rating:             important
References:         #1000189 #1000287 #1000304 #1000776 #1001419 #1001486
                    #1002165 #1003079 #1003153 #1003400 #1003568 #1003866
                    #1003925 #1003964 #1004252 #1004462 #1004517 #1004520
                    #1005666 #1006691 #1007615 #1007886 #744692 #772786
                    #789311 #857397 #860441 #865545 #866130 #868923 #874131
                    #876463 #898675 #904489 #909994 #911687 #915183 #921338
                    #921784 #922064 #922634 #924381 #924384 #930399 #931454
                    #934067 #937086 #937888 #940545 #941420 #946309 #955446
                    #956514 #959463 #961257 #962846 #966864 #967640 #970943
                    #971975 #971989 #974406 #974620 #975596 #975772 #976195
                    #977687 #978094 #979451 #979928 #982783 #983619 #984194
                    #984419 #984779 #984992 #985562 #986445 #987192 #987333
                    #987542 #987565 #987621 #987805 #988440 #988617 #988715
                    #989152 #989953 #990245 #991247 #991608 #991665 #992244
                    #992555 #992591 #992593 #992712 #993392 #993841 #993890
                    #993891 #994296 #994438 #994520 #994748 #995153 #995968
                    #996664 #997059 #997299 #997708 #997896 #998689 #998795
                    #998825 #999577 #999584 #999600 #999779 #999907 #999932
Cross-References:   CVE-2015-8956 CVE-2016-5696 CVE-2016-6130 CVE-2016-6327
                    CVE-2016-6480 CVE-2016-6828 CVE-2016-7042 CVE-2016-7097
                    CVE-2016-7425 CVE-2016-8658 CVE-2016-8666
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE Linux Enterprise Live Patching 12
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves 11 vulnerabilities and has 111 fixes is now available.

Description:

   The SUSE Linux Enterprise 12 kernel was updated to 3.12.67 to receive various security and bug fixes.
The following security bugs were fixed:

- CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel used an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bsc#1004517).
- CVE-2016-7097: The filesystem implementation in the Linux kernel preserved the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bsc#995968).
- CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925).
- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack (bnc#989152).
- CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by changing a certain length value, aka a "double fetch" vulnerability (bnc#987542).
- CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation (bnc#994748).
- CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability (bnc#991608).
- CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296).
- CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).
- CVE-2016-8658: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket (bnc#1004462).
- CVE-2016-8666: The IP stack in the Linux kernel allowed remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039 (bsc#1001486).

The following non-security bugs were fixed:

- aacraid: Fix RRQ overload (bsc#1003079).
- acpi / PM: Ignore wakeup setting if the ACPI companion can't wake up (FATE#315621).
- AF_VSOCK: Shrink the area influenced by prepare_to_wait (bsc#994520).
- apparmor: add missing id bounds check on dfa verification (bsc#1000304).
- apparmor: check that xindex is in trans_table bounds (bsc#1000304).
- apparmor: do not expose kernel stack (bsc#1000304).
- apparmor: don't check for vmalloc_addr if kvzalloc() failed (bsc#1000304).
- apparmor: ensure the target profile name is always audited (bsc#1000304).
- apparmor: exec should not be returning ENOENT when it denies (bsc#1000304).
- apparmor: fix arg_size computation for when setprocattr is null terminated (bsc#1000304).
- apparmor: fix audit full profile hname on successful load (bsc#1000304).
- apparmor: fix change_hat not finding hat after policy replacement (bsc#1000287).
- apparmor: fix disconnected bind mnts reconnection (bsc#1000304).
- apparmor: fix log failures for all profiles in a set (bsc#1000304).
- apparmor: fix module parameters can be changed after policy is locked (bsc#1000304).
- apparmor: fix oops in profile_unpack() when policy_db is not present (bsc#1000304).
- apparmor: fix oops, validate buffer size in apparmor_setprocattr() (bsc#1000304).
- apparmor: fix put() parent ref after updating the active ref (bsc#1000304).
- apparmor: fix refcount bug in profile replacement (bsc#1000304).
- apparmor: fix refcount race when finding a child profile (bsc#1000304).
- apparmor: fix replacement bug that adds new child to old parent (bsc#1000304).
- apparmor: fix uninitialized lsm_audit member (bsc#1000304).
- apparmor: fix update the mtime of the profile file on replacement (bsc#1000304).
- apparmor: internal paths should be treated as disconnected (bsc#1000304).
- apparmor: use list_next_entry instead of list_entry_next (bsc#1000304).
- arm64: Ensure pmd_present() returns false after pmd_mknotpresent() (Automatic NUMA Balancing (fate#315482)).
- arm64: mm: remove broken &= operator from pmd_mknotpresent (Automatic NUMA Balancing (fate#315482)).
- avoid dentry crash triggered by NFS (bsc#984194).
- be2net: Don't leak iomapped memory on removal (bsc#921784).
- be2net: fix BE3-R FW download compatibility check (bsc#921784).
- be2net: fix wrong return value in be_check_ufi_compatibility() (bsc#921784).
- be2net: remove vlan promisc capability from VF's profile descriptors (bsc#921784).
- blkfront: fix an error path memory leak (luckily none so far).
- blk-mq: fix undefined behaviour in order_to_size() (fate#315209).
- blktap2: eliminate deadlock potential from shutdown path (bsc#909994).
- blktap2: eliminate race from deferred work queue handling (bsc#911687).
- bond: Check length of IFLA_BOND_ARP_IP_TARGET attributes (fate#316924).
- bonding: always set recv_probe to bond_arp_rcv in arp monitor (bsc#977687).
- bonding: fix curr_active_slave/carrier with loadbalance arp monitoring (fate#316924).
- bonding: Prevent IPv6 link local address on enslaved devices (fate#316924).
- bonding: prevent out of bound accesses (fate#316924).
- bonding: set carrier off for devices created through netlink (bsc#999577).
- btrfs: account for non-CoW'd blocks in btrfs_abort_transaction (bsc#983619).
- btrfs: add missing discards when unpinning extents with -o discard (bsc#904489).
- btrfs: btrfs_issue_discard ensure offset/length are aligned to sector boundaries (bsc#904489).
- btrfs: do not create or leak aliased root while cleaning up orphans (bsc#904489).
- btrfs: ensure that file descriptor used with subvol ioctls is a dir (bsc#999600).
- btrfs: explicitly delete unused block groups in close_ctree and ro-remount (bsc#904489).
- btrfs: Fix a data space underflow warning (bsc#985562, bsc#975596, bsc#984779)
- btrfs: fix fitrim discarding device area reserved for boot loader's use (bsc#904489).
- btrfs: handle quota reserve failure properly (bsc#1005666).
- btrfs: iterate over unused chunk space in FITRIM (bsc#904489).
- btrfs: make btrfs_issue_discard return bytes discarded (bsc#904489).
- btrfs: properly track when rescan worker is running (bsc#989953).
- btrfs: remove unnecessary locking of cleaner_mutex to avoid deadlock (bsc#904489).
- btrfs: reorder patches to place local patches back at the end of the series
- btrfs: skip superblocks during discard (bsc#904489).
- btrfs: test_check_exists: Fix infinite loop when searching for free space entries (bsc#987192).
- btrfs: waiting on qgroup rescan should not always be interruptible (bsc#992712).
- cdc-acm: added sanity checking for probe() (bsc#993891).
- ceph: After a write, we must free the 'request', not the 'response'. This error crept in during the backport. bsc#995153
- cephfs: ignore error from invalidate_inode_pages2_range() in direct write (bsc#995153).
- cephfs: remove warning when ceph_releasepage() is called on dirty page (bsc#995153).
- clockevents: export clockevents_unbind_device instead of clockevents_unbind (bnc#937888).
- conntrack: RFC5961 challenge ACK confuse conntrack LAST-ACK transition (bsc#966864).
- cpumask, nodemask: implement cpumask/nodemask_pr_args() (bnc#1003866).
- cxgbi: fix uninitialized flowi6 (bsc#924384 FATE#318570 bsc#921338).
- dm: fix AB-BA deadlock in __dm_destroy(). (bsc#970943)
- Document the process to blacklist upstream commit-ids
- drivers/hv: share Hyper-V SynIC constants with userspace (bnc#937888).
- drivers: hv: vmbus: avoid scheduling in interrupt context in vmbus_initiate_unload() (bnc#937888).
- drivers: hv: vmbus: avoid unneeded compiler optimizations in vmbus_wait_for_unload() (bnc#937888).
- drivers: hv: vmbus: avoid wait_for_completion() on crash (bnc#937888).
- drivers: hv: vmbus: Cleanup vmbus_set_event() (bnc#937888).
- drivers: hv: vmbus: do not lose HVMSG_TIMER_EXPIRED messages (bnc#937888).
- drivers: hv: vmbus: do not manipulate with clocksources on crash (bnc#937888).
- drivers: hv: vmbus: Force all channel messages to be delivered on CPU 0 (bnc#937888).
- drivers: hv: vmbus: Get rid of the unused irq variable (bnc#937888).
- drivers: hv: vmbus: handle various crash scenarios (bnc#937888).
- drivers: hv: vmbus: remove code duplication in message handling (bnc#937888).
- drivers: hv: vmbus: Support handling messages on multiple CPUs (bnc#937888).
- drivers: hv: vmbus: Support kexec on ws2012 r2 and above (bnc#937888).
- efi: Small leak on error in runtime map code (fate#315019).
- ext2: Enable ext2 driver in config files (bsc#976195, fate#320805)
- ext4: Add parameter for tuning handling of ext2 (bsc#976195).
- ext4: Fixup handling for custom configs.
- fs/select: add vmalloc fallback for select(2) (bsc#1000189).
- ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it (bsc#984419).
- hyperv: enable call to clockevents_unbind_device in kexec/kdump path
- hyperv: replace KEXEC_CORE by plain KEXEC because we lack 2965faa5e0 in the base kernel
- i40e: fix an uninitialized variable bug (bnc#857397 FATE#315659).
- ib/iwpm: Fix a potential skb leak (bsc#924381 FATE#318568 bsc#921338).
- ib/mlx5: Fix RC transport send queue overhead computation (bnc#865545 FATE#316891).
- input: Revert "can: dev: fix deadlock reported after bus-off".
- input: Revert "Input: i8042 - break load dependency between atkbd/psmouse and i8042".
- input: Revert "Input: i8042 - set up shared ps2_cmd_mutex for AUX ports".
- introduce NETIF_F_GSO_ENCAP_ALL helper mask (bsc#1001486).
- iommu/amd: Update Alias-DTE in update_device_table() (bsc#975772).
- ipv6: Fix improper use of RCU (bsc#961257)
- ipv6: fix multipath route replace error recovery (bsc#930399).
- ipv6: KABI workaround for ipv6: add complete rcu protection around np->opt.
- ipv6: send NEWLINK on RA managed/otherconf changes (bsc#934067).
- ipv6: send only one NEWLINK when RA causes changes (bsc#934067).
- iscsi: Add a missed complete in iscsit_close_connection (bsc#992555, bsc#987805).
- iwlwifi: dvm: fix flush support for old firmware (bsc#940545).
- kabi: clockevents: export clockevents_unbind again.
- kabi: Fix kabi change caused by adding flock_owner to open_context (bsc#998689).
- kabi: hide harmless change in struct inet_connection_sock (fate#318553).
- kABI: protect backing-dev include in mm/migrate.
- kABI: protect enum usb_device_speed.
- kABI: protect struct mlx5_modify_qp_mbox_in.
- kabi: work around kabi changes from commit 53f9ff48f636 (bsc#988617).
- kaweth: fix firmware download (bsc#993890).
- kaweth: fix oops upon failed memory allocation (bsc#993890).
- kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd (bnc#941420).
- kernel/printk/printk.c: fix faulty logic in the case of recursive printk (bnc#744692, bnc#789311).
- kvm: do not handle APIC access page if in-kernel irqchip is not in use (bsc#959463).
- kvm: vmx: defer load of APIC access page address during reset (bsc#959463).
- libceph: enable large, variable-sized OSD requests (bsc#988715).
- libceph: make r_request msg_size calculation clearer (bsc#988715).
- libceph: move r_reply_op_{len,result} into struct ceph_osd_req_op (bsc#988715).
- libceph: osdc->req_mempool should be backed by a slab pool (bsc#988715).
- libceph: rename ceph_osd_req_op::payload_len to indata_len (bsc#988715).
- libfc: do not send ABTS when resetting exchanges (bsc#962846).
- libfc: Do not take rdata->rp_mutex when processing a -FC_EX_CLOSED ELS response (bsc#962846).
- libfc: Fixup disc_mutex handling (bsc#962846).
- libfc: fixup locking of ptp_setup() (bsc#962846).
- libfc: Issue PRLI after a PRLO has been received (bsc#962846).
- libfc: reset exchange manager during LOGO handling (bsc#962846).
- libfc: Revisit kref handling (bnc#990245).
- libfc: sanity check cpu number extracted from xid (bsc#988440).
- libfc: send LOGO for PLOGI failure (bsc#962846).
- lib/vsprintf: implement bitmap printing through '%*pb[l]' (bnc#1003866).
- md: check command validity early in md_ioctl() (bsc#1004520).
- md: Drop sending a change uevent when stopping (bsc#1003568).
- md: lockless I/O submission for RAID1 (bsc#982783).
- md/raid5: fix a recently broken BUG_ON() (bsc#1006691).
- memcg: convert threshold to bytes (bnc#931454).
- memcg: fix thresholds for 32b architectures (bnc#931454).
- mm, cma: prevent nr_isolated_* counters from going negative (bnc#971975 VM performance -- git fixes).
- mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED (VM Functionality, bnc#986445).
- module: Issue warnings when tainting kernel (bsc#974406).
- mpt2sas, mpt3sas: Fix panic when aer correct error occurred (bsc#997708).
- MSI-X: fix an error path (luckily none so far).
- netback: fix flipping mode (bsc#996664).
- netback: fix refcounting (bsc#978094).
- netfront: don't truncate grant references.
- netfront: use correct linear area after linearizing an skb (bsc#1007886).
- nfs4: reset states to use open_stateid when returning delegation voluntarily (bsc#1003400).
- nfs: Add a stub for GETDEVICELIST (bnc#898675).
- nfs: Do not write enable new pages while an invalidation is proceeding (bsc#999584).
- nfsd: Use free_conn to free connection (bsc#979451).
- nfs: Fix a LOCK/OPEN race when unlinking an open file (bsc#956514).
- nfs: Fix a regression in the read() syscall (bsc#999584).
- nfs: fix BUG() crash in notify_change() with patch to chown_common() (bnc#876463).
- nfs: fix pg_test page count calculation (bnc#898675).
- nfs: nfs4_fl_prepare_ds must be careful about reporting success (bsc#1000776).
- nfsv4: add flock_owner to open context (bnc#998689).
- nfsv4: change nfs4_do_setattr to take an open_context instead of a nfs4_state (bnc#998689).
- nfsv4: change nfs4_select_rw_stateid to take a lock_context in place of lock_owner (bnc#998689).
- nfsv4: enhance nfs4_copy_lock_stateid to use a flock stateid if there is one (bnc#998689).
- nfsv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT (bnc#866130).
- oom: print nodemask in the oom report (bnc#1003866).
- packet: tpacket_snd(): fix signed/unsigned comparison (bsc#874131).
- perf/x86/intel: Fix bug for "cycles:p" and "cycles:pp" on SLM (bsc#997896).
- pm / hibernate: Fix 2G size issue of snapshot image verification (bsc#1004252).
- pm / hibernate: Fix rtree_next_node() to avoid walking off list ends (bnc#860441).
- powerpc: add kernel parameter iommu_alloc_quiet (bsc#998825).
- printk: add kernel parameter to control writes to /dev/kmsg (bsc#979928).
- qgroup: Prevent qgroup->reserved from going subzero (bsc#993841).
- qlcnic: potential NULL dereference in qlcnic_83xx_get_minidump_template() (bsc#922064 FATE#318609)
- radeon: avoid boot hang in Xen Dom0 (luckily none so far).
- ratelimit: extend to print suppressed messages on release (bsc#979928).
- ratelimit: fix bug in time interval by resetting right begin time (bsc#979928).
- rbd: truncate objects on cmpext short reads (bsc#988715).
- rpm/config.sh: Set the SP1 release string to 60. (bsc#997059)
- rpm/mkspec: Read a default release string from rpm/config.sh (bsc#997059)
- rtnetlink: avoid 0 sized arrays (fate#316924).
- s390: add SMT support (bnc#994438, LTC#144756).
- sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule() (bnc#1001419).
- sched/core: Fix a race between try_to_wake_up() and a woken up task (bsc#1002165, bsc#1001419).
- scsi: ibmvfc: add FC Class 3 Error Recovery support (bsc#984992).
- scsi: ibmvfc: Fix I/O hang when port is not mapped (bsc#971989)
- scsi: ibmvfc: Set READ FCP_XFER_READY DISABLED bit in PRLI (bsc#984992).
- sd: Fix memory leak caused by RESET_WP patch (bsc#999779).
- squashfs3: properly handle dir_emit() failures (bsc#998795).
- sunrpc: Add missing support for RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT (bnc#868923).
- sunrpc: Fix a regression when reconnecting (bsc#946309).
- supported.conf: Add ext2
- supported.conf: Add iscsi modules to -base (bsc#997299)
- supported.conf: Add tun to -base (bsc#992593)
- supported.conf: Add veth to -base (bsc#992591)
- target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP (bsc#987621).
- target: Fix race between iscsi-target connection shutdown + ABORT_TASK (bsc#987621).
- tcp: add proper TS val into RST packets (bsc#937086).
- tcp: align tcp_xmit_size_goal() on tcp_tso_autosize() (bsc#937086).
- tcp: fix child sockets to use system default congestion control if not set (fate#318553).
- tcp: fix cwnd limited checking to improve congestion control (bsc#988617).
- tcp: refresh skb timestamp at retransmit time (bsc#937086).
- timers: Use proper base migration in add_timer_on() (bnc#993392).
- tunnels: Do not apply GRO to multiple layers of encapsulation (bsc#1001486).
- tunnels: Remove encapsulation offloads on decap (bsc#1001486).
- Update patches.drivers/mpt3sas-Fix-use-sas_is_tlr_enabled-API-before-enabli.patch (bsc#967640, bsc#992244).
- Update patches.kabi/kabi.clockevents_unbind.patch (bnc#937888).
- uprobes: Fix the memcg accounting (bnc#931454).
- usb: fix typo in wMaxPacketSize validation (bsc#991665).
- usbhid: add ATEN CS962 to list of quirky devices (bsc#1007615).
- usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices (bsc#922634).
- usb: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665).
- vmxnet3: Wake queue from reset work (bsc#999907).
- x86/tlb/trace: Do not trace on CPU that is offline (TLB Performance git-fixes).
- xenbus: don't invoke ->is_ready() for most device states (bsc#987333).
- xenbus: inspect the correct type in xenbus_dev_request_and_reply().
- xen: Linux 3.12.63.
- xen/pciback: Fix conf_space read/write overlap check.
- xen-pciback: return proper values during BAR sizing.
- xen: Refresh patches.xen/xen3-patch-3.9 (bsc#991247).
- xen: x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620).
- xfs: fixed signedness of error code in xfs_inode_buf_verify (bsc#1003153).
- xfs: fix xfs-handle-dquot-buffer-readahead-in-log-recovery-co.patch (bsc#1003153).
- xfs: handle dquot buffer readahead in log recovery correctly (bsc#955446).
- xfs: Silence warnings in xfs_vm_releasepage() (bnc#915183 bsc#987565).
- xhci: silence warnings in switch (bnc#991665).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
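Note that, whichever route you use to install it, a kernel update is not effective until the host is actually running the new kernel: until the reboot, `uname -r` still reports the old build and every CVE in this advisory still applies (on SUSE Linux Enterprise Live Patching 12 the kgraft-patch packages are what cover the running kernel instead). The POSIX shell functions below are an added example, not part of the SUSE advisory, for telling the two states apart. They assume the SUSE Linux Enterprise 12 naming convention that a package kernel-<flavor>-<version>-<release>.<rebuild> boots as <version>-<release>-<flavor> (the trailing RPM rebuild counter is not part of the kernel release string); verify that assumption on your own hosts before relying on it.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: tell whether the kernel that
# is actually running is at least the fixed build named in an advisory.
#
# Assumed SUSE Linux Enterprise 12 convention:
#   package  kernel-<flavor>-<version>-<release>.<rebuild>
#            e.g. kernel-default-3.12.67-60.64.18.1
#   boots as uname -r == <version>-<release>-<flavor>
#            e.g. 3.12.67-60.64.18-default

# expected_uname <version-release of the package> <flavor>
#   expected_uname 3.12.67-60.64.18.1 default  ->  3.12.67-60.64.18-default
expected_uname() {
    pkg_vr=$1
    flavor=$2
    ver=${pkg_vr%%-*}        # 3.12.67
    rel=${pkg_vr#*-}         # 60.64.18.1
    rel=${rel%.*}            # 60.64.18   (drop the RPM rebuild counter)
    printf '%s-%s-%s\n' "$ver" "$rel" "$flavor"
}

# running_kernel_is_patched <output of uname -r> <fixed version-release>
# Exit status 0 when the running kernel is the fixed build or a newer one,
# 1 when the host is still on an older kernel (whether or not the new
# package has already been installed on disk).
running_kernel_is_patched() {
    running=$1
    fixed_vr=$2
    flavor=${running##*-}                 # default, xen, ec2, ...
    running_vr=${running%-*}              # 3.12.67-60.64.18
    want=$(expected_uname "$fixed_vr" "$flavor")
    want_vr=${want%-*}
    # GNU sort -V orders version strings field by field numerically; the
    # running build is acceptable only if the fixed build sorts first (or equal).
    lowest=$(printf '%s\n%s\n' "$want_vr" "$running_vr" | sort -V | head -n 1)
    [ "$lowest" = "$want_vr" ]
}

# On a live SLES 12 SP1 host, with the fixed build taken from this advisory:
#   if running_kernel_is_patched "$(uname -r)" 3.12.67-60.64.18.1; then
#       echo "running kernel carries the fixes"
#   else
#       echo "reboot into the updated kernel, or confirm the kgraft patch is loaded"
#   fi
```

The comparison is deliberately done on the running kernel string rather than on `rpm -q kernel-default`, because a freshly installed package sits next to the old one in /boot until the next reboot and would otherwise give a false sense of being patched.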
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP1:
  zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1700=1
- SUSE Linux Enterprise Software Development Kit 12-SP1:
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1700=1
- SUSE Linux Enterprise Server 12-SP1:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1700=1
- SUSE Linux Enterprise Module for Public Cloud 12:
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-1700=1
- SUSE Linux Enterprise Live Patching 12:
  zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1700=1
- SUSE Linux Enterprise Desktop 12-SP1:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1700=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):
  kernel-default-debuginfo-3.12.67-60.64.18.1
  kernel-default-debugsource-3.12.67-60.64.18.1
  kernel-default-extra-3.12.67-60.64.18.1
  kernel-default-extra-debuginfo-3.12.67-60.64.18.1
- SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
  kernel-obs-build-3.12.67-60.64.18.1
  kernel-obs-build-debugsource-3.12.67-60.64.18.1
- SUSE Linux Enterprise Software Development Kit 12-SP1 (noarch):
  kernel-docs-3.12.67-60.64.18.3
- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
  kernel-default-3.12.67-60.64.18.1
  kernel-default-base-3.12.67-60.64.18.1
  kernel-default-base-debuginfo-3.12.67-60.64.18.1
  kernel-default-debuginfo-3.12.67-60.64.18.1
  kernel-default-debugsource-3.12.67-60.64.18.1
  kernel-default-devel-3.12.67-60.64.18.1
  kernel-syms-3.12.67-60.64.18.1
- SUSE Linux Enterprise Server 12-SP1 (noarch):
  kernel-devel-3.12.67-60.64.18.1
  kernel-macros-3.12.67-60.64.18.1
  kernel-source-3.12.67-60.64.18.1
- SUSE Linux Enterprise Server 12-SP1 (x86_64):
  kernel-xen-3.12.67-60.64.18.1
  kernel-xen-base-3.12.67-60.64.18.1
  kernel-xen-base-debuginfo-3.12.67-60.64.18.1
  kernel-xen-debuginfo-3.12.67-60.64.18.1
  kernel-xen-debugsource-3.12.67-60.64.18.1
kernel-xen-devel-3.12.67-60.64.18.1 - SUSE Linux Enterprise Server 12-SP1 (s390x): kernel-default-man-3.12.67-60.64.18.1 - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64): kernel-ec2-3.12.67-60.64.18.1 kernel-ec2-debuginfo-3.12.67-60.64.18.1 kernel-ec2-debugsource-3.12.67-60.64.18.1 kernel-ec2-devel-3.12.67-60.64.18.1 kernel-ec2-extra-3.12.67-60.64.18.1 kernel-ec2-extra-debuginfo-3.12.67-60.64.18.1 - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-3_12_67-60_64_18-default-1-6.3 kgraft-patch-3_12_67-60_64_18-xen-1-6.3 - SUSE Linux Enterprise Desktop 12-SP1 (noarch): kernel-devel-3.12.67-60.64.18.1 kernel-macros-3.12.67-60.64.18.1 kernel-source-3.12.67-60.64.18.1 - SUSE Linux Enterprise Desktop 12-SP1 (x86_64): kernel-default-3.12.67-60.64.18.1 kernel-default-debuginfo-3.12.67-60.64.18.1 kernel-default-debugsource-3.12.67-60.64.18.1 kernel-default-devel-3.12.67-60.64.18.1 kernel-default-extra-3.12.67-60.64.18.1 kernel-default-extra-debuginfo-3.12.67-60.64.18.1 kernel-syms-3.12.67-60.64.18.1 kernel-xen-3.12.67-60.64.18.1 kernel-xen-debuginfo-3.12.67-60.64.18.1 kernel-xen-debugsource-3.12.67-60.64.18.1 kernel-xen-devel-3.12.67-60.64.18.1 References: https://www.suse.com/security/cve/CVE-2015-8956.html https://www.suse.com/security/cve/CVE-2016-5696.html https://www.suse.com/security/cve/CVE-2016-6130.html https://www.suse.com/security/cve/CVE-2016-6327.html https://www.suse.com/security/cve/CVE-2016-6480.html https://www.suse.com/security/cve/CVE-2016-6828.html https://www.suse.com/security/cve/CVE-2016-7042.html https://www.suse.com/security/cve/CVE-2016-7097.html https://www.suse.com/security/cve/CVE-2016-7425.html https://www.suse.com/security/cve/CVE-2016-8658.html https://www.suse.com/security/cve/CVE-2016-8666.html https://bugzilla.suse.com/1000189 https://bugzilla.suse.com/1000287 https://bugzilla.suse.com/1000304 https://bugzilla.suse.com/1000776 https://bugzilla.suse.com/1001419 https://bugzilla.suse.com/1001486 
https://bugzilla.suse.com/1002165 https://bugzilla.suse.com/1003079 https://bugzilla.suse.com/1003153 https://bugzilla.suse.com/1003400 https://bugzilla.suse.com/1003568 https://bugzilla.suse.com/1003866 https://bugzilla.suse.com/1003925 https://bugzilla.suse.com/1003964 https://bugzilla.suse.com/1004252 https://bugzilla.suse.com/1004462 https://bugzilla.suse.com/1004517 https://bugzilla.suse.com/1004520 https://bugzilla.suse.com/1005666 https://bugzilla.suse.com/1006691 https://bugzilla.suse.com/1007615 https://bugzilla.suse.com/1007886 https://bugzilla.suse.com/744692 https://bugzilla.suse.com/772786 https://bugzilla.suse.com/789311 https://bugzilla.suse.com/857397 https://bugzilla.suse.com/860441 https://bugzilla.suse.com/865545 https://bugzilla.suse.com/866130 https://bugzilla.suse.com/868923 https://bugzilla.suse.com/874131 https://bugzilla.suse.com/876463 https://bugzilla.suse.com/898675 https://bugzilla.suse.com/904489 https://bugzilla.suse.com/909994 https://bugzilla.suse.com/911687 https://bugzilla.suse.com/915183 https://bugzilla.suse.com/921338 https://bugzilla.suse.com/921784 https://bugzilla.suse.com/922064 https://bugzilla.suse.com/922634 https://bugzilla.suse.com/924381 https://bugzilla.suse.com/924384 https://bugzilla.suse.com/930399 https://bugzilla.suse.com/931454 https://bugzilla.suse.com/934067 https://bugzilla.suse.com/937086 https://bugzilla.suse.com/937888 https://bugzilla.suse.com/940545 https://bugzilla.suse.com/941420 https://bugzilla.suse.com/946309 https://bugzilla.suse.com/955446 https://bugzilla.suse.com/956514 https://bugzilla.suse.com/959463 https://bugzilla.suse.com/961257 https://bugzilla.suse.com/962846 https://bugzilla.suse.com/966864 https://bugzilla.suse.com/967640 https://bugzilla.suse.com/970943 https://bugzilla.suse.com/971975 https://bugzilla.suse.com/971989 https://bugzilla.suse.com/974406 https://bugzilla.suse.com/974620 https://bugzilla.suse.com/975596 https://bugzilla.suse.com/975772 https://bugzilla.suse.com/976195 
https://bugzilla.suse.com/977687 https://bugzilla.suse.com/978094 https://bugzilla.suse.com/979451 https://bugzilla.suse.com/979928 https://bugzilla.suse.com/982783 https://bugzilla.suse.com/983619 https://bugzilla.suse.com/984194 https://bugzilla.suse.com/984419 https://bugzilla.suse.com/984779 https://bugzilla.suse.com/984992 https://bugzilla.suse.com/985562 https://bugzilla.suse.com/986445 https://bugzilla.suse.com/987192 https://bugzilla.suse.com/987333 https://bugzilla.suse.com/987542 https://bugzilla.suse.com/987565 https://bugzilla.suse.com/987621 https://bugzilla.suse.com/987805 https://bugzilla.suse.com/988440 https://bugzilla.suse.com/988617 https://bugzilla.suse.com/988715 https://bugzilla.suse.com/989152 https://bugzilla.suse.com/989953 https://bugzilla.suse.com/990245 https://bugzilla.suse.com/991247 https://bugzilla.suse.com/991608 https://bugzilla.suse.com/991665 https://bugzilla.suse.com/992244 https://bugzilla.suse.com/992555 https://bugzilla.suse.com/992591 https://bugzilla.suse.com/992593 https://bugzilla.suse.com/992712 https://bugzilla.suse.com/993392 https://bugzilla.suse.com/993841 https://bugzilla.suse.com/993890 https://bugzilla.suse.com/993891 https://bugzilla.suse.com/994296 https://bugzilla.suse.com/994438 https://bugzilla.suse.com/994520 https://bugzilla.suse.com/994748 https://bugzilla.suse.com/995153 https://bugzilla.suse.com/995968 https://bugzilla.suse.com/996664 https://bugzilla.suse.com/997059 https://bugzilla.suse.com/997299 https://bugzilla.suse.com/997708 https://bugzilla.suse.com/997896 https://bugzilla.suse.com/998689 https://bugzilla.suse.com/998795 https://bugzilla.suse.com/998825 https://bugzilla.suse.com/999577 https://bugzilla.suse.com/999584 https://bugzilla.suse.com/999600 https://bugzilla.suse.com/999779 https://bugzilla.suse.com/999907 https://bugzilla.suse.com/999932 From sle-security-updates at lists.suse.com Fri Nov 25 11:08:25 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at 
lists.suse.com)
Date: Fri, 25 Nov 2016 19:08:25 +0100 (CET)
Subject: SUSE-SU-2016:2915-1: Security update for dovecot22
Message-ID: <20161125180825.5100A1003D@maintenance.suse.de>

SUSE Security Update: Security update for dovecot22
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2915-1
Rating:             low
References:         #1003952 #984639
Cross-References:   CVE-2016-4983
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for dovecot22 fixes the following issues:

- insecure SSL/TLS key and certificate file creation (CVE-2016-4983) (bnc#984639)
- Fix LDAP based authentication for some setups (boo#1003952)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP2:
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1703=1
- SUSE Linux Enterprise Software Development Kit 12-SP1:
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1703=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1703=1
- SUSE Linux Enterprise Server 12-SP2:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1703=1
- SUSE Linux Enterprise Server 12-SP1:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1703=1

To bring your system up-to-date, use "zypper patch".
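CVE-2016-4983 is a file-permission problem rather than a protocol flaw: Dovecot's mkcert.sh helper generated the key and certificate files under the caller's default umask, so the private key could end up readable by every local user. Updating the package fixes the helper, but it does not retroactively tighten key files that were already generated, so those need to be audited. The POSIX shell functions below are an added example, not part of the SUSE advisory or of Dovecot, that audit a directory of key files and show the umask pattern a key generator should use. They assume that a private key is only acceptable as a regular file with mode 0600 or 0400, that keys are named *.key or *.pem, and that GNU stat (with a BSD stat fallback) is available; adjust those assumptions to your deployment.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory or of Dovecot: audit TLS private
# key permissions (the class of problem behind CVE-2016-4983) and create new
# private files in a way that never exposes them to group/other.
# Assumption: a private key is acceptable only as a regular file with mode
# 0600 or 0400; anything looser is reported.

# file_mode <path>: print the octal permission bits.
# GNU coreutils stat first, BSD/macOS stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_perms_ok <path>: exit 0 for a regular file with mode 600 or 400, else 1.
key_perms_ok() {
    [ -f "$1" ] || return 1
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# create_private_file <path>: create (or truncate) <path> so that it is never
# group/other-readable, not even between creation and a later chmod, by
# tightening the umask in a subshell before the file exists. This is the
# pattern a key generator must follow; relying on the caller's umask is the
# mistake that CVE-2016-4983 describes.
create_private_file() {
    ( umask 077 && : > "$1" ) && chmod 600 "$1"
}

# audit_key_dir <dir>: print every *.key / *.pem file in <dir> whose mode is
# looser than 0600/0400; exit 0 when none is found, 1 otherwise.
audit_key_dir() {
    bad=0
    for f in "$1"/*.key "$1"/*.pem; do
        [ -e "$f" ] || continue           # unmatched glob pattern, skip
        if ! key_perms_ok "$f"; then
            printf 'insecure mode %s: %s\n' "$(file_mode "$f")" "$f"
            bad=1
        fi
    done
    return "$bad"
}

# Typical use on a mail server (path is the Debian/SUSE default location for
# private keys; adjust to where your dovecot.conf points ssl_key at):
#   audit_key_dir /etc/ssl/private || echo "fix the files listed above"
```

The audit only looks at mode bits; a key owned by the wrong user, or a directory above it that is world-traversable and world-writable, is a separate check. Note also that the restart of Dovecot after the package update does not change existing file modes, so run the audit after updating rather than assuming the update cleaned up.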
Package List: - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): dovecot22-debuginfo-2.2.13-4.1 dovecot22-debugsource-2.2.13-4.1 dovecot22-devel-2.2.13-4.1 - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64): dovecot22-debuginfo-2.2.13-4.1 dovecot22-debugsource-2.2.13-4.1 dovecot22-devel-2.2.13-4.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): dovecot22-2.2.13-4.1 dovecot22-backend-mysql-2.2.13-4.1 dovecot22-backend-mysql-debuginfo-2.2.13-4.1 dovecot22-backend-pgsql-2.2.13-4.1 dovecot22-backend-pgsql-debuginfo-2.2.13-4.1 dovecot22-backend-sqlite-2.2.13-4.1 dovecot22-backend-sqlite-debuginfo-2.2.13-4.1 dovecot22-debuginfo-2.2.13-4.1 dovecot22-debugsource-2.2.13-4.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64): dovecot22-2.2.13-4.1 dovecot22-backend-mysql-2.2.13-4.1 dovecot22-backend-mysql-debuginfo-2.2.13-4.1 dovecot22-backend-pgsql-2.2.13-4.1 dovecot22-backend-pgsql-debuginfo-2.2.13-4.1 dovecot22-backend-sqlite-2.2.13-4.1 dovecot22-backend-sqlite-debuginfo-2.2.13-4.1 dovecot22-debuginfo-2.2.13-4.1 dovecot22-debugsource-2.2.13-4.1 - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64): dovecot22-2.2.13-4.1 dovecot22-backend-mysql-2.2.13-4.1 dovecot22-backend-mysql-debuginfo-2.2.13-4.1 dovecot22-backend-pgsql-2.2.13-4.1 dovecot22-backend-pgsql-debuginfo-2.2.13-4.1 dovecot22-backend-sqlite-2.2.13-4.1 dovecot22-backend-sqlite-debuginfo-2.2.13-4.1 dovecot22-debuginfo-2.2.13-4.1 dovecot22-debugsource-2.2.13-4.1 References: https://www.suse.com/security/cve/CVE-2016-4983.html https://bugzilla.suse.com/1003952 https://bugzilla.suse.com/984639 From sle-security-updates at lists.suse.com Mon Nov 28 12:07:12 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 28 Nov 2016 20:07:12 +0100 (CET) Subject: SUSE-SU-2016:2932-1: important: Security update for mariadb Message-ID: <20161128190712.AB799FFD3@maintenance.suse.de> 
SUSE Security Update: Security update for mariadb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2932-1
Rating:             important
References:         #1001367 #1003800 #1005555 #1005558 #1005562 #1005564 #1005566 #1005569 #1005581 #1005582 #1006539 #1008318
Cross-References:   CVE-2016-3492 CVE-2016-5584 CVE-2016-5616 CVE-2016-5624 CVE-2016-5626 CVE-2016-5629 CVE-2016-6663 CVE-2016-7440 CVE-2016-8283
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

An update that solves 9 vulnerabilities and has three fixes is now available.

Description:

This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318):

Security fixes:

- CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582)
- CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581)
- CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569)
- CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566)
- CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564)
- CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562)
- CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558)
- CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555)
- CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367)

Bugfixes:

- mysql_install_db can't find data files (bsc#1006539)
- mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800)
- Notable changes:
  * XtraDB updated to 5.6.33-79.0
  * TokuDB updated to 5.6.33-79.0
  * Innodb updated to 5.6.33
  * Performance Schema updated to 5.6.33
- Release notes and upstream changelog:
  * https://kb.askmonty.org/en/mariadb-10028-release-notes
  * https://kb.askmonty.org/en/mariadb-10028-changelog

Patch Instructions:

To install this
SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12: zypper in -t patch SUSE-SLE-SAP-12-2016-1718=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2016-1718=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server for SAP 12 (x86_64): libmysqlclient-devel-10.0.28-20.16.2 libmysqlclient18-10.0.28-20.16.2 libmysqlclient18-32bit-10.0.28-20.16.2 libmysqlclient18-debuginfo-10.0.28-20.16.2 libmysqlclient18-debuginfo-32bit-10.0.28-20.16.2 libmysqlclient_r18-10.0.28-20.16.2 libmysqld-devel-10.0.28-20.16.2 libmysqld18-10.0.28-20.16.2 libmysqld18-debuginfo-10.0.28-20.16.2 mariadb-10.0.28-20.16.2 mariadb-client-10.0.28-20.16.2 mariadb-client-debuginfo-10.0.28-20.16.2 mariadb-debuginfo-10.0.28-20.16.2 mariadb-debugsource-10.0.28-20.16.2 mariadb-errormessages-10.0.28-20.16.2 mariadb-tools-10.0.28-20.16.2 mariadb-tools-debuginfo-10.0.28-20.16.2 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): libmysqlclient-devel-10.0.28-20.16.2 libmysqlclient18-10.0.28-20.16.2 libmysqlclient18-debuginfo-10.0.28-20.16.2 libmysqlclient_r18-10.0.28-20.16.2 libmysqld-devel-10.0.28-20.16.2 libmysqld18-10.0.28-20.16.2 libmysqld18-debuginfo-10.0.28-20.16.2 mariadb-10.0.28-20.16.2 mariadb-client-10.0.28-20.16.2 mariadb-client-debuginfo-10.0.28-20.16.2 mariadb-debuginfo-10.0.28-20.16.2 mariadb-debugsource-10.0.28-20.16.2 mariadb-errormessages-10.0.28-20.16.2 mariadb-tools-10.0.28-20.16.2 mariadb-tools-debuginfo-10.0.28-20.16.2 - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64): libmysqlclient18-32bit-10.0.28-20.16.2 libmysqlclient18-debuginfo-32bit-10.0.28-20.16.2 References: https://www.suse.com/security/cve/CVE-2016-3492.html https://www.suse.com/security/cve/CVE-2016-5584.html https://www.suse.com/security/cve/CVE-2016-5616.html https://www.suse.com/security/cve/CVE-2016-5624.html 
https://www.suse.com/security/cve/CVE-2016-5626.html https://www.suse.com/security/cve/CVE-2016-5629.html https://www.suse.com/security/cve/CVE-2016-6663.html https://www.suse.com/security/cve/CVE-2016-7440.html https://www.suse.com/security/cve/CVE-2016-8283.html https://bugzilla.suse.com/1001367 https://bugzilla.suse.com/1003800 https://bugzilla.suse.com/1005555 https://bugzilla.suse.com/1005558 https://bugzilla.suse.com/1005562 https://bugzilla.suse.com/1005564 https://bugzilla.suse.com/1005566 https://bugzilla.suse.com/1005569 https://bugzilla.suse.com/1005581 https://bugzilla.suse.com/1005582 https://bugzilla.suse.com/1006539 https://bugzilla.suse.com/1008318 From sle-security-updates at lists.suse.com Mon Nov 28 12:09:17 2016 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 28 Nov 2016 20:09:17 +0100 (CET) Subject: SUSE-SU-2016:2933-1: important: Recommended update for mariadb Message-ID: <20161128190917.15DDAFFD3@maintenance.suse.de> SUSE Security Update: Recommended update for mariadb ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:2933-1 Rating: important References: #1001367 #1003800 #1004477 #1005555 #1005558 #1005562 #1005564 #1005566 #1005569 #1005581 #1005582 #1006539 #1008318 #990890 Cross-References: CVE-2016-3492 CVE-2016-5584 CVE-2016-5616 CVE-2016-5624 CVE-2016-5626 CVE-2016-5629 CVE-2016-6663 CVE-2016-7440 CVE-2016-8283 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP2 SUSE Linux Enterprise Workstation Extension 12-SP1 SUSE Linux Enterprise Software Development Kit 12-SP2 SUSE Linux Enterprise Software Development Kit 12-SP1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 SUSE Linux Enterprise Server 12-SP2 SUSE Linux Enterprise Server 12-SP1 SUSE Linux Enterprise Desktop 12-SP2 SUSE Linux Enterprise Desktop 12-SP1 ______________________________________________________________________________ An update that solves 
9 vulnerabilities and has 5 fixes is now available. Description: This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318): Security fixes: - CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582) - CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581) - CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569) - CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566) - CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564) - CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562) - CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558) - CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555) - CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367) Bugfixes: - mysql_install_db can't find data files (bsc#1006539) - mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800) - Remove useless mysql at default.service (bsc#1004477) - Replace all occurrences of the string "@sysconfdir@" with "/etc" as it wasn't expanded properly (bsc#990890) - Notable changes: * XtraDB updated to 5.6.33-79.0 * TokuDB updated to 5.6.33-79.0 * Innodb updated to 5.6.33 * Performance Schema updated to 5.6.33 - Release notes and upstream changelog: * https://kb.askmonty.org/en/mariadb-10028-release-notes * https://kb.askmonty.org/en/mariadb-10028-changelog Patch Instructions: To install this SUSE Security Update use YaST online_update. 
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP2:

      zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1717=1

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1717=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1717=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1717=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1717=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1717=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1717=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1717=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1717=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64):

      libmysqlclient_r18-10.0.28-17.2
      libmysqlclient_r18-32bit-10.0.28-17.2
      mariadb-debuginfo-10.0.28-17.2
      mariadb-debugsource-10.0.28-17.2

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      libmysqlclient_r18-10.0.28-17.2
      libmysqlclient_r18-32bit-10.0.28-17.2
      mariadb-debuginfo-10.0.28-17.2
      mariadb-debugsource-10.0.28-17.2

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      libmysqlclient-devel-10.0.28-17.2
      libmysqlclient_r18-10.0.28-17.2
      libmysqld-devel-10.0.28-17.2
      libmysqld18-10.0.28-17.2
      libmysqld18-debuginfo-10.0.28-17.2
      mariadb-debuginfo-10.0.28-17.2
      mariadb-debugsource-10.0.28-17.2

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libmysqlclient-devel-10.0.28-17.2
      libmysqlclient_r18-10.0.28-17.2
      libmysqld-devel-10.0.28-17.2
      libmysqld18-10.0.28-17.2
      libmysqld18-debuginfo-10.0.28-17.2
      mariadb-debuginfo-10.0.28-17.2
      mariadb-debugsource-10.0.28-17.2

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libmysqlclient18-10.0.28-17.2
      libmysqlclient18-debuginfo-10.0.28-17.2
      mariadb-10.0.28-17.2
      mariadb-client-10.0.28-17.2
      mariadb-client-debuginfo-10.0.28-17.2
      mariadb-debuginfo-10.0.28-17.2
      mariadb-debugsource-10.0.28-17.2
      mariadb-errormessages-10.0.28-17.2
      mariadb-tools-10.0.28-17.2
      mariadb-tools-debuginfo-10.0.28-17.2

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      libmysqlclient18-10.0.28-17.2
      libmysqlclient18-debuginfo-10.0.28-17.2
      mariadb-10.0.28-17.2
      mariadb-client-10.0.28-17.2
      mariadb-client-debuginfo-10.0.28-17.2
      mariadb-debuginfo-10.0.28-17.2
      mariadb-debugsource-10.0.28-17.2
      mariadb-errormessages-10.0.28-17.2
      mariadb-tools-10.0.28-17.2
      mariadb-tools-debuginfo-10.0.28-17.2

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      libmysqlclient18-32bit-10.0.28-17.2
      libmysqlclient18-debuginfo-32bit-10.0.28-17.2

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libmysqlclient18-10.0.28-17.2
      libmysqlclient18-debuginfo-10.0.28-17.2
      mariadb-10.0.28-17.2
      mariadb-client-10.0.28-17.2
      mariadb-client-debuginfo-10.0.28-17.2
      mariadb-debuginfo-10.0.28-17.2
      mariadb-debugsource-10.0.28-17.2
      mariadb-errormessages-10.0.28-17.2
      mariadb-tools-10.0.28-17.2
      mariadb-tools-debuginfo-10.0.28-17.2

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libmysqlclient18-32bit-10.0.28-17.2
      libmysqlclient18-debuginfo-32bit-10.0.28-17.2

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libmysqlclient18-10.0.28-17.2
      libmysqlclient18-32bit-10.0.28-17.2
      libmysqlclient18-debuginfo-10.0.28-17.2
      libmysqlclient18-debuginfo-32bit-10.0.28-17.2
      libmysqlclient_r18-10.0.28-17.2
      libmysqlclient_r18-32bit-10.0.28-17.2
      mariadb-10.0.28-17.2
      mariadb-client-10.0.28-17.2
      mariadb-client-debuginfo-10.0.28-17.2
      mariadb-debuginfo-10.0.28-17.2
      mariadb-debugsource-10.0.28-17.2
      mariadb-errormessages-10.0.28-17.2

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libmysqlclient18-10.0.28-17.2
      libmysqlclient18-32bit-10.0.28-17.2
      libmysqlclient18-debuginfo-10.0.28-17.2
      libmysqlclient18-debuginfo-32bit-10.0.28-17.2
      libmysqlclient_r18-10.0.28-17.2
      libmysqlclient_r18-32bit-10.0.28-17.2
      mariadb-10.0.28-17.2
      mariadb-client-10.0.28-17.2
      mariadb-client-debuginfo-10.0.28-17.2
      mariadb-debuginfo-10.0.28-17.2
      mariadb-debugsource-10.0.28-17.2
      mariadb-errormessages-10.0.28-17.2

References:

   https://www.suse.com/security/cve/CVE-2016-3492.html
   https://www.suse.com/security/cve/CVE-2016-5584.html
   https://www.suse.com/security/cve/CVE-2016-5616.html
   https://www.suse.com/security/cve/CVE-2016-5624.html
   https://www.suse.com/security/cve/CVE-2016-5626.html
   https://www.suse.com/security/cve/CVE-2016-5629.html
   https://www.suse.com/security/cve/CVE-2016-6663.html
   https://www.suse.com/security/cve/CVE-2016-7440.html
   https://www.suse.com/security/cve/CVE-2016-8283.html
   https://bugzilla.suse.com/1001367
   https://bugzilla.suse.com/1003800
   https://bugzilla.suse.com/1004477
   https://bugzilla.suse.com/1005555
   https://bugzilla.suse.com/1005558
   https://bugzilla.suse.com/1005562
   https://bugzilla.suse.com/1005564
   https://bugzilla.suse.com/1005566
   https://bugzilla.suse.com/1005569
   https://bugzilla.suse.com/1005581
   https://bugzilla.suse.com/1005582
   https://bugzilla.suse.com/1006539
   https://bugzilla.suse.com/1008318
   https://bugzilla.suse.com/990890

From sle-security-updates at lists.suse.com  Tue Nov 29 06:07:08 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 29 Nov 2016 14:07:08 +0100 (CET)
Subject: SUSE-SU-2016:2936-1: important: Security update for qemu
Message-ID: <20161129130708.040B6FFD3@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2936-1
Rating:             important
References:         #1001151 #1002116 #1002550 #1002557 #1003878 #1003893
                    #1003894 #1004702 #1004707 #1006536 #1006538 #1007391
                    #1007450 #1007454 #1007493 #1007494 #1007495 #998516
                    #999661
Cross-References:   CVE-2016-7161 CVE-2016-7170 CVE-2016-7421 CVE-2016-7908
                    CVE-2016-7909 CVE-2016-8576 CVE-2016-8577 CVE-2016-8578
                    CVE-2016-8667 CVE-2016-8669 CVE-2016-8909 CVE-2016-8910
                    CVE-2016-9101 CVE-2016-9102 CVE-2016-9103 CVE-2016-9104
                    CVE-2016-9105 CVE-2016-9106
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that solves 18 vulnerabilities and has one errata is now available.
Description:

   This update for qemu fixes the following issues:

   - Patch queue updated from https://gitlab.suse.de/virtualization/qemu.git SLE12
   - Change package post script udevadm trigger calls to be device specific
     (bsc#1002116)
   - Address various security/stability issues
     * Fix OOB access in xlnx.xpx-ethernetlite emulation (CVE-2016-7161 bsc#1001151)
     * Fix OOB access in VMware SVGA emulation (CVE-2016-7170 bsc#998516)
     * Fix DoS in Vmware pv scsi interface (CVE-2016-7421 bsc#999661)
     * Fix DoS in ColdFire Fast Ethernet Controller emulation (CVE-2016-7908 bsc#1002550)
     * Fix DoS in USB xHCI emulation (CVE-2016-8576 bsc#1003878)
     * Fix DoS in virtio-9pfs (CVE-2016-8578 bsc#1003894)
     * Fix DoS in virtio-9pfs (CVE-2016-9105 bsc#1007494)
     * Fix DoS in virtio-9pfs (CVE-2016-8577 bsc#1003893)
     * Plug data leak in virtio-9pfs interface (CVE-2016-9103 bsc#1007454)
     * Fix DoS in virtio-9pfs interface (CVE-2016-9102 bsc#1007450)
     * Fix DoS in virtio-9pfs (CVE-2016-9106 bsc#1007495)
     * Fix DoS in 16550A UART emulation (CVE-2016-8669 bsc#1004707)
     * Fix DoS in PC-Net II emulation (CVE-2016-7909 bsc#1002557)
     * Fix DoS in PRO100 emulation (CVE-2016-9101 bsc#1007391)
     * Fix DoS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)
     * Fix DoS in Intel HDA controller emulation (CVE-2016-8909 bsc#1006536)
     * Fix DoS in virtio-9pfs (CVE-2016-9104 bsc#1007493)
     * Fix DoS in JAZZ RC4030 emulation (CVE-2016-8667 bsc#1004702)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1719=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1719=1

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      qemu-2.0.2-48.25.1
      qemu-block-curl-2.0.2-48.25.1
      qemu-block-curl-debuginfo-2.0.2-48.25.1
      qemu-block-rbd-2.0.2-48.25.1
      qemu-block-rbd-debuginfo-2.0.2-48.25.1
      qemu-debugsource-2.0.2-48.25.1
      qemu-guest-agent-2.0.2-48.25.1
      qemu-guest-agent-debuginfo-2.0.2-48.25.1
      qemu-kvm-2.0.2-48.25.1
      qemu-lang-2.0.2-48.25.1
      qemu-tools-2.0.2-48.25.1
      qemu-tools-debuginfo-2.0.2-48.25.1
      qemu-x86-2.0.2-48.25.1
      qemu-x86-debuginfo-2.0.2-48.25.1

   - SUSE Linux Enterprise Server for SAP 12 (noarch):

      qemu-ipxe-1.0.0-48.25.1
      qemu-seabios-1.7.4-48.25.1
      qemu-sgabios-8-48.25.1
      qemu-vgabios-1.7.4-48.25.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      qemu-2.0.2-48.25.1
      qemu-block-curl-2.0.2-48.25.1
      qemu-block-curl-debuginfo-2.0.2-48.25.1
      qemu-debugsource-2.0.2-48.25.1
      qemu-guest-agent-2.0.2-48.25.1
      qemu-guest-agent-debuginfo-2.0.2-48.25.1
      qemu-lang-2.0.2-48.25.1
      qemu-tools-2.0.2-48.25.1
      qemu-tools-debuginfo-2.0.2-48.25.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64):

      qemu-kvm-2.0.2-48.25.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le):

      qemu-ppc-2.0.2-48.25.1
      qemu-ppc-debuginfo-2.0.2-48.25.1

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      qemu-block-rbd-2.0.2-48.25.1
      qemu-block-rbd-debuginfo-2.0.2-48.25.1
      qemu-x86-2.0.2-48.25.1
      qemu-x86-debuginfo-2.0.2-48.25.1

   - SUSE Linux Enterprise Server 12-LTSS (noarch):

      qemu-ipxe-1.0.0-48.25.1
      qemu-seabios-1.7.4-48.25.1
      qemu-sgabios-8-48.25.1
      qemu-vgabios-1.7.4-48.25.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x):

      qemu-s390-2.0.2-48.25.1
      qemu-s390-debuginfo-2.0.2-48.25.1

References:

   https://www.suse.com/security/cve/CVE-2016-7161.html
   https://www.suse.com/security/cve/CVE-2016-7170.html
   https://www.suse.com/security/cve/CVE-2016-7421.html
   https://www.suse.com/security/cve/CVE-2016-7908.html
   https://www.suse.com/security/cve/CVE-2016-7909.html
   https://www.suse.com/security/cve/CVE-2016-8576.html
   https://www.suse.com/security/cve/CVE-2016-8577.html
   https://www.suse.com/security/cve/CVE-2016-8578.html
   https://www.suse.com/security/cve/CVE-2016-8667.html
   https://www.suse.com/security/cve/CVE-2016-8669.html
   https://www.suse.com/security/cve/CVE-2016-8909.html
   https://www.suse.com/security/cve/CVE-2016-8910.html
   https://www.suse.com/security/cve/CVE-2016-9101.html
   https://www.suse.com/security/cve/CVE-2016-9102.html
   https://www.suse.com/security/cve/CVE-2016-9103.html
   https://www.suse.com/security/cve/CVE-2016-9104.html
   https://www.suse.com/security/cve/CVE-2016-9105.html
   https://www.suse.com/security/cve/CVE-2016-9106.html
   https://bugzilla.suse.com/1001151
   https://bugzilla.suse.com/1002116
   https://bugzilla.suse.com/1002550
   https://bugzilla.suse.com/1002557
   https://bugzilla.suse.com/1003878
   https://bugzilla.suse.com/1003893
   https://bugzilla.suse.com/1003894
   https://bugzilla.suse.com/1004702
   https://bugzilla.suse.com/1004707
   https://bugzilla.suse.com/1006536
   https://bugzilla.suse.com/1006538
   https://bugzilla.suse.com/1007391
   https://bugzilla.suse.com/1007450
   https://bugzilla.suse.com/1007454
   https://bugzilla.suse.com/1007493
   https://bugzilla.suse.com/1007494
   https://bugzilla.suse.com/1007495
   https://bugzilla.suse.com/998516
   https://bugzilla.suse.com/999661

From sle-security-updates at lists.suse.com  Tue Nov 29 09:07:20 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 29 Nov 2016 17:07:20 +0100 (CET)
Subject: SUSE-SU-2016:2938-1: important: Security update for vim
Message-ID: <20161129160720.28941FFC0@maintenance.suse.de>

   SUSE Security Update: Security update for vim
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2938-1
Rating:             important
References:         #1010685
Cross-References:   CVE-2016-1248
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for vim fixes the following security issues:

   - Fixed CVE-2016-1248, an arbitrary command execution vulnerability (bsc#1010685)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-vim-12862=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-vim-12862=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      gvim-7.2-8.17.1
      vim-7.2-8.17.1
      vim-base-7.2-8.17.1
      vim-data-7.2-8.17.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      vim-debuginfo-7.2-8.17.1
      vim-debugsource-7.2-8.17.1

References:

   https://www.suse.com/security/cve/CVE-2016-1248.html
   https://bugzilla.suse.com/1010685

From sle-security-updates at lists.suse.com  Tue Nov 29 09:08:30 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 29 Nov 2016 17:08:30 +0100 (CET)
Subject: SUSE-SU-2016:2941-1: moderate: Security update for php7
Message-ID: <20161129160830.7D9C5FFC0@maintenance.suse.de>

   SUSE Security Update: Security update for php7
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2941-1
Rating:             moderate
References:         #1008029 #988486
Cross-References:   CVE-2016-5385 CVE-2016-9137
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for php7 fixes the following security issues:

   - CVE-2016-5385: Setting HTTP_PROXY environment variable via Proxy header
     (httpoxy) (bsc#988486).
   - CVE-2016-9137: Fixing a Use After Free in unserialize() (bsc#1008029).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1722=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1722=1

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1722=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      php7-debuginfo-7.0.7-25.1
      php7-debugsource-7.0.7-25.1
      php7-devel-7.0.7-25.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      php7-debuginfo-7.0.7-25.1
      php7-debugsource-7.0.7-25.1
      php7-devel-7.0.7-25.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):

      apache2-mod_php7-7.0.7-25.1
      apache2-mod_php7-debuginfo-7.0.7-25.1
      php7-7.0.7-25.1
      php7-bcmath-7.0.7-25.1
      php7-bcmath-debuginfo-7.0.7-25.1
      php7-bz2-7.0.7-25.1
      php7-bz2-debuginfo-7.0.7-25.1
      php7-calendar-7.0.7-25.1
      php7-calendar-debuginfo-7.0.7-25.1
      php7-ctype-7.0.7-25.1
      php7-ctype-debuginfo-7.0.7-25.1
      php7-curl-7.0.7-25.1
      php7-curl-debuginfo-7.0.7-25.1
      php7-dba-7.0.7-25.1
      php7-dba-debuginfo-7.0.7-25.1
      php7-debuginfo-7.0.7-25.1
      php7-debugsource-7.0.7-25.1
      php7-dom-7.0.7-25.1
      php7-dom-debuginfo-7.0.7-25.1
      php7-enchant-7.0.7-25.1
      php7-enchant-debuginfo-7.0.7-25.1
      php7-exif-7.0.7-25.1
      php7-exif-debuginfo-7.0.7-25.1
      php7-fastcgi-7.0.7-25.1
      php7-fastcgi-debuginfo-7.0.7-25.1
      php7-fileinfo-7.0.7-25.1
      php7-fileinfo-debuginfo-7.0.7-25.1
      php7-fpm-7.0.7-25.1
      php7-fpm-debuginfo-7.0.7-25.1
      php7-ftp-7.0.7-25.1
      php7-ftp-debuginfo-7.0.7-25.1
      php7-gd-7.0.7-25.1
      php7-gd-debuginfo-7.0.7-25.1
      php7-gettext-7.0.7-25.1
      php7-gettext-debuginfo-7.0.7-25.1
      php7-gmp-7.0.7-25.1
      php7-gmp-debuginfo-7.0.7-25.1
      php7-iconv-7.0.7-25.1
      php7-iconv-debuginfo-7.0.7-25.1
      php7-imap-7.0.7-25.1
      php7-imap-debuginfo-7.0.7-25.1
      php7-intl-7.0.7-25.1
      php7-intl-debuginfo-7.0.7-25.1
      php7-json-7.0.7-25.1
      php7-json-debuginfo-7.0.7-25.1
      php7-ldap-7.0.7-25.1
      php7-ldap-debuginfo-7.0.7-25.1
      php7-mbstring-7.0.7-25.1
      php7-mbstring-debuginfo-7.0.7-25.1
      php7-mcrypt-7.0.7-25.1
      php7-mcrypt-debuginfo-7.0.7-25.1
      php7-mysql-7.0.7-25.1
      php7-mysql-debuginfo-7.0.7-25.1
      php7-odbc-7.0.7-25.1
      php7-odbc-debuginfo-7.0.7-25.1
      php7-opcache-7.0.7-25.1
      php7-opcache-debuginfo-7.0.7-25.1
      php7-openssl-7.0.7-25.1
      php7-openssl-debuginfo-7.0.7-25.1
      php7-pcntl-7.0.7-25.1
      php7-pcntl-debuginfo-7.0.7-25.1
      php7-pdo-7.0.7-25.1
      php7-pdo-debuginfo-7.0.7-25.1
      php7-pgsql-7.0.7-25.1
      php7-pgsql-debuginfo-7.0.7-25.1
      php7-phar-7.0.7-25.1
      php7-phar-debuginfo-7.0.7-25.1
      php7-posix-7.0.7-25.1
      php7-posix-debuginfo-7.0.7-25.1
      php7-pspell-7.0.7-25.1
      php7-pspell-debuginfo-7.0.7-25.1
      php7-shmop-7.0.7-25.1
      php7-shmop-debuginfo-7.0.7-25.1
      php7-snmp-7.0.7-25.1
      php7-snmp-debuginfo-7.0.7-25.1
      php7-soap-7.0.7-25.1
      php7-soap-debuginfo-7.0.7-25.1
      php7-sockets-7.0.7-25.1
      php7-sockets-debuginfo-7.0.7-25.1
      php7-sqlite-7.0.7-25.1
      php7-sqlite-debuginfo-7.0.7-25.1
      php7-sysvmsg-7.0.7-25.1
      php7-sysvmsg-debuginfo-7.0.7-25.1
      php7-sysvsem-7.0.7-25.1
      php7-sysvsem-debuginfo-7.0.7-25.1
      php7-sysvshm-7.0.7-25.1
      php7-sysvshm-debuginfo-7.0.7-25.1
      php7-tokenizer-7.0.7-25.1
      php7-tokenizer-debuginfo-7.0.7-25.1
      php7-wddx-7.0.7-25.1
      php7-wddx-debuginfo-7.0.7-25.1
      php7-xmlreader-7.0.7-25.1
      php7-xmlreader-debuginfo-7.0.7-25.1
      php7-xmlrpc-7.0.7-25.1
      php7-xmlrpc-debuginfo-7.0.7-25.1
      php7-xmlwriter-7.0.7-25.1
      php7-xmlwriter-debuginfo-7.0.7-25.1
      php7-xsl-7.0.7-25.1
      php7-xsl-debuginfo-7.0.7-25.1
      php7-zip-7.0.7-25.1
      php7-zip-debuginfo-7.0.7-25.1
      php7-zlib-7.0.7-25.1
      php7-zlib-debuginfo-7.0.7-25.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      php7-pear-7.0.7-25.1
      php7-pear-Archive_Tar-7.0.7-25.1

References:

   https://www.suse.com/security/cve/CVE-2016-5385.html
   https://www.suse.com/security/cve/CVE-2016-9137.html
   https://bugzilla.suse.com/1008029
   https://bugzilla.suse.com/988486

From sle-security-updates at lists.suse.com  Tue Nov 29 09:09:10 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 29 Nov 2016 17:09:10 +0100 (CET)
Subject: SUSE-SU-2016:2942-1: important: Security update for vim
Message-ID: <20161129160910.49AFEFFC0@maintenance.suse.de>

   SUSE Security Update: Security update for vim
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2942-1
Rating:             important
References:         #1010685 #988903
Cross-References:   CVE-2016-1248
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for vim fixes the following security issues:

   - Fixed CVE-2016-1248, an arbitrary command execution vulnerability (bsc#1010685)

   This update for vim fixes the following issues:

   - Fix build with Python 3.5. (bsc#988903)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1721=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1721=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1721=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1721=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1721=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      gvim-7.4.326-7.1
      gvim-debuginfo-7.4.326-7.1
      vim-7.4.326-7.1
      vim-debuginfo-7.4.326-7.1
      vim-debugsource-7.4.326-7.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):

      vim-data-7.4.326-7.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      gvim-7.4.326-7.1
      gvim-debuginfo-7.4.326-7.1
      vim-7.4.326-7.1
      vim-debuginfo-7.4.326-7.1
      vim-debugsource-7.4.326-7.1

   - SUSE Linux Enterprise Server 12-SP2 (noarch):

      vim-data-7.4.326-7.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      gvim-7.4.326-7.1
      gvim-debuginfo-7.4.326-7.1
      vim-7.4.326-7.1
      vim-debuginfo-7.4.326-7.1
      vim-debugsource-7.4.326-7.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      vim-data-7.4.326-7.1

   - SUSE Linux Enterprise Desktop 12-SP2 (noarch):

      vim-data-7.4.326-7.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      gvim-7.4.326-7.1
      gvim-debuginfo-7.4.326-7.1
      vim-7.4.326-7.1
      vim-debuginfo-7.4.326-7.1
      vim-debugsource-7.4.326-7.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      vim-data-7.4.326-7.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      gvim-7.4.326-7.1
      gvim-debuginfo-7.4.326-7.1
      vim-7.4.326-7.1
      vim-debuginfo-7.4.326-7.1
      vim-debugsource-7.4.326-7.1

References:

   https://www.suse.com/security/cve/CVE-2016-1248.html
   https://bugzilla.suse.com/1010685
   https://bugzilla.suse.com/988903

From sle-security-updates at lists.suse.com  Wed Nov 30 06:07:21 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 30 Nov 2016 14:07:21 +0100 (CET)
Subject: SUSE-SU-2016:2952-1: moderate: Security update for ImageMagick
Message-ID: <20161130130721.DB91CFFD0@maintenance.suse.de>

   SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2952-1
Rating:             moderate
References:         #1001066 #1007245
Cross-References:   CVE-2016-6823 CVE-2016-8862
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP2
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for ImageMagick fixes the following issues:

   - Memory allocation failure in AcquireMagickMemory (CVE-2016-8862) [bsc#1007245]
   - Update incomplete patch of CVE-2016-6823 [bsc#1001066]

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP2:

      zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1726=1

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-1726=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1726=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1726=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1726=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1726=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1726=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1726=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1726=1

   To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64): ImageMagick-6.8.8.1-47.1 ImageMagick-debuginfo-6.8.8.1-47.1 ImageMagick-debugsource-6.8.8.1-47.1 libMagick++-6_Q16-3-6.8.8.1-47.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-47.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-47.1 libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-47.1 - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64): ImageMagick-6.8.8.1-47.1 ImageMagick-debuginfo-6.8.8.1-47.1 ImageMagick-debugsource-6.8.8.1-47.1 libMagick++-6_Q16-3-6.8.8.1-47.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-47.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-47.1 libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-47.1 - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64): ImageMagick-6.8.8.1-47.1 ImageMagick-debuginfo-6.8.8.1-47.1 ImageMagick-debugsource-6.8.8.1-47.1 ImageMagick-devel-6.8.8.1-47.1 libMagick++-6_Q16-3-6.8.8.1-47.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-47.1 libMagick++-devel-6.8.8.1-47.1 perl-PerlMagick-6.8.8.1-47.1 perl-PerlMagick-debuginfo-6.8.8.1-47.1 - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64): ImageMagick-6.8.8.1-47.1 ImageMagick-debuginfo-6.8.8.1-47.1 ImageMagick-debugsource-6.8.8.1-47.1 ImageMagick-devel-6.8.8.1-47.1 libMagick++-6_Q16-3-6.8.8.1-47.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-47.1 libMagick++-devel-6.8.8.1-47.1 perl-PerlMagick-6.8.8.1-47.1 perl-PerlMagick-debuginfo-6.8.8.1-47.1 - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64): ImageMagick-debuginfo-6.8.8.1-47.1 ImageMagick-debugsource-6.8.8.1-47.1 libMagickCore-6_Q16-1-6.8.8.1-47.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-47.1 libMagickWand-6_Q16-1-6.8.8.1-47.1 libMagickWand-6_Q16-1-debuginfo-6.8.8.1-47.1 - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64): ImageMagick-debuginfo-6.8.8.1-47.1 ImageMagick-debugsource-6.8.8.1-47.1 libMagickCore-6_Q16-1-6.8.8.1-47.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-47.1 libMagickWand-6_Q16-1-6.8.8.1-47.1 
    libMagickWand-6_Q16-1-debuginfo-6.8.8.1-47.1

- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
    ImageMagick-debuginfo-6.8.8.1-47.1
    ImageMagick-debugsource-6.8.8.1-47.1
    libMagickCore-6_Q16-1-6.8.8.1-47.1
    libMagickCore-6_Q16-1-debuginfo-6.8.8.1-47.1
    libMagickWand-6_Q16-1-6.8.8.1-47.1
    libMagickWand-6_Q16-1-debuginfo-6.8.8.1-47.1

- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
    ImageMagick-6.8.8.1-47.1
    ImageMagick-debuginfo-6.8.8.1-47.1
    ImageMagick-debugsource-6.8.8.1-47.1
    libMagick++-6_Q16-3-6.8.8.1-47.1
    libMagick++-6_Q16-3-debuginfo-6.8.8.1-47.1
    libMagickCore-6_Q16-1-32bit-6.8.8.1-47.1
    libMagickCore-6_Q16-1-6.8.8.1-47.1
    libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-47.1
    libMagickCore-6_Q16-1-debuginfo-6.8.8.1-47.1
    libMagickWand-6_Q16-1-6.8.8.1-47.1
    libMagickWand-6_Q16-1-debuginfo-6.8.8.1-47.1

- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
    ImageMagick-6.8.8.1-47.1
    ImageMagick-debuginfo-6.8.8.1-47.1
    ImageMagick-debugsource-6.8.8.1-47.1
    libMagick++-6_Q16-3-6.8.8.1-47.1
    libMagick++-6_Q16-3-debuginfo-6.8.8.1-47.1
    libMagickCore-6_Q16-1-32bit-6.8.8.1-47.1
    libMagickCore-6_Q16-1-6.8.8.1-47.1
    libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-47.1
    libMagickCore-6_Q16-1-debuginfo-6.8.8.1-47.1
    libMagickWand-6_Q16-1-6.8.8.1-47.1
    libMagickWand-6_Q16-1-debuginfo-6.8.8.1-47.1

References:

https://www.suse.com/security/cve/CVE-2016-6823.html
https://www.suse.com/security/cve/CVE-2016-8862.html
https://bugzilla.suse.com/1001066
https://bugzilla.suse.com/1007245


From sle-security-updates at lists.suse.com Wed Nov 30 06:08:03 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 30 Nov 2016 14:08:03 +0100 (CET)
Subject: SUSE-SU-2016:2953-1: moderate: Security update for java-1_7_0-openjdk
Message-ID: <20161130130803.01B0CFFC0@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2953-1
Rating:             moderate
References:         #1005522 #1005523 #1005524 #1005525 #1005526 #1005527 #1005528
Cross-References:   CVE-2016-5542 CVE-2016-5554 CVE-2016-5556 CVE-2016-5568 CVE-2016-5573 CVE-2016-5582 CVE-2016-5597
Affected Products:
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for java-1_7_0-openjdk fixes the following issues:

- Update to 2.6.8 - OpenJDK 7u121
  * Security fixes
    + S8151921: Improved page resolution
    + S8155968: Update command line options
    + S8155973, CVE-2016-5542: Tighten jar checks (bsc#1005522)
    + S8157176: Improved classfile parsing
    + S8157739, CVE-2016-5554: Classloader Consistency Checking (bsc#1005523)
    + S8157749: Improve handling of DNS error replies
    + S8157753: Audio replay enhancement
    + S8157759: LCMS Transform Sampling Enhancement
    + S8157764: Better handling of interpolation plugins
    + S8158302: Handle contextual glyph substitutions
    + S8158993, CVE-2016-5568: Service Menu services (bsc#1005525)
    + S8159495: Fix index offsets
    + S8159503: Amend Annotation Actions
    + S8159511: Stack map validation
    + S8159515: Improve indy validation
    + S8159519, CVE-2016-5573: Reformat JDWP messages (bsc#1005526)
    + S8160090: Better signature handling in pack200
    + S8160094: Improve pack200 layout
    + S8160098: Clean up color profiles
    + S8160591, CVE-2016-5582: Improve internal array handling (bsc#1005527)
    + S8160838, CVE-2016-5597: Better HTTP service (bsc#1005528)
    + PR3207, RH1367357: lcms2: Out-of-bounds read in Type_MLU_Read()
    + CVE-2016-5556 (bsc#1005524)
  * Import of OpenJDK 7 u121 build 0
    + S6624200: Regression test fails: test/closed/javax/swing/JMenuItem/4654927/bug4654927.java
    + S6882559: new JEditorPane("text/plain","") fails for null context class loader
    + S7090158: Networking Libraries don't build with javac -Werror
    + S7125055: ContentHandler.getContent API changed in error
    + S7145960: sun/security/mscapi/ShortRSAKey1024.sh failing on windows
    + S7187051: ShortRSAKeynnn.sh tests should do cleanup before start test
    + S8000626: Implement dead key detection for KeyEvent on Linux
    + S8003890: corelibs test scripts should pass TESTVMOPTS
    + S8005629: javac warnings compiling java.awt.EventDispatchThread and sun.awt.X11.XIconWindow
    + S8010297: Missing isLoggable() checks in logging code
    + S8010782: clean up source files containing carriage return characters
    + S8014431: cleanup warnings indicated by the -Wunused-value compiler option on linux
    + S8015265: revise the fix for 8007037
    + S8016747: Replace deprecated PlatformLogger isLoggable(int) with isLoggable(Level)
    + S8020708: NLS mnemonics missing in SwingSet2/JInternalFrame demo
    + S8024756: method grouping tabs are not selectable
    + S8026741: jdk8 l10n resource file translation update 5
    + S8048147: Privilege tests with JAAS Subject.doAs
    + S8048357: PKCS basic tests
    + S8049171: Additional tests for jarsigner's warnings
    + S8059177: jdk8u40 l10n resource file translation update 1
    + S8075584: test for 8067364 depends on hardwired text advance
    + S8076486: [TESTBUG] javax/security/auth/Subject/doAs/NestedActions.java fails if extra VM options are given
    + S8077953: [TEST_BUG] com/sun/management/OperatingSystemMXBean/TestTotalSwap.java Compilation failed after JDK-8077387
    + S8080628: No mnemonics on Open and Save buttons in JFileChooser
    + S8083601: jdk8u60 l10n resource file translation update 2
    + S8140530: Creating a VolatileImage with size 0,0 results in no longer working g2d.drawString
    + S8142926: OutputAnalyzer's shouldXXX() calls return this
    + S8143134: L10n resource file translation update
    + S8147077: IllegalArgumentException thrown by api/java_awt/Component/FlipBufferStrategy/indexTGF_General
    + S8148127: IllegalArgumentException thrown by JCK test api/java_awt/Component/FlipBufferStrategy/indexTGF_General in opengl pipeline
    + S8150611: Security problem on sun.misc.resources.Messages*
    + S8157653: [Parfait] Uninitialised variable in awt_Font.cpp
    + S8158734: JEditorPane.createEditorKitForContentType throws NPE after 6882559
    + S8159684: (tz) Support tzdata2016f
    + S8160934: isnan() is not available on older MSVC compilers
    + S8162411: Service Menu services 2
    + S8162419: closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing after JDK-8155968
    + S8162511: 8u111 L10n resource file updates
    + S8162792: Remove constraint DSA keySize < 1024 from jdk.jar.disabledAlgorithms in jdk8
    + S8164452: 8u111 L10n resource file update - msgdrop 20
    + S8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm
    + S8166381: Back out changes to the java.security file to not disable MD5
  * Backports
    + S6604109, PR3162: javax.print.PrintServiceLookup.lookupPrintServices fails SOMETIMES for Cups
    + S6907252, PR3162: ZipFileInputStream Not Thread-Safe
    + S8024046, PR3162: Test sun/security/krb5/runNameEquals.sh failed on 7u45 Embedded linux-ppc*
    + S8028479, PR3162: runNameEquals still cannot precisely detect if a usable native krb5 is available
    + S8034057, PR3162: Files.getFileStore and Files.isWritable do not work with SUBST'ed drives (win)
    + S8038491, PR3162: Improve synchronization in ZipFile.read()
    + S8038502, PR3162: Deflater.needsInput() should use synchronization
    + S8059411, PR3162: RowSetWarning does not correctly chain warnings
    + S8062198, PR3162: Add RowSetMetaDataImpl Tests and add column range validation to isdefinitlyWritable
    + S8066188, PR3162: BaseRowSet returns the wrong default value for escape processing
    + S8072466, PR3162: Deadlock when initializing MulticastSocket and DatagramSocket
    + S8075118, PR3162: JVM stuck in infinite loop during verification
    + S8076579, PR3162: Popping a stack frame after exception breakpoint sets last method param to exception
    + S8078495, PR3162: End time checking for native TGT is wrong
    + S8078668, PR3162: jar usage string mentions unsupported option '-n'
    + S8080115, PR3162: (fs) Crash in libgio when calling Files.probeContentType(path) from parallel threads
    + S8081794, PR3162: ParsePosition getErrorIndex returns 0 for TimeZone parsing problem
    + S8129957, PR3162: Deadlock in JNDI LDAP implementation when closing the LDAP context
    + S8130136, PR3162: Swing window sometimes fails to repaint partially when it becomes exposed
    + S8130274, PR3162: java/nio/file/FileStore/Basic.java fails when two successive stores in an iteration are determined to be equal
    + S8132551, PR3162: Initialize local variables before returning them in p11_convert.c
    + S8133207, PR3162: [TEST_BUG] ParallelProbes.java test fails after changes for JDK-8080115
    + S8133666, PR3162: OperatingSystemMXBean reports abnormally high machine CPU consumption on Linux
    + S8135002, PR3162: Fix or remove broken links in objectMonitor.cpp comments
    + S8137121, PR3162: (fc) Infinite loop FileChannel.truncate
    + S8137230, PR3162: TEST_BUG: java/nio/channels/FileChannel/LoopingTruncate.java timed out
    + S8139373, PR3162: [TEST_BUG] java/net/MulticastSocket/MultiDead.java failed with timeout
    + S8140249, PR3162: JVM Crashing During startUp If Flight Recording is enabled
    + S8141491, PR3160, G592292: Unaligned memory access in Bits.c
    + S8144483, PR3162: One long Safepoint pause directly after each GC log rotation
    + S8149611, PR3160, G592292: Add tests for Unsafe.copySwapMemory
  * Bug fixes
    + S8078628, PR3151: Zero build fails with pre-compiled headers disabled
    + PR3128: pax-mark-vm script calls "exit -1" which is invalid in dash
    + PR3131: PaX marking fails on filesystems which don't support extended attributes
    + PR3135: Makefile.am rule stamps/add/tzdata-support-debug.stamp has a typo in add-tzdata dependency
    + PR3141: Pass $(CC) and $(CXX) to OpenJDK build
    + PR3166: invalid zip timestamp handling leads to error building bootstrap-javac
    + PR3202: Update infinality configure test
    + PR3212: Disable ARM32 JIT by default
  * CACAO
    + PR3136: CACAO is broken due to 2 new native methods in sun.misc.Unsafe (from S8158260)
  * JamVM
    + PR3134: JamVM is broken due to 2 new native methods in sun.misc.Unsafe (from S8158260)
  * AArch64 port
    + S8167200, PR3204: AArch64: Broken stack pointer adjustment in interpreter
    + S8168888: Port 8160591: Improve internal array handling to AArch64.
    + PR3211: AArch64 build fails with pre-compiled headers disabled
- Changed patch:
  * java-1_7_0-openjdk-gcc6.patch
    + Rediff to changed context
- Disable the arm32 JIT, since its build is broken (http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2942)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
    zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1727=1

- SUSE Linux Enterprise Server 12-SP2:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1727=1

- SUSE Linux Enterprise Server 12-SP1:
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1727=1

- SUSE Linux Enterprise Desktop 12-SP2:
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1727=1

- SUSE Linux Enterprise Desktop 12-SP1:
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1727=1

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
    java-1_7_0-openjdk-1.7.0.121-36.2
    java-1_7_0-openjdk-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-debugsource-1.7.0.121-36.2
    java-1_7_0-openjdk-demo-1.7.0.121-36.2
    java-1_7_0-openjdk-demo-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-devel-1.7.0.121-36.2
    java-1_7_0-openjdk-devel-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-headless-1.7.0.121-36.2
    java-1_7_0-openjdk-headless-debuginfo-1.7.0.121-36.2

- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
    java-1_7_0-openjdk-1.7.0.121-36.2
    java-1_7_0-openjdk-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-debugsource-1.7.0.121-36.2
    java-1_7_0-openjdk-demo-1.7.0.121-36.2
    java-1_7_0-openjdk-demo-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-devel-1.7.0.121-36.2
    java-1_7_0-openjdk-devel-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-headless-1.7.0.121-36.2
    java-1_7_0-openjdk-headless-debuginfo-1.7.0.121-36.2

- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
    java-1_7_0-openjdk-1.7.0.121-36.2
    java-1_7_0-openjdk-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-debugsource-1.7.0.121-36.2
    java-1_7_0-openjdk-demo-1.7.0.121-36.2
    java-1_7_0-openjdk-demo-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-devel-1.7.0.121-36.2
    java-1_7_0-openjdk-devel-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-headless-1.7.0.121-36.2
    java-1_7_0-openjdk-headless-debuginfo-1.7.0.121-36.2

- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
    java-1_7_0-openjdk-1.7.0.121-36.2
    java-1_7_0-openjdk-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-debugsource-1.7.0.121-36.2
    java-1_7_0-openjdk-headless-1.7.0.121-36.2
    java-1_7_0-openjdk-headless-debuginfo-1.7.0.121-36.2

- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
    java-1_7_0-openjdk-1.7.0.121-36.2
    java-1_7_0-openjdk-debuginfo-1.7.0.121-36.2
    java-1_7_0-openjdk-debugsource-1.7.0.121-36.2
    java-1_7_0-openjdk-headless-1.7.0.121-36.2
    java-1_7_0-openjdk-headless-debuginfo-1.7.0.121-36.2

References:

https://www.suse.com/security/cve/CVE-2016-5542.html
https://www.suse.com/security/cve/CVE-2016-5554.html
https://www.suse.com/security/cve/CVE-2016-5556.html
https://www.suse.com/security/cve/CVE-2016-5568.html
https://www.suse.com/security/cve/CVE-2016-5573.html
https://www.suse.com/security/cve/CVE-2016-5582.html
https://www.suse.com/security/cve/CVE-2016-5597.html
https://bugzilla.suse.com/1005522
https://bugzilla.suse.com/1005523
https://bugzilla.suse.com/1005524
https://bugzilla.suse.com/1005525
https://bugzilla.suse.com/1005526
https://bugzilla.suse.com/1005527
https://bugzilla.suse.com/1005528


From sle-security-updates at lists.suse.com Wed Nov 30 09:06:54 2016
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 30 Nov 2016 17:06:54 +0100 (CET)
Subject: SUSE-SU-2016:2954-1: moderate: Security update for util-linux
Message-ID: <20161130160654.5E8E4FFD0@maintenance.suse.de>

SUSE Security Update: Security update for util-linux
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2954-1
Rating:             moderate
References:         #947494 #966891 #982331 #987176 #988361 #990531 #994399
Cross-References:   CVE-2016-5011
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

An update that solves one vulnerability and has 6 fixes is now available.

Description:

This update for util-linux fixes the following issues:

- Consider redundant slashes when comparing paths (bsc#982331, util-linux-libmount-ignore-redundant-slashes.patch, affects backport of util-linux-libmount-cifs-is_mounted.patch).
- Use upstream compatibility patches for --show-pt-geometry with obsolescence and deprecation warning (bsc#990531).
- Replace cifs mount detection patch with upstream one that covers all cases (bsc#987176).
- Reuse existing loop device to prevent possible data corruption when multiple -o loop are used to mount a single file (bsc#947494).
- Safe loop re-use in libmount, mount and losetup (bsc#947494).
- UPSTREAM DIVERGENCE!!! losetup -L continues to use the SLE12 SP1 and SP2 specific meaning --logical-blocksize instead of upstream --nooverlap (bsc#966891).
- Make release-dependent conflict with old sysvinit-tools SLE specific, as it is required only for SLE 11 upgrade, and breaks openSUSE staging builds (bsc#994399).
- Extended partition loop in MBR partition table leads to DoS (bsc#988361, CVE-2016-5011).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP2:
    zypper in -t patch SUSE-SLE-WE-12-SP2-2016-1729=1

- SUSE Linux Enterprise Software Development Kit 12-SP2:
    zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1729=1

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
    zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1729=1

- SUSE Linux Enterprise Server 12-SP2:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1729=1

- SUSE Linux Enterprise Desktop 12-SP2:
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1729=1

To bring your system up-to-date, use "zypper patch".
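The walk that CVE-2016-5011 abuses is the one over the chain of Extended Boot Records (EBRs) hanging off an MBR's extended partition: each EBR carries one logical partition and, optionally, a link entry (type 0x05/0x0F) whose LBA is relative to the start of the extended container and points at the next EBR. A crafted table can make that link point back to an EBR already visited, so a parser that follows links unconditionally never terminates, which is the denial of service the advisory describes. The C program below is an added example, not util-linux code and not the upstream fix (whose details this advisory does not show): it builds a 16-sector in-memory disk image with a two-EBR chain, optionally closes the chain into a loop, and walks it with a parser that refuses to revisit an EBR sector, rejects links that leave the extended container or the disk, and caps the chain length as a last line of defence. The sector layout, the EXT_START/EXT_SIZE values and the WALK_* status codes are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define NSECTORS    16          /* constructed disk image: 16 sectors, 8 KiB */
#define PT_OFFSET   446         /* partition table offset inside an MBR or EBR */
#define MAX_EBRS    128         /* hard cap on chain length (defence in depth) */
#define EXT_START   2u          /* constructed layout: extended container at LBA 2 ... */
#define EXT_SIZE    10u         /* ... spanning 10 sectors */

enum { WALK_OK = 0, WALK_LOOP = -1, WALK_BAD = -2 };

struct walk_result {
    int status;          /* WALK_OK, WALK_LOOP or WALK_BAD */
    unsigned logical;    /* logical partitions seen before stopping */
    unsigned ebrs;       /* EBR sectors parsed */
};

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static int is_extended(unsigned char type)
{
    return type == 0x05 || type == 0x0f || type == 0x85;
}

/* Fill one 16-byte partition entry (slot 0..3) of a 512-byte MBR/EBR and set the 0x55AA signature.
 * CHS fields are left zero; only the LBA fields matter to the walker. */
static void set_entry(unsigned char *sect, int slot, unsigned char type, uint32_t lba, uint32_t size)
{
    unsigned char *e = sect + PT_OFFSET + slot * 16;
    memset(e, 0, 16);
    e[4] = type;
    put_le32(e + 8, lba);     /* in an EBR link entry this is relative to EXT_START */
    put_le32(e + 12, size);
    sect[510] = 0x55;
    sect[511] = 0xaa;
}

/* Constructed image: MBR -> EBR at LBA 2 -> EBR at LBA 4. With make_loop, the second EBR links back to the first. */
static void build_image(unsigned char *img, int make_loop)
{
    unsigned char *mbr  = img;
    unsigned char *ebr1 = img + EXT_START * SECTOR_SIZE;
    unsigned char *ebr2 = img + (EXT_START + 2) * SECTOR_SIZE;

    memset(img, 0, (size_t)NSECTORS * SECTOR_SIZE);
    set_entry(mbr,  0, 0x83, 1, 1);                 /* primary Linux partition */
    set_entry(mbr,  1, 0x05, EXT_START, EXT_SIZE);  /* extended container */
    set_entry(ebr1, 0, 0x83, 1, 1);                 /* logical #1 */
    set_entry(ebr1, 1, 0x05, 2, 2);                 /* link: next EBR at EXT_START + 2 */
    set_entry(ebr2, 0, 0x83, 1, 1);                 /* logical #2 */
    if (make_loop)
        set_entry(ebr2, 1, 0x05, 0, 2);             /* link back to EXT_START + 0, i.e. ebr1 */
}

/* Walk the EBR chain; stop on loop, out-of-range link, bad signature or over-long chain. */
struct walk_result walk_extended(const unsigned char *img, uint32_t nsectors, uint32_t ext_start, uint32_t ext_size)
{
    struct walk_result r = { WALK_OK, 0, 0 };
    uint32_t seen[MAX_EBRS];
    uint32_t cur = ext_start;

    for (;;) {
        const unsigned char *s;
        uint32_t next = 0;
        int have_next = 0, i;

        /* the EBR must lie on the disk and inside the extended container */
        if (cur >= nsectors || cur < ext_start || cur - ext_start >= ext_size) {
            r.status = WALK_BAD;
            return r;
        }
        /* loop check: never parse the same EBR sector twice; also cap the chain length */
        for (i = 0; (unsigned)i < r.ebrs; i++)
            if (seen[i] == cur) { r.status = WALK_LOOP; return r; }
        if (r.ebrs == MAX_EBRS) { r.status = WALK_LOOP; return r; }
        seen[r.ebrs++] = cur;

        s = img + (size_t)cur * SECTOR_SIZE;
        if (s[510] != 0x55 || s[511] != 0xaa) { r.status = WALK_BAD; return r; }

        for (i = 0; i < 4; i++) {
            const unsigned char *e = s + PT_OFFSET + i * 16;
            unsigned char type = e[4];
            uint32_t rel = get_le32(e + 8), size = get_le32(e + 12);
            if (type == 0 || size == 0) continue;
            if (!is_extended(type)) { r.logical++; continue; }
            if (rel >= ext_size) { r.status = WALK_BAD; return r; }   /* link leaves the container */
            if (!have_next) { next = ext_start + rel; have_next = 1; }
        }
        if (!have_next)
            return r;            /* end of chain */
        cur = next;
    }
}

static unsigned char g_img[NSECTORS * SECTOR_SIZE];

int demo_status(int make_loop)
{
    build_image(g_img, make_loop);
    return walk_extended(g_img, NSECTORS, EXT_START, EXT_SIZE).status;
}

unsigned demo_logical(int make_loop)
{
    build_image(g_img, make_loop);
    return walk_extended(g_img, NSECTORS, EXT_START, EXT_SIZE).logical;
}

int main(void)
{
    printf("well-formed chain: status %d, %u logical partitions\n", demo_status(0), demo_logical(0));
    printf("looping chain:     status %d (WALK_LOOP is %d)\n", demo_status(1), WALK_LOOP);
    return 0;
}
```

Without the seen[] check and the per-link range test, the looping image makes the same walker spin between LBA 2 and LBA 4 forever; the MAX_EBRS cap alone would also stop it, but only after 128 iterations, and it would not distinguish a hostile table from a merely long one, which is why the explicit revisit check is the primary control.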
Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP2 (x86_64):
    libuuid-devel-2.28-42.1
    util-linux-debuginfo-2.28-42.1
    util-linux-debugsource-2.28-42.1

- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
    libblkid-devel-2.28-42.1
    libmount-devel-2.28-42.1
    libsmartcols-devel-2.28-42.1
    libuuid-devel-2.28-42.1
    util-linux-debuginfo-2.28-42.1
    util-linux-debugsource-2.28-42.1

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
    libblkid1-2.28-42.1
    libblkid1-debuginfo-2.28-42.1
    libfdisk1-2.28-42.1
    libfdisk1-debuginfo-2.28-42.1
    libmount1-2.28-42.1
    libmount1-debuginfo-2.28-42.1
    libsmartcols1-2.28-42.1
    libsmartcols1-debuginfo-2.28-42.1
    libuuid1-2.28-42.1
    libuuid1-debuginfo-2.28-42.1
    python-libmount-2.28-42.4
    python-libmount-debuginfo-2.28-42.4
    python-libmount-debugsource-2.28-42.4
    util-linux-2.28-42.1
    util-linux-debuginfo-2.28-42.1
    util-linux-debugsource-2.28-42.1
    util-linux-systemd-2.28-42.3
    util-linux-systemd-debuginfo-2.28-42.3
    util-linux-systemd-debugsource-2.28-42.3
    uuidd-2.28-42.3
    uuidd-debuginfo-2.28-42.3

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):
    util-linux-lang-2.28-42.1

- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
    libblkid1-2.28-42.1
    libblkid1-debuginfo-2.28-42.1
    libfdisk1-2.28-42.1
    libfdisk1-debuginfo-2.28-42.1
    libmount1-2.28-42.1
    libmount1-debuginfo-2.28-42.1
    libsmartcols1-2.28-42.1
    libsmartcols1-debuginfo-2.28-42.1
    libuuid1-2.28-42.1
    libuuid1-debuginfo-2.28-42.1
    python-libmount-2.28-42.4
    python-libmount-debuginfo-2.28-42.4
    python-libmount-debugsource-2.28-42.4
    util-linux-2.28-42.1
    util-linux-debuginfo-2.28-42.1
    util-linux-debugsource-2.28-42.1
    util-linux-systemd-2.28-42.3
    util-linux-systemd-debuginfo-2.28-42.3
    util-linux-systemd-debugsource-2.28-42.3
    uuidd-2.28-42.3
    uuidd-debuginfo-2.28-42.3

- SUSE Linux Enterprise Server 12-SP2 (noarch):
    util-linux-lang-2.28-42.1

- SUSE Linux Enterprise Server 12-SP2 (x86_64):
    libblkid1-32bit-2.28-42.1
    libblkid1-debuginfo-32bit-2.28-42.1
    libmount1-32bit-2.28-42.1
    libmount1-debuginfo-32bit-2.28-42.1
    libuuid1-32bit-2.28-42.1
    libuuid1-debuginfo-32bit-2.28-42.1

- SUSE Linux Enterprise Desktop 12-SP2 (noarch):
    util-linux-lang-2.28-42.1

- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
    libblkid1-2.28-42.1
    libblkid1-32bit-2.28-42.1
    libblkid1-debuginfo-2.28-42.1
    libblkid1-debuginfo-32bit-2.28-42.1
    libfdisk1-2.28-42.1
    libfdisk1-debuginfo-2.28-42.1
    libmount1-2.28-42.1
    libmount1-32bit-2.28-42.1
    libmount1-debuginfo-2.28-42.1
    libmount1-debuginfo-32bit-2.28-42.1
    libsmartcols1-2.28-42.1
    libsmartcols1-debuginfo-2.28-42.1
    libuuid-devel-2.28-42.1
    libuuid1-2.28-42.1
    libuuid1-32bit-2.28-42.1
    libuuid1-debuginfo-2.28-42.1
    libuuid1-debuginfo-32bit-2.28-42.1
    python-libmount-2.28-42.4
    python-libmount-debuginfo-2.28-42.4
    python-libmount-debugsource-2.28-42.4
    util-linux-2.28-42.1
    util-linux-debuginfo-2.28-42.1
    util-linux-debugsource-2.28-42.1
    util-linux-systemd-2.28-42.3
    util-linux-systemd-debuginfo-2.28-42.3
    util-linux-systemd-debugsource-2.28-42.3
    uuidd-2.28-42.3
    uuidd-debuginfo-2.28-42.3

References:

https://www.suse.com/security/cve/CVE-2016-5011.html
https://bugzilla.suse.com/947494
https://bugzilla.suse.com/966891
https://bugzilla.suse.com/982331
https://bugzilla.suse.com/987176
https://bugzilla.suse.com/988361
https://bugzilla.suse.com/990531
https://bugzilla.suse.com/994399
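The Package List sections of the java-1_7_0-openjdk and util-linux advisories above give the builds that carry the fixes (java-1_7_0-openjdk 1.7.0.121-36.2; util-linux and its libraries 2.28-42.1, util-linux-systemd and uuidd 2.28-42.3, python-libmount 2.28-42.4). Applying the patch ID with zypper is the normal route, but the check that a host is actually fixed is whether the installed VERSION-RELEASE is at or above those builds, and that comparison has to follow rpm's ordering rules, not a string compare (which ranks 42.10 below 42.3). The C program below is an added example, not SUSE or rpm code: it reimplements the segment-wise comparison rpm's rpmvercmp() uses (numeric segments compared as numbers with leading zeros dropped, alphabetic segments with strcmp, a numeric segment outranking an alphabetic one, '~' sorting before everything; rpm's newer '^' rule is left out), splits VERSION-RELEASE at the first '-', and runs the check over a constructed sample of rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' output. The sample lines are invented for the example; the fixed_vr table is copied from the package lists above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Segment-wise comparison following rpmvercmp(): returns -1, 0 or 1. */
int rpm_segcmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0)
        return 0;
    while (*a || *b) {
        const char *sa, *sb;
        int isnum, la, lb, rc;

        while (*a && !isalnum((unsigned char)*a) && *a != '~') a++;   /* skip separators */
        while (*b && !isalnum((unsigned char)*b) && *b != '~') b++;
        if (*a == '~' || *b == '~') {           /* '~' sorts before anything, even end of string */
            if (*a != '~') return 1;
            if (*b != '~') return -1;
            a++; b++;
            continue;
        }
        if (!(*a && *b))
            break;
        sa = a; sb = b;
        if (isdigit((unsigned char)*a)) {       /* numeric segment in a: take digits from both */
            while (isdigit((unsigned char)*a)) a++;
            while (isdigit((unsigned char)*b)) b++;
            isnum = 1;
        } else {                                /* alphabetic segment in a */
            while (isalpha((unsigned char)*a)) a++;
            while (isalpha((unsigned char)*b)) b++;
            isnum = 0;
        }
        la = (int)(a - sa);
        lb = (int)(b - sb);
        if (lb == 0)                            /* b's segment is of the other kind: numeric wins */
            return isnum ? 1 : -1;
        if (isnum) {                            /* drop leading zeros, then the longer number is newer */
            while (la > 0 && *sa == '0') { sa++; la--; }
            while (lb > 0 && *sb == '0') { sb++; lb--; }
            if (la != lb)
                return la > lb ? 1 : -1;
        }
        rc = strncmp(sa, sb, (size_t)(la < lb ? la : lb));
        if (rc == 0 && la != lb)
            rc = la > lb ? 1 : -1;
        if (rc != 0)
            return rc < 0 ? -1 : 1;
    }
    if (!*a && !*b)
        return 0;
    return *a ? 1 : -1;                         /* whichever still has segments left is newer */
}

/* Compare two "VERSION-RELEASE" strings: version first, then release. */
int rpm_vrcmp(const char *a, const char *b)
{
    char va[64], vb[64];
    const char *ra = strchr(a, '-'), *rb = strchr(b, '-');
    int rc;

    snprintf(va, sizeof va, "%.*s", (int)(ra ? ra - a : (long)strlen(a)), a);
    snprintf(vb, sizeof vb, "%.*s", (int)(rb ? rb - b : (long)strlen(b)), b);
    rc = rpm_segcmp(va, vb);
    if (rc != 0)
        return rc;
    return rpm_segcmp(ra ? ra + 1 : "", rb ? rb + 1 : "");
}

/* Fixed builds, copied from the package lists of the two advisories above. */
static const struct { const char *name; const char *fixed; } fixed_vr[] = {
    { "java-1_7_0-openjdk",          "1.7.0.121-36.2" },
    { "java-1_7_0-openjdk-headless", "1.7.0.121-36.2" },
    { "util-linux",                  "2.28-42.1" },
    { "libmount1",                   "2.28-42.1" },
    { "util-linux-systemd",          "2.28-42.3" },
};

/* Constructed sample of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <pkgs>` output. */
static const char *const sample_rpm_q[] = {
    "java-1_7_0-openjdk 1.7.0.111-34.1",           /* older build: still vulnerable */
    "java-1_7_0-openjdk-headless 1.7.0.121-36.2",  /* exactly the fixed build */
    "util-linux 2.28-42.1",
    "libmount1 2.28-41.3",                         /* older release: still vulnerable */
    "util-linux-systemd 2.28-42.10",               /* newer than the fix; a string compare would flag it */
};

/* Returns how many of the given "NAME VERSION-RELEASE" lines are below their fixed build. */
int count_unpatched(const char *const *lines, size_t n)
{
    int unpatched = 0;
    for (size_t i = 0; i < n; i++) {
        char name[128], vr[128];
        if (sscanf(lines[i], "%127s %127s", name, vr) != 2)
            continue;
        for (size_t j = 0; j < sizeof fixed_vr / sizeof fixed_vr[0]; j++) {
            if (strcmp(name, fixed_vr[j].name) != 0)
                continue;
            if (rpm_vrcmp(vr, fixed_vr[j].fixed) < 0) {
                printf("UNPATCHED %s %s (fixed in %s)\n", name, vr, fixed_vr[j].fixed);
                unpatched++;
            }
        }
    }
    return unpatched;
}

int demo_count(void)
{
    return count_unpatched(sample_rpm_q, sizeof sample_rpm_q / sizeof sample_rpm_q[0]);
}

int main(void)
{
    printf("%d package(s) below the fixed build\n", demo_count());
    return 0;
}
```

On a real host, feed the output of rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' for the package names in the advisory into count_unpatched(); a non-zero result means the patch ID was not actually applied (or a vendor-lock or repository mismatch left an older build in place), regardless of what zypper reports as installed patches.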