From sle-updates at lists.suse.com  Thu Jan  2 07:11:29 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 15:11:29 +0100 (CET)
Subject: SUSE-SU-2020:0002-1: moderate: Security update for openssl-1_1
Message-ID: <20200102141129.48CB5F79E@maintenance.suse.de>

   SUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0002-1
Rating:             moderate
References:         #1155346 #1157775 #1158101 #1158809
Cross-References:   CVE-2019-1551
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now available.

Description:

   This update for openssl-1_1 fixes the following issues:

   Security issue fixed:

   - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring
     procedure used in exponentiation with 512-bit moduli (bsc#1158809).

   Various FIPS-related improvements were made:

   - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
   - Port FIPS patches from SLE-12 (bsc#1158101).
   - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-2=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-2=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (x86_64):

      libopenssl-1_1-devel-32bit-1.1.0i-4.27.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      openssl-1_1-doc-1.1.0i-4.27.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_1-devel-1.1.0i-4.27.1
      libopenssl1_1-1.1.0i-4.27.1
      libopenssl1_1-debuginfo-1.1.0i-4.27.1
      libopenssl1_1-hmac-1.1.0i-4.27.1
      openssl-1_1-1.1.0i-4.27.1
      openssl-1_1-debuginfo-1.1.0i-4.27.1
      openssl-1_1-debugsource-1.1.0i-4.27.1

   - SUSE Linux Enterprise Module for Basesystem 15 (x86_64):

      libopenssl1_1-32bit-1.1.0i-4.27.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-4.27.1
      libopenssl1_1-hmac-32bit-1.1.0i-4.27.1

References:

   https://www.suse.com/security/cve/CVE-2019-1551.html
   https://bugzilla.suse.com/1155346
   https://bugzilla.suse.com/1157775
   https://bugzilla.suse.com/1158101
   https://bugzilla.suse.com/1158809

From sle-updates at lists.suse.com  Thu Jan  2 07:12:27 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 15:12:27 +0100 (CET)
Subject: SUSE-SU-2020:0001-1: moderate: Security update for java-1_8_0-ibm
Message-ID: <20200102141227.B10FAF79E@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_8_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0001-1
Rating:             moderate
References:         #1154212 #1158442
Cross-References:   CVE-2019-17631 CVE-2019-2933 CVE-2019-2945 CVE-2019-2958
                    CVE-2019-2962 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975
                    CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2988
                    CVE-2019-2989 CVE-2019-2992
                    CVE-2019-2996 CVE-2019-2999
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Legacy Software 15-SP1
                    SUSE Linux Enterprise Module for Legacy Software 15
______________________________________________________________________________

   An update that fixes 16 vulnerabilities is now available.

Description:

   This update for java-1_8_0-ibm fixes the following issues:

   - Update to Java 8.0 Service Refresh 6 [bsc#1158442, bsc#1154212]
     * Security fixes: CVE-2019-2933 CVE-2019-2945 CVE-2019-2958 CVE-2019-2962
       CVE-2019-2964 CVE-2019-2975 CVE-2019-2978 CVE-2019-2983 CVE-2019-2988
       CVE-2019-2989 CVE-2019-2992 CVE-2019-2996 CVE-2019-2999 CVE-2019-2973
       CVE-2019-2981 CVE-2019-17631

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-1=1

   - SUSE Linux Enterprise Module for Legacy Software 15:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-2020-1=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le s390x x86_64):

      java-1_8_0-ibm-demo-1.8.0_sr6.0-3.30.1
      java-1_8_0-ibm-src-1.8.0_sr6.0-3.30.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      java-1_8_0-ibm-32bit-1.8.0_sr6.0-3.30.1
      java-1_8_0-ibm-devel-32bit-1.8.0_sr6.0-3.30.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (ppc64le s390x x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-3.30.1
      java-1_8_0-ibm-devel-1.8.0_sr6.0-3.30.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr6.0-3.30.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-3.30.1

   - SUSE Linux Enterprise Module for Legacy Software 15 (ppc64le s390x x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-3.30.1
      java-1_8_0-ibm-devel-1.8.0_sr6.0-3.30.1

   - SUSE Linux Enterprise Module for Legacy Software 15 (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr6.0-3.30.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-3.30.1

References:

   https://www.suse.com/security/cve/CVE-2019-17631.html
   https://www.suse.com/security/cve/CVE-2019-2933.html
   https://www.suse.com/security/cve/CVE-2019-2945.html
   https://www.suse.com/security/cve/CVE-2019-2958.html
   https://www.suse.com/security/cve/CVE-2019-2962.html
   https://www.suse.com/security/cve/CVE-2019-2964.html
   https://www.suse.com/security/cve/CVE-2019-2973.html
   https://www.suse.com/security/cve/CVE-2019-2975.html
   https://www.suse.com/security/cve/CVE-2019-2978.html
   https://www.suse.com/security/cve/CVE-2019-2981.html
   https://www.suse.com/security/cve/CVE-2019-2983.html
   https://www.suse.com/security/cve/CVE-2019-2988.html
   https://www.suse.com/security/cve/CVE-2019-2989.html
   https://www.suse.com/security/cve/CVE-2019-2992.html
   https://www.suse.com/security/cve/CVE-2019-2996.html
   https://www.suse.com/security/cve/CVE-2019-2999.html
   https://bugzilla.suse.com/1154212
   https://bugzilla.suse.com/1158442

From sle-updates at lists.suse.com  Thu Jan  2 10:11:17 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 18:11:17 +0100 (CET)
Subject: SUSE-RU-2020:0012-1: Recommended update for dracut
Message-ID: <20200102171117.817E3F79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for dracut
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0012-1
Rating:             low
References:         #1153944
Affected Products:
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that has one recommended fix can now be installed.
Description:

   This update for dracut contains the following fix:

   - iscsiroot.sh: Clean up obsolete case statement fragments. (bsc#1153944)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-12=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-12=1

Package List:

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      dracut-044.2-10.21.1
      dracut-debuginfo-044.2-10.21.1
      dracut-debugsource-044.2-10.21.1
      dracut-fips-044.2-10.21.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

      dracut-044.2-10.21.1
      dracut-debuginfo-044.2-10.21.1
      dracut-debugsource-044.2-10.21.1

References:

   https://bugzilla.suse.com/1153944

From sle-updates at lists.suse.com  Thu Jan  2 10:12:01 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 18:12:01 +0100 (CET)
Subject: SUSE-RU-2020:0005-1: moderate: Recommended update for libgcrypt
Message-ID: <20200102171201.01C9AF79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for libgcrypt
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0005-1
Rating:             moderate
References:         #1155337 #1155338 #1155339
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that has three recommended fixes can now be installed.
Description:

   This update for libgcrypt fixes the following issues:

   Various FIPS-related improvements were made:

   - FIPS: RSA/DSA/ECDSA were missing the hashing operation (bsc#1155337).
   - Fix the following FIPS tests: basic, benchmark, bench-slope, pubkey,
     t-cv25519, t-secmem.
   - Fix test dsa-rfc6979 in FIPS mode: disabled tests on 192-bit elliptic
     curves, which are not recommended in FIPS mode.
   - Added CMAC AES and TDES FIPS self-tests (bsc#1155339, bsc#1155338).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-5=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-5=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      libgcrypt-cavs-1.8.2-6.23.1
      libgcrypt-cavs-debuginfo-1.8.2-6.23.1
      libgcrypt-debugsource-1.8.2-6.23.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      libgcrypt-debugsource-1.8.2-6.23.1
      libgcrypt-devel-1.8.2-6.23.1
      libgcrypt-devel-debuginfo-1.8.2-6.23.1
      libgcrypt20-1.8.2-6.23.1
      libgcrypt20-debuginfo-1.8.2-6.23.1
      libgcrypt20-hmac-1.8.2-6.23.1

   - SUSE Linux Enterprise Module for Basesystem 15 (x86_64):

      libgcrypt20-32bit-1.8.2-6.23.1
      libgcrypt20-32bit-debuginfo-1.8.2-6.23.1
      libgcrypt20-hmac-32bit-1.8.2-6.23.1

References:

   https://bugzilla.suse.com/1155337
   https://bugzilla.suse.com/1155338
   https://bugzilla.suse.com/1155339

From sle-updates at lists.suse.com  Thu Jan  2 10:12:53 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 18:12:53 +0100 (CET)
Subject: SUSE-RU-2020:0004-1: moderate: Recommended update for xrdp
Message-ID: <20200102171253.F2738F79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for xrdp
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0004-1
Rating:             moderate
References:         #1155952 #1157860
Affected Products:
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for xrdp fixes the following issues:

   - Fix an error that prevented the xrdp service from restarting. (bsc#1155952)
   - Don't try to create the .vnc directory if it already exists. (bsc#1157860)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-4=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-4=1

Package List:

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      xrdp-0.9.0~git.1456906198.f422461-21.21.2
      xrdp-debuginfo-0.9.0~git.1456906198.f422461-21.21.2
      xrdp-debugsource-0.9.0~git.1456906198.f422461-21.21.2

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

      xrdp-0.9.0~git.1456906198.f422461-21.21.2
      xrdp-debuginfo-0.9.0~git.1456906198.f422461-21.21.2
      xrdp-debugsource-0.9.0~git.1456906198.f422461-21.21.2

References:

   https://bugzilla.suse.com/1155952
   https://bugzilla.suse.com/1157860

From sle-updates at lists.suse.com  Thu Jan  2 10:13:39 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 18:13:39 +0100 (CET)
Subject: SUSE-RU-2020:0011-1: moderate: Recommended update for pacemaker
Message-ID: <20200102171339.B9723F79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for pacemaker
______________________________________________________________________________
Announcement ID:    SUSE-RU-2020:0011-1
Rating:             moderate
References:         #1151007
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for pacemaker fixes the following issues:

   - Fixes and improvements for the fencer. (bsc#1151007)
     - Indicate the fencing target in the logs when scheduling and executing a
       fencing command, and improve log messages.
     - Make sure concurrent fencing commands get triggered to execute.
     - Other commands and actions can no longer be blocked by pending fencing.
     - No need to check the length of a non-empty list for pending fencing actions.

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-11=1

   - SUSE Linux Enterprise High Availability 12-SP5:

      zypper in -t patch SUSE-SLE-HA-12-SP5-2020-11=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      libpacemaker-devel-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-cts-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-cts-debuginfo-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-debuginfo-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-debugsource-1.1.21+20191108.0e5203148-3.3.1

   - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):

      libpacemaker3-1.1.21+20191108.0e5203148-3.3.1
      libpacemaker3-debuginfo-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-cli-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-cli-debuginfo-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-cts-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-cts-debuginfo-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-debuginfo-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-debugsource-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-remote-1.1.21+20191108.0e5203148-3.3.1
      pacemaker-remote-debuginfo-1.1.21+20191108.0e5203148-3.3.1

References:

   https://bugzilla.suse.com/1151007

From sle-updates at lists.suse.com  Thu Jan  2 10:14:18 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 18:14:18 +0100 (CET)
Subject: SUSE-RU-2020:0007-1: moderate: Recommended update for tuned
Message-ID: <20200102171418.27EB5F79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for tuned
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0007-1
Rating:             moderate
References:         #1139249
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for tuned fixes the following issues:

   - Add support for Xen-related disks. (bsc#1139249)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-7=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      tuned-2.4.1-18.3.1

References:

   https://bugzilla.suse.com/1139249

From sle-updates at lists.suse.com  Thu Jan  2 10:14:58 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 18:14:58 +0100 (CET)
Subject: SUSE-RU-2020:0009-1: moderate: Recommended update for xfsprogs
Message-ID: <20200102171458.660BFF79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for xfsprogs
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0009-1
Rating:             moderate
References:         #1157438
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for xfsprogs fixes the following issues:

   - Remove the 'xfs_scrub_all' script from the package, and the corresponding
     dependency on Python. (bsc#1157438)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-9=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-9=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      xfsprogs-4.15.0-4.19.2
      xfsprogs-debuginfo-4.15.0-4.19.2
      xfsprogs-debugsource-4.15.0-4.19.2
      xfsprogs-devel-4.15.0-4.19.2

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      xfsprogs-4.15.0-4.19.2
      xfsprogs-debuginfo-4.15.0-4.19.2
      xfsprogs-debugsource-4.15.0-4.19.2
      xfsprogs-devel-4.15.0-4.19.2

References:

   https://bugzilla.suse.com/1157438

From sle-updates at lists.suse.com  Thu Jan  2 10:15:37 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 18:15:37 +0100 (CET)
Subject: SUSE-RU-2020:0006-1: moderate: Recommended update for pacemaker
Message-ID: <20200102171537.30AF6F79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for pacemaker
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0006-1
Rating:             moderate
References:         #1032511 #1085515 #1094208 #1107270 #1114840 #1117381
                    #1117934 #1121272 #1121808 #1127716 #1128374 #1128772
                    #1130122 #1133866 #1136712 #1157232 #974108
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP2
______________________________________________________________________________

   An update that has 17 recommended fixes can now be installed.

Description:

   This update for pacemaker fixes the following issues:

   - Fix for scheduler: wait for probe actions to be complete, preventing an
     unnecessary restart/re-promote of dependent resources.
     (bsc#1130122, bsc#1032511)
   - Fix confirming cancellation of failed monitors and improve recurring
     action messages. (bsc#1133866, bsc#1157232)
   - Return an error when applying XML diffs containing unknown operations and
     avoid a possible use-of-NULL. (bsc#1127716)
   - Fix for deleting the guard hash table, preventing a crash during update.
     (bsc#1136712)
   - Avoid use-of-NULL when searching for a remote node. (bsc#1128772)
   - Delete resource from lrmd when appropriate. (bsc#1117381, bsc#1157232)
   - Respect order constraints when relevant resources are being probed.
     (bsc#1117934, bsc#1128374)
   - CTS: don't require nodes to be specified if only listing tests.
     (bsc#1114840)
   - cts-exec: still run the tests for the other resource classes even without
     the python systemd bindings. (bsc#1121808)
   - Clear constraints on cluster nodes and resume any possibly frozen remote
     nodes. (bsc#1121272)
   - Handle fencing requested with a nodeid by utilizing the membership cache
     of known nodes. (bsc#1094208, bsc#1107270, bsc#974108)
   - Add an option to manually confirm that unseen nodes are down.
     (bsc#1094208, bsc#1107270)
   - Set "symmetrical" defaults to "false" for serialize orders. (bsc#1085515)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP2:

      zypper in -t patch SUSE-SLE-HA-12-SP2-2020-6=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):

      libpacemaker3-1.1.15-23.6.1
      libpacemaker3-debuginfo-1.1.15-23.6.1
      pacemaker-1.1.15-23.6.1
      pacemaker-cli-1.1.15-23.6.1
      pacemaker-cli-debuginfo-1.1.15-23.6.1
      pacemaker-cts-1.1.15-23.6.1
      pacemaker-cts-debuginfo-1.1.15-23.6.1
      pacemaker-debuginfo-1.1.15-23.6.1
      pacemaker-debugsource-1.1.15-23.6.1
      pacemaker-remote-1.1.15-23.6.1
      pacemaker-remote-debuginfo-1.1.15-23.6.1

References:

   https://bugzilla.suse.com/1032511
   https://bugzilla.suse.com/1085515
   https://bugzilla.suse.com/1094208
   https://bugzilla.suse.com/1107270
   https://bugzilla.suse.com/1114840
   https://bugzilla.suse.com/1117381
   https://bugzilla.suse.com/1117934
   https://bugzilla.suse.com/1121272
   https://bugzilla.suse.com/1121808
   https://bugzilla.suse.com/1127716
   https://bugzilla.suse.com/1128374
   https://bugzilla.suse.com/1128772
   https://bugzilla.suse.com/1130122
   https://bugzilla.suse.com/1133866
   https://bugzilla.suse.com/1136712
   https://bugzilla.suse.com/1157232
   https://bugzilla.suse.com/974108

From sle-updates at lists.suse.com  Thu Jan  2 10:18:21 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 18:18:21 +0100 (CET)
Subject: SUSE-RU-2020:0010-1: moderate: Recommended update for gcc7
Message-ID: <20200102171821.794E2F79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for gcc7
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0010-1
Rating:             moderate
References:         #1146475
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for gcc7 fixes the following issues:

   - Fix miscompilation with thread-safe local static initialization (gcc#85887).
   - Fix debug info created for array definitions that complete an earlier
     declaration (bsc#1146475).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-10=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-10=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-10=1

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-10=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-10=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-10=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      cross-arm-gcc7-7.5.0+r278197-4.12.1
      cross-arm-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-arm-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-arm-none-gcc7-bootstrap-7.5.0+r278197-4.12.1
      cross-arm-none-gcc7-bootstrap-debuginfo-7.5.0+r278197-4.12.1
      cross-arm-none-gcc7-bootstrap-debugsource-7.5.0+r278197-4.12.1
      cross-avr-gcc7-bootstrap-7.5.0+r278197-4.12.1
      cross-avr-gcc7-bootstrap-debuginfo-7.5.0+r278197-4.12.1
      cross-avr-gcc7-bootstrap-debugsource-7.5.0+r278197-4.12.1
      cross-epiphany-gcc7-bootstrap-7.5.0+r278197-4.12.1
      cross-epiphany-gcc7-bootstrap-debuginfo-7.5.0+r278197-4.12.1
      cross-epiphany-gcc7-bootstrap-debugsource-7.5.0+r278197-4.12.1
      cross-hppa-gcc7-7.5.0+r278197-4.12.1
      cross-hppa-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-hppa-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-hppa-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-i386-gcc7-7.5.0+r278197-4.12.1
      cross-i386-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-i386-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-i386-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-m68k-gcc7-7.5.0+r278197-4.12.1
      cross-m68k-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-m68k-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-m68k-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-mips-gcc7-7.5.0+r278197-4.12.1
      cross-mips-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-mips-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-mips-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-ppc64-gcc7-7.5.0+r278197-4.12.1
      cross-ppc64-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-ppc64-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-ppc64-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-rx-gcc7-bootstrap-7.5.0+r278197-4.12.1
      cross-rx-gcc7-bootstrap-debuginfo-7.5.0+r278197-4.12.1
      cross-rx-gcc7-bootstrap-debugsource-7.5.0+r278197-4.12.1
      cross-sparc-gcc7-7.5.0+r278197-4.12.1
      cross-sparc-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-sparc-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-sparc64-gcc7-7.5.0+r278197-4.12.1
      cross-sparc64-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-sparc64-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-sparc64-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-sparcv9-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      gcc7-debuginfo-7.5.0+r278197-4.12.1
      gcc7-debugsource-7.5.0+r278197-4.12.1
      gcc7-go-7.5.0+r278197-4.12.1
      gcc7-go-debuginfo-7.5.0+r278197-4.12.1
      gcc7-obj-c++-7.5.0+r278197-4.12.1
      gcc7-obj-c++-debuginfo-7.5.0+r278197-4.12.1
      gcc7-testresults-7.5.0+r278197-4.12.1
      libatomic1-gcc7-7.5.0+r278197-4.12.1
      libatomic1-gcc7-debuginfo-7.5.0+r278197-4.12.1
      libgcc_s1-gcc7-7.5.0+r278197-4.12.1
      libgcc_s1-gcc7-debuginfo-7.5.0+r278197-4.12.1
      libgo11-7.5.0+r278197-4.12.1
      libgo11-debuginfo-7.5.0+r278197-4.12.1
      libgomp1-gcc7-7.5.0+r278197-4.12.1
      libgomp1-gcc7-debuginfo-7.5.0+r278197-4.12.1
      libitm1-gcc7-7.5.0+r278197-4.12.1
      libitm1-gcc7-debuginfo-7.5.0+r278197-4.12.1
      libstdc++6-gcc7-7.5.0+r278197-4.12.1
      libstdc++6-gcc7-debuginfo-7.5.0+r278197-4.12.1
      libstdc++6-gcc7-locale-7.5.0+r278197-4.12.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le x86_64):

      cross-s390x-gcc7-7.5.0+r278197-4.12.1
      cross-s390x-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-s390x-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-s390x-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      liblsan0-gcc7-7.5.0+r278197-4.12.1
      liblsan0-gcc7-debuginfo-7.5.0+r278197-4.12.1
      libtsan0-gcc7-7.5.0+r278197-4.12.1
      libtsan0-gcc7-debuginfo-7.5.0+r278197-4.12.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x):

      cross-x86_64-gcc7-7.5.0+r278197-4.12.1
      cross-x86_64-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-x86_64-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-x86_64-gcc7-icecream-backend-7.5.0+r278197-4.12.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 s390x x86_64):

      cross-ppc64le-gcc7-7.5.0+r278197-4.12.1
      cross-ppc64le-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-ppc64le-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-ppc64le-gcc7-icecream-backend-7.5.0+r278197-4.12.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le s390x x86_64):

      cross-aarch64-gcc7-7.5.0+r278197-4.12.1
      cross-aarch64-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-aarch64-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-aarch64-gcc7-icecream-backend-7.5.0+r278197-4.12.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x x86_64):
      gcc7-ada-32bit-7.5.0+r278197-4.12.1
      gcc7-go-32bit-7.5.0+r278197-4.12.1
      gcc7-obj-c++-32bit-7.5.0+r278197-4.12.1
      gcc7-objc-32bit-7.5.0+r278197-4.12.1
      libada7-32bit-7.5.0+r278197-4.12.1
      libada7-32bit-debuginfo-7.5.0+r278197-4.12.1
      libatomic1-gcc7-32bit-7.5.0+r278197-4.12.1
      libatomic1-gcc7-32bit-debuginfo-7.5.0+r278197-4.12.1
      libgcc_s1-gcc7-32bit-7.5.0+r278197-4.12.1
      libgcc_s1-gcc7-32bit-debuginfo-7.5.0+r278197-4.12.1
      libgo11-32bit-7.5.0+r278197-4.12.1
      libgo11-32bit-debuginfo-7.5.0+r278197-4.12.1
      libgomp1-gcc7-32bit-7.5.0+r278197-4.12.1
      libgomp1-gcc7-32bit-debuginfo-7.5.0+r278197-4.12.1
      libitm1-gcc7-32bit-7.5.0+r278197-4.12.1
      libitm1-gcc7-32bit-debuginfo-7.5.0+r278197-4.12.1
      libobjc4-32bit-7.5.0+r278197-4.12.1
      libobjc4-32bit-debuginfo-7.5.0+r278197-4.12.1
      libstdc++6-gcc7-32bit-7.5.0+r278197-4.12.1
      libstdc++6-gcc7-32bit-debuginfo-7.5.0+r278197-4.12.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      libmpx2-gcc7-32bit-7.5.0+r278197-4.12.1
      libmpx2-gcc7-32bit-debuginfo-7.5.0+r278197-4.12.1
      libmpx2-gcc7-7.5.0+r278197-4.12.1
      libmpx2-gcc7-debuginfo-7.5.0+r278197-4.12.1
      libmpxwrappers2-gcc7-32bit-7.5.0+r278197-4.12.1
      libmpxwrappers2-gcc7-32bit-debuginfo-7.5.0+r278197-4.12.1
      libmpxwrappers2-gcc7-7.5.0+r278197-4.12.1
      libmpxwrappers2-gcc7-debuginfo-7.5.0+r278197-4.12.1
      libquadmath0-gcc7-32bit-7.5.0+r278197-4.12.1
      libquadmath0-gcc7-32bit-debuginfo-7.5.0+r278197-4.12.1
      libquadmath0-gcc7-7.5.0+r278197-4.12.1
      libquadmath0-gcc7-debuginfo-7.5.0+r278197-4.12.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x):

      gcc7-32bit-7.5.0+r278197-4.12.1
      gcc7-c++-32bit-7.5.0+r278197-4.12.1
      gcc7-fortran-32bit-7.5.0+r278197-4.12.1
      libasan4-32bit-7.5.0+r278197-4.12.1
      libasan4-32bit-debuginfo-7.5.0+r278197-4.12.1
      libgfortran4-32bit-7.5.0+r278197-4.12.1
      libgfortran4-32bit-debuginfo-7.5.0+r278197-4.12.1
      libstdc++6-devel-gcc7-32bit-7.5.0+r278197-4.12.1
      libubsan0-32bit-7.5.0+r278197-4.12.1
      libubsan0-32bit-debuginfo-7.5.0+r278197-4.12.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      cross-arm-gcc7-7.5.0+r278197-4.12.1
      cross-arm-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-arm-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-arm-none-gcc7-bootstrap-7.5.0+r278197-4.12.1
      cross-arm-none-gcc7-bootstrap-debuginfo-7.5.0+r278197-4.12.1
      cross-arm-none-gcc7-bootstrap-debugsource-7.5.0+r278197-4.12.1
      cross-avr-gcc7-bootstrap-7.5.0+r278197-4.12.1
      cross-avr-gcc7-bootstrap-debuginfo-7.5.0+r278197-4.12.1
      cross-avr-gcc7-bootstrap-debugsource-7.5.0+r278197-4.12.1
      cross-epiphany-gcc7-bootstrap-7.5.0+r278197-4.12.1
      cross-epiphany-gcc7-bootstrap-debuginfo-7.5.0+r278197-4.12.1
      cross-epiphany-gcc7-bootstrap-debugsource-7.5.0+r278197-4.12.1
      cross-hppa-gcc7-7.5.0+r278197-4.12.1
      cross-hppa-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-hppa-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-hppa-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-i386-gcc7-7.5.0+r278197-4.12.1
      cross-i386-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-i386-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-i386-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-m68k-gcc7-7.5.0+r278197-4.12.1
      cross-m68k-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-m68k-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-m68k-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-mips-gcc7-7.5.0+r278197-4.12.1
      cross-mips-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-mips-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-mips-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-ppc64-gcc7-7.5.0+r278197-4.12.1
      cross-ppc64-gcc7-debuginfo-7.5.0+r278197-4.12.1
      cross-ppc64-gcc7-debugsource-7.5.0+r278197-4.12.1
      cross-ppc64-gcc7-icecream-backend-7.5.0+r278197-4.12.1
      cross-rx-gcc7-bootstrap-7.5.0+r278197-4.12.1
      cross-rx-gcc7-bootstrap-debuginfo-7.5.0+r278197-4.12.1
      cross-rx-gcc7-bootstrap-debugsource-7.5.0+r278197-4.12.1
      cross-sparc-gcc7-7.5.0+r278197-4.12.1
      cross-sparc-gcc7-debuginfo-7.5.0+r278197-4.12.1
cross-sparc-gcc7-debugsource-7.5.0+r278197-4.12.1 cross-sparc64-gcc7-7.5.0+r278197-4.12.1 cross-sparc64-gcc7-debuginfo-7.5.0+r278197-4.12.1 cross-sparc64-gcc7-debugsource-7.5.0+r278197-4.12.1 cross-sparc64-gcc7-icecream-backend-7.5.0+r278197-4.12.1 cross-sparcv9-gcc7-icecream-backend-7.5.0+r278197-4.12.1 gcc7-debuginfo-7.5.0+r278197-4.12.1 gcc7-debugsource-7.5.0+r278197-4.12.1 gcc7-go-7.5.0+r278197-4.12.1 gcc7-go-debuginfo-7.5.0+r278197-4.12.1 gcc7-obj-c++-7.5.0+r278197-4.12.1 gcc7-obj-c++-debuginfo-7.5.0+r278197-4.12.1 gcc7-testresults-7.5.0+r278197-4.12.1 libgo11-7.5.0+r278197-4.12.1 libgo11-debuginfo-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (s390x x86_64): gcc7-ada-32bit-7.5.0+r278197-4.12.1 gcc7-go-32bit-7.5.0+r278197-4.12.1 gcc7-obj-c++-32bit-7.5.0+r278197-4.12.1 gcc7-objc-32bit-7.5.0+r278197-4.12.1 libada7-32bit-7.5.0+r278197-4.12.1 libada7-7.5.0+r278197-4.12.1 libada7-debuginfo-7.5.0+r278197-4.12.1 libgo11-32bit-7.5.0+r278197-4.12.1 libobjc4-32bit-7.5.0+r278197-4.12.1 libobjc4-7.5.0+r278197-4.12.1 libobjc4-debuginfo-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (s390x): gcc7-32bit-7.5.0+r278197-4.12.1 gcc7-c++-32bit-7.5.0+r278197-4.12.1 gcc7-fortran-32bit-7.5.0+r278197-4.12.1 libasan4-32bit-7.5.0+r278197-4.12.1 libgfortran4-32bit-7.5.0+r278197-4.12.1 libstdc++6-devel-gcc7-32bit-7.5.0+r278197-4.12.1 libubsan0-32bit-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): gcc7-ada-7.5.0+r278197-4.12.1 gcc7-ada-debuginfo-7.5.0+r278197-4.12.1 gcc7-debuginfo-7.5.0+r278197-4.12.1 gcc7-debugsource-7.5.0+r278197-4.12.1 gcc7-locale-7.5.0+r278197-4.12.1 gcc7-objc-7.5.0+r278197-4.12.1 gcc7-objc-debuginfo-7.5.0+r278197-4.12.1 libada7-7.5.0+r278197-4.12.1 libada7-debuginfo-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (x86_64): cross-nvptx-gcc7-7.5.0+r278197-4.12.1 
cross-nvptx-newlib7-devel-7.5.0+r278197-4.12.1 gcc7-32bit-7.5.0+r278197-4.12.1 gcc7-c++-32bit-7.5.0+r278197-4.12.1 gcc7-fortran-32bit-7.5.0+r278197-4.12.1 libasan4-32bit-7.5.0+r278197-4.12.1 libasan4-32bit-debuginfo-7.5.0+r278197-4.12.1 libcilkrts5-32bit-7.5.0+r278197-4.12.1 libcilkrts5-32bit-debuginfo-7.5.0+r278197-4.12.1 libstdc++6-devel-gcc7-32bit-7.5.0+r278197-4.12.1 libubsan0-32bit-7.5.0+r278197-4.12.1 libubsan0-32bit-debuginfo-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch): gcc7-info-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64): gcc7-ada-7.5.0+r278197-4.12.1 gcc7-ada-debuginfo-7.5.0+r278197-4.12.1 gcc7-debuginfo-7.5.0+r278197-4.12.1 gcc7-debugsource-7.5.0+r278197-4.12.1 gcc7-locale-7.5.0+r278197-4.12.1 gcc7-objc-7.5.0+r278197-4.12.1 gcc7-objc-debuginfo-7.5.0+r278197-4.12.1 libada7-7.5.0+r278197-4.12.1 libada7-debuginfo-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Development Tools 15 (x86_64): cross-nvptx-gcc7-7.5.0+r278197-4.12.1 cross-nvptx-newlib7-devel-7.5.0+r278197-4.12.1 gcc7-32bit-7.5.0+r278197-4.12.1 gcc7-c++-32bit-7.5.0+r278197-4.12.1 gcc7-fortran-32bit-7.5.0+r278197-4.12.1 libasan4-32bit-7.5.0+r278197-4.12.1 libasan4-32bit-debuginfo-7.5.0+r278197-4.12.1 libcilkrts5-32bit-7.5.0+r278197-4.12.1 libcilkrts5-32bit-debuginfo-7.5.0+r278197-4.12.1 libstdc++6-devel-gcc7-32bit-7.5.0+r278197-4.12.1 libubsan0-32bit-7.5.0+r278197-4.12.1 libubsan0-32bit-debuginfo-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Development Tools 15 (noarch): gcc7-info-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): cpp7-7.5.0+r278197-4.12.1 cpp7-debuginfo-7.5.0+r278197-4.12.1 gcc7-7.5.0+r278197-4.12.1 gcc7-c++-7.5.0+r278197-4.12.1 gcc7-c++-debuginfo-7.5.0+r278197-4.12.1 gcc7-debuginfo-7.5.0+r278197-4.12.1 gcc7-debugsource-7.5.0+r278197-4.12.1 gcc7-fortran-7.5.0+r278197-4.12.1 
gcc7-fortran-debuginfo-7.5.0+r278197-4.12.1 libasan4-7.5.0+r278197-4.12.1 libasan4-debuginfo-7.5.0+r278197-4.12.1 libgfortran4-7.5.0+r278197-4.12.1 libgfortran4-debuginfo-7.5.0+r278197-4.12.1 libobjc4-7.5.0+r278197-4.12.1 libobjc4-debuginfo-7.5.0+r278197-4.12.1 libstdc++6-devel-gcc7-7.5.0+r278197-4.12.1 libubsan0-7.5.0+r278197-4.12.1 libubsan0-debuginfo-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libcilkrts5-7.5.0+r278197-4.12.1 libcilkrts5-debuginfo-7.5.0+r278197-4.12.1 libgfortran4-32bit-7.5.0+r278197-4.12.1 libgfortran4-32bit-debuginfo-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): cpp7-7.5.0+r278197-4.12.1 cpp7-debuginfo-7.5.0+r278197-4.12.1 gcc7-7.5.0+r278197-4.12.1 gcc7-c++-7.5.0+r278197-4.12.1 gcc7-c++-debuginfo-7.5.0+r278197-4.12.1 gcc7-debuginfo-7.5.0+r278197-4.12.1 gcc7-debugsource-7.5.0+r278197-4.12.1 gcc7-fortran-7.5.0+r278197-4.12.1 gcc7-fortran-debuginfo-7.5.0+r278197-4.12.1 libasan4-7.5.0+r278197-4.12.1 libasan4-debuginfo-7.5.0+r278197-4.12.1 libgfortran4-7.5.0+r278197-4.12.1 libgfortran4-debuginfo-7.5.0+r278197-4.12.1 libobjc4-7.5.0+r278197-4.12.1 libobjc4-debuginfo-7.5.0+r278197-4.12.1 libstdc++6-devel-gcc7-7.5.0+r278197-4.12.1 libubsan0-7.5.0+r278197-4.12.1 libubsan0-debuginfo-7.5.0+r278197-4.12.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libcilkrts5-7.5.0+r278197-4.12.1 libcilkrts5-debuginfo-7.5.0+r278197-4.12.1 libgfortran4-32bit-7.5.0+r278197-4.12.1 libgfortran4-32bit-debuginfo-7.5.0+r278197-4.12.1 References: https://bugzilla.suse.com/1146475 From sle-updates at lists.suse.com Thu Jan 2 10:19:06 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 2 Jan 2020 18:19:06 +0100 (CET) Subject: SUSE-RU-2020:0003-1: moderate: Recommended update for resource-agents Message-ID: <20200102171906.A5633F79E@maintenance.suse.de> SUSE Recommended Update: Recommended update for resource-agents 
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0003-1
Rating:             moderate
References:         #1153889 #1157709
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

An update that has two recommended fixes can now be installed.

Description:

This update for resource-agents fixes the following issues:

- The incorrect condition results in a nonsense call of the info command,
  which is where the unexpected messages come from. (bsc#1153889)
- Fixed readlink output when a mountpoint did not exist (bsc#1157709)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability 12-SP5:
   zypper in -t patch SUSE-SLE-HA-12-SP5-2020-3=1
- SUSE Linux Enterprise High Availability 12-SP4:
   zypper in -t patch SUSE-SLE-HA-12-SP4-2020-3=1

Package List:

- SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):
   ldirectord-4.3.018.a7fb5035-3.33.1
   resource-agents-4.3.018.a7fb5035-3.33.1
   resource-agents-debuginfo-4.3.018.a7fb5035-3.33.1
   resource-agents-debugsource-4.3.018.a7fb5035-3.33.1
- SUSE Linux Enterprise High Availability 12-SP5 (noarch):
   monitoring-plugins-metadata-4.3.018.a7fb5035-3.33.1
- SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):
   ldirectord-4.3.018.a7fb5035-3.33.1
   resource-agents-4.3.018.a7fb5035-3.33.1
   resource-agents-debuginfo-4.3.018.a7fb5035-3.33.1
   resource-agents-debugsource-4.3.018.a7fb5035-3.33.1
- SUSE Linux Enterprise High Availability 12-SP4 (noarch):
   monitoring-plugins-metadata-4.3.018.a7fb5035-3.33.1

References:

https://bugzilla.suse.com/1153889
https://bugzilla.suse.com/1157709

From sle-updates at lists.suse.com Thu Jan 2 10:19:53 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 2 Jan 2020 18:19:53 +0100 (CET)
Subject: SUSE-RU-2020:0008-1: moderate: Recommended update for yast2-add-on
Message-ID: <20200102171953.1CA1DF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for yast2-add-on
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0008-1
Rating:             moderate
References:         #1156528
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for yast2-add-on fixes the following issues:

- Correctly handle the user input when going back. (bsc#1156528)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-8=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
   yast2-add-on-4.1.14-3.10.3

References:

https://bugzilla.suse.com/1156528

From sle-updates at lists.suse.com Tue Jan 7 07:12:14 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 15:12:14 +0100 (CET)
Subject: SUSE-RU-2020:0018-1: moderate: Recommended update for suse-xsl-stylesheets
Message-ID: <20200107141214.B94EDF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for suse-xsl-stylesheets
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0018-1
Rating:             moderate
References:         #1052970 #1077375 #1157786
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
______________________________________________________________________________

An update that has three recommended fixes can now be installed.

Description:

This update for suse-xsl-stylesheets fixes the following issues:

- Remove 'liberation2-fonts' package from requirements. (bsc#1077375)
- Unconditionally use 'liberation-fonts' instead of liberation2-fonts. (boo#1080244)
- Add HTML bypass blocks for accessibility during writing/editing the
  documentation and release-notes in html format. (FATE#326549)
- Correct documentation link to use https and subdomain instead of http and
  subdirectory. (bsc#1157786)
- Remove 'aspell' and SUSE Dictionary from the package. (boo#1052970)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
   zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-18=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
   zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-18=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):
   suse-xsl-stylesheets-2.0.15-18.4.1
- SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch):
   suse-xsl-stylesheets-2.0.15-18.4.1

References:

https://bugzilla.suse.com/1052970
https://bugzilla.suse.com/1077375
https://bugzilla.suse.com/1157786

From sle-updates at lists.suse.com Tue Jan 7 07:13:21 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 15:13:21 +0100 (CET)
Subject: SUSE-SU-2020:0016-1: important: Security update for virglrenderer
Message-ID: <20200107141321.293A2F79E@maintenance.suse.de>

SUSE Security Update: Security update for virglrenderer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0016-1
Rating:             important
References:         #1159478 #1159479 #1159482 #1159486
Cross-References:   CVE-2019-18388 CVE-2019-18389 CVE-2019-18390 CVE-2019-18391
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Desktop 12-SP4
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for virglrenderer fixes the following issues:

- CVE-2019-18388: Fixed a NULL pointer dereference which could have led to
  denial of service (bsc#1159479).
- CVE-2019-18390: Fixed an out-of-bounds read which could have led to denial
  of service (bsc#1159478).
- CVE-2019-18389: Fixed a heap buffer overflow which could have led to guest
  escape or denial of service (bsc#1159482).
- CVE-2019-18391: Fixed a heap-based buffer overflow which could have led to
  guest escape or denial of service (bsc#1159486).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
   zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-16=1
- SUSE OpenStack Cloud 8:
   zypper in -t patch SUSE-OpenStack-Cloud-8-2020-16=1
- SUSE OpenStack Cloud 7:
   zypper in -t patch SUSE-OpenStack-Cloud-7-2020-16=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
   zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-16=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
   zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-16=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
   zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-16=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
   zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-16=1
- SUSE Linux Enterprise Server 12-SP5:
   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-16=1
- SUSE Linux Enterprise Server 12-SP4:
   zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-16=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
   zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-16=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
   zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-16=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
   zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-16=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
   zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-16=1
- SUSE Linux Enterprise Desktop 12-SP4:
   zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-16=1
- SUSE Enterprise Storage 5:
   zypper in -t patch SUSE-Storage-5-2020-16=1
- HPE Helion Openstack 8:
   zypper in -t patch HPE-Helion-OpenStack-8-2020-16=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE OpenStack Cloud 8 (x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE OpenStack Cloud 7 (s390x x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
   virglrenderer-debugsource-0.5.0-12.3.1
   virglrenderer-devel-0.5.0-12.3.1
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
   virglrenderer-debugsource-0.5.0-12.3.1
   virglrenderer-devel-0.5.0-12.3.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- SUSE Enterprise Storage 5 (aarch64 x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1
- HPE Helion Openstack 8 (x86_64):
   libvirglrenderer0-0.5.0-12.3.1
   libvirglrenderer0-debuginfo-0.5.0-12.3.1
   virglrenderer-debugsource-0.5.0-12.3.1

References:

https://www.suse.com/security/cve/CVE-2019-18388.html
https://www.suse.com/security/cve/CVE-2019-18389.html
https://www.suse.com/security/cve/CVE-2019-18390.html
https://www.suse.com/security/cve/CVE-2019-18391.html
https://bugzilla.suse.com/1159478
https://bugzilla.suse.com/1159479
https://bugzilla.suse.com/1159482
https://bugzilla.suse.com/1159486

From sle-updates at lists.suse.com Tue Jan 7 07:14:31 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 15:14:31 +0100 (CET)
Subject: SUSE-SU-2020:0017-1: important: Security update for virglrenderer
Message-ID: <20200107141431.9BD97F79E@maintenance.suse.de>

SUSE Security Update: Security update for virglrenderer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0017-1
Rating:             important
References:         #1159478 #1159479 #1159482 #1159486
Cross-References:   CVE-2019-18388 CVE-2019-18389 CVE-2019-18390 CVE-2019-18391
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
                    SUSE Linux Enterprise Module for Server Applications 15
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for virglrenderer fixes the following issues:

- CVE-2019-18388: Fixed a NULL pointer dereference which could have led to
  denial of service (bsc#1159479).
- CVE-2019-18390: Fixed an out-of-bounds read which could have led to denial
  of service (bsc#1159478).
- CVE-2019-18389: Fixed a heap buffer overflow which could have led to guest
  escape or denial of service (bsc#1159482).
- CVE-2019-18391: Fixed a heap-based buffer overflow which could have led to
  guest escape or denial of service (bsc#1159486).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP1:
   zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-17=1
- SUSE Linux Enterprise Module for Server Applications 15:
   zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2020-17=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
   zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-17=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
   zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-17=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
   libvirglrenderer0-0.6.0-4.3.1
   libvirglrenderer0-debuginfo-0.6.0-4.3.1
   virglrenderer-debuginfo-0.6.0-4.3.1
   virglrenderer-debugsource-0.6.0-4.3.1
   virglrenderer-devel-0.6.0-4.3.1
- SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64):
   libvirglrenderer0-0.6.0-4.3.1
   libvirglrenderer0-debuginfo-0.6.0-4.3.1
   virglrenderer-debuginfo-0.6.0-4.3.1
   virglrenderer-debugsource-0.6.0-4.3.1
   virglrenderer-devel-0.6.0-4.3.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
   virglrenderer-debuginfo-0.6.0-4.3.1
   virglrenderer-debugsource-0.6.0-4.3.1
   virglrenderer-test-server-0.6.0-4.3.1
   virglrenderer-test-server-debuginfo-0.6.0-4.3.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
   virglrenderer-debuginfo-0.6.0-4.3.1
   virglrenderer-debugsource-0.6.0-4.3.1
   virglrenderer-test-server-0.6.0-4.3.1
   virglrenderer-test-server-debuginfo-0.6.0-4.3.1

References:

https://www.suse.com/security/cve/CVE-2019-18388.html
https://www.suse.com/security/cve/CVE-2019-18389.html
https://www.suse.com/security/cve/CVE-2019-18390.html
https://www.suse.com/security/cve/CVE-2019-18391.html
https://bugzilla.suse.com/1159478
https://bugzilla.suse.com/1159479
https://bugzilla.suse.com/1159482
https://bugzilla.suse.com/1159486

From sle-updates at lists.suse.com Tue Jan 7 07:15:36 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 15:15:36 +0100 (CET)
Subject: SUSE-RU-2020:0015-1: moderate: Recommended update for lrbd
Message-ID: <20200107141536.E1533F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for lrbd
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0015-1
Rating:             moderate
References:         #1137518
Affected Products:
                    SUSE Enterprise Storage 6
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for lrbd fixes the following issues:

Version 2.4:

- Prevent duplicate TPG creations (bsc#1137518).

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 6:
   zypper in -t patch SUSE-Storage-6-2020-15=1

Package List:

- SUSE Enterprise Storage 6 (noarch):
   lrbd-2.4-3.6.1

References:

https://bugzilla.suse.com/1137518

From sle-updates at lists.suse.com Tue Jan 7 07:16:21 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 15:16:21 +0100 (CET)
Subject: SUSE-RU-2020:0021-1: moderate: Recommended update for openCryptoki
Message-ID: <20200107141621.DBCD2F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for openCryptoki
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0021-1
Rating:             moderate
References:         #1157205
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for openCryptoki fixes the following issues:

- Fix for avoiding core dumps during testing with multithreaded code. (bsc#1157205)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
   zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-21=1
- SUSE Linux Enterprise Server 12-SP5:
   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-21=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
   openCryptoki-debuginfo-3.11.1-5.3.1
   openCryptoki-debugsource-3.11.1-5.3.1
   openCryptoki-devel-3.11.1-5.3.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390 s390x x86_64):
   openCryptoki-3.11.1-5.3.1
   openCryptoki-debuginfo-3.11.1-5.3.1
   openCryptoki-debugsource-3.11.1-5.3.1
- SUSE Linux Enterprise Server 12-SP5 (ppc64le s390x x86_64):
   openCryptoki-64bit-3.11.1-5.3.1
- SUSE Linux Enterprise Server 12-SP5 (s390):
   openCryptoki-32bit-3.11.1-5.3.1

References:

https://bugzilla.suse.com/1157205

From sle-updates at lists.suse.com Tue Jan 7 07:17:05 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 15:17:05 +0100 (CET)
Subject: SUSE-RU-2020:0013-1: moderate: Recommended update for nfs-ganesha
Message-ID: <20200107141705.4E682F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for nfs-ganesha
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0013-1
Rating:             moderate
References:         #1131944
Affected Products:
                    SUSE Enterprise Storage 5
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for nfs-ganesha fixes the following issues:

* Fix systemd reload, send SIGHUP instead of D-Bus message (bsc#1131944)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 5:
   zypper in -t patch SUSE-Storage-5-2020-13=1

Package List:

- SUSE Enterprise Storage 5 (aarch64 x86_64):
   nfs-ganesha-2.5.5.0+git.1517219439.d8cbdf461-4.9.1
   nfs-ganesha-ceph-2.5.5.0+git.1517219439.d8cbdf461-4.9.1
   nfs-ganesha-ceph-debuginfo-2.5.5.0+git.1517219439.d8cbdf461-4.9.1
   nfs-ganesha-debuginfo-2.5.5.0+git.1517219439.d8cbdf461-4.9.1
   nfs-ganesha-debugsource-2.5.5.0+git.1517219439.d8cbdf461-4.9.1
   nfs-ganesha-rgw-2.5.5.0+git.1517219439.d8cbdf461-4.9.1
   nfs-ganesha-rgw-debuginfo-2.5.5.0+git.1517219439.d8cbdf461-4.9.1
   nfs-ganesha-utils-2.5.5.0+git.1517219439.d8cbdf461-4.9.1
   nfs-ganesha-utils-debuginfo-2.5.5.0+git.1517219439.d8cbdf461-4.9.1

References:

https://bugzilla.suse.com/1131944

From sle-updates at lists.suse.com Tue Jan 7 07:17:50 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 15:17:50 +0100 (CET)
Subject: SUSE-RU-2020:0020-1: moderate: Recommended update for lifecycle-data-sle-module-live-patching
Message-ID: <20200107141750.6A32DF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for lifecycle-data-sle-module-live-patching
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0020-1
Rating:             moderate
References:         #1020320
Affected Products:
                    SUSE Linux Enterprise Module for Live Patching 15-SP1
                    SUSE Linux Enterprise Module for Live Patching 15
                    SUSE Linux Enterprise Live Patching 12-SP5
                    SUSE Linux Enterprise Live Patching 12-SP4
                    SUSE Linux Enterprise Live Patching 12-SP3
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for lifecycle-data-sle-module-live-patching fixes the following issues:

- Added data for 4_12_14-150_38, 4_12_14-150_41, 4_12_14-197_18, 4_12_14-197_21,
  4_12_14-197_26. (bsc#1020320)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP1:
   zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-19=1
- SUSE Linux Enterprise Module for Live Patching 15:
   zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-19=1
- SUSE Linux Enterprise Live Patching 12-SP5:
   zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-20=1
- SUSE Linux Enterprise Live Patching 12-SP4:
   zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-20=1
- SUSE Linux Enterprise Live Patching 12-SP3:
   zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2020-20=1
- SUSE Linux Enterprise Live Patching 12:
   zypper in -t patch SUSE-SLE-Live-Patching-12-2020-20=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP1 (noarch):
   lifecycle-data-sle-module-live-patching-15-4.21.1
- SUSE Linux Enterprise Module for Live Patching 15 (noarch):
   lifecycle-data-sle-module-live-patching-15-4.21.1
- SUSE Linux Enterprise Live Patching 12-SP5 (noarch):
   lifecycle-data-sle-live-patching-1-10.53.1
- SUSE Linux Enterprise Live Patching 12-SP4 (noarch):
   lifecycle-data-sle-live-patching-1-10.53.1
- SUSE Linux Enterprise Live Patching 12-SP3 (noarch):
   lifecycle-data-sle-live-patching-1-10.53.1
- SUSE Linux Enterprise Live Patching 12 (noarch):
   lifecycle-data-sle-live-patching-1-10.53.1

References:

https://bugzilla.suse.com/1020320

From sle-updates at lists.suse.com Tue Jan 7 07:18:35 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 15:18:35 +0100 (CET)
Subject: SUSE-RU-2020:0014-1: moderate: Recommended update for grafana
Message-ID: <20200107141835.A9E6CF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for grafana
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0014-1
Rating:             moderate
References:         #1158846
Affected Products:
                    SUSE Enterprise Storage 6
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for grafana fixes the following issues:

- Change directory permissions and owner on the /etc/grafana/provisioning/dashboard
  tree (bsc#1158846)
  * new owner and perms are root:root 755, to match grafana 6
  * old version conflicts with packages that install dashboards

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 6:
   zypper in -t patch SUSE-Storage-6-2020-14=1

Package List:

- SUSE Enterprise Storage 6 (aarch64 x86_64):
   grafana-5.3.3-3.3.1
   grafana-debuginfo-5.3.3-3.3.1

References:

https://bugzilla.suse.com/1158846

From sle-updates at lists.suse.com Tue Jan 7 07:46:30 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 15:46:30 +0100 (CET)
Subject: SUSE-CU-2020:1-1: Security update of suse/sle15
Message-ID: <20200107144630.55FD0F7BE@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:1-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.123
Severity              : moderate
Type                  : security
References            : 1155337 1155338 1155339 1155346 1157775 1158101 1158809
                        CVE-2019-1551 SLE-8789
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2-1 Released: Thu Jan 2 09:50:04 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 Description: This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101) - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:5-1 Released: Thu Jan 2 12:33:02 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1155338,1155339 Description: This update for libgcrypt fixes the following issues: Various FIPS related improvements were done: - FIPS: RSA/DSA/ECDSA are missing hashing operation (bsc#1155337) - Fix the following FIPS tests: basic benchmark bench-slope pubkey t-cv25519 t-secmem - Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode - Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338) From sle-updates at lists.suse.com Tue Jan 7 10:11:44 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 7 Jan 2020 18:11:44 +0100 (CET) Subject: SUSE-SU-2020:0026-1: moderate: Security update for sysstat Message-ID: <20200107171144.A24CEF79E@maintenance.suse.de> SUSE Security Update: Security update for sysstat ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0026-1 Rating: moderate References: #1144923 #1159104 
Cross-References:   CVE-2019-19725
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for sysstat fixes the following issues:

   Security issue fixed:

   - CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).

   Bug fixes:

   - Enable log information of starting/stopping services. (bsc#1144923, jsc#SLE-5958)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-26=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-26=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-26=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      sysstat-12.0.2-10.36.1
      sysstat-debuginfo-12.0.2-10.36.1
      sysstat-debugsource-12.0.2-10.36.1
      sysstat-isag-12.0.2-10.36.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      sysstat-12.0.2-10.36.1
      sysstat-debuginfo-12.0.2-10.36.1
      sysstat-debugsource-12.0.2-10.36.1
      sysstat-isag-12.0.2-10.36.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

      sysstat-12.0.2-10.36.1
      sysstat-debuginfo-12.0.2-10.36.1
      sysstat-debugsource-12.0.2-10.36.1

References:

   https://www.suse.com/security/cve/CVE-2019-19725.html
   https://bugzilla.suse.com/1144923
   https://bugzilla.suse.com/1159104

From sle-updates at lists.suse.com Tue Jan 7 10:12:42 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 18:12:42 +0100 (CET)
Subject: SUSE-SU-2020:0024-1: moderate: Security update for java-1_8_0-ibm
Message-ID:
<20200107171242.2566EF79E@maintenance.suse.de>

SUSE Security Update: Security update for java-1_8_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0024-1
Rating:             moderate
References:         #1154212 #1158442
Cross-References:   CVE-2019-17631 CVE-2019-2933 CVE-2019-2945 CVE-2019-2958
                    CVE-2019-2962 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975
                    CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2988
                    CVE-2019-2989 CVE-2019-2992 CVE-2019-2996 CVE-2019-2999
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes 16 vulnerabilities is now available.

Description:

   This update for java-1_8_0-ibm fixes the following issues:

   - Update to Java 8.0 Service Refresh 6 [bsc#1158442, bsc#1154212]
     * Security fixes: CVE-2019-2933 CVE-2019-2945 CVE-2019-2958 CVE-2019-2962
       CVE-2019-2964 CVE-2019-2975 CVE-2019-2978 CVE-2019-2983 CVE-2019-2988
       CVE-2019-2989 CVE-2019-2992 CVE-2019-2996 CVE-2019-2999 CVE-2019-2973
       CVE-2019-2981 CVE-2019-17631

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-24=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-24=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-24=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-24=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-24=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-24=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-24=1

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-24=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-24=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-24=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-24=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-24=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-24=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-24=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-24=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-24=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-24=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE OpenStack Cloud 8 (x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):
      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-devel-1.8.0_sr6.0-30.60.1

   - SUSE OpenStack Cloud 7 (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (ppc64le s390x x86_64):

      java-1_8_0-ibm-devel-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (ppc64le s390x x86_64):

      java-1_8_0-ibm-devel-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-devel-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-devel-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP5 (ppc64le s390x x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP5 (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP4 (ppc64le s390x x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP4 (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le s390x x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-devel-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-devel-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-devel-1.8.0_sr6.0-30.60.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - SUSE Enterprise Storage 5 (x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

   - HPE Helion Openstack 8 (x86_64):

      java-1_8_0-ibm-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.0-30.60.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.0-30.60.1

References:

   https://www.suse.com/security/cve/CVE-2019-17631.html
   https://www.suse.com/security/cve/CVE-2019-2933.html
   https://www.suse.com/security/cve/CVE-2019-2945.html
   https://www.suse.com/security/cve/CVE-2019-2958.html
   https://www.suse.com/security/cve/CVE-2019-2962.html
   https://www.suse.com/security/cve/CVE-2019-2964.html
   https://www.suse.com/security/cve/CVE-2019-2973.html
   https://www.suse.com/security/cve/CVE-2019-2975.html
   https://www.suse.com/security/cve/CVE-2019-2978.html
   https://www.suse.com/security/cve/CVE-2019-2981.html
   https://www.suse.com/security/cve/CVE-2019-2983.html
   https://www.suse.com/security/cve/CVE-2019-2988.html
   https://www.suse.com/security/cve/CVE-2019-2989.html
   https://www.suse.com/security/cve/CVE-2019-2992.html
   https://www.suse.com/security/cve/CVE-2019-2996.html
   https://www.suse.com/security/cve/CVE-2019-2999.html
   https://bugzilla.suse.com/1154212
   https://bugzilla.suse.com/1158442

From sle-updates at lists.suse.com Tue Jan 7 10:13:35 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 18:13:35 +0100 (CET)
Subject: SUSE-SU-2020:0025-1: moderate: Security update for java-1_8_0-openjdk
Message-ID: <20200107171335.880B2F79E@maintenance.suse.de>

SUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0025-1
Rating:             moderate
References:         #1138529 #1152856 #1154212
Cross-References:   CVE-2019-2894 CVE-2019-2933 CVE-2019-2945 CVE-2019-2949
                    CVE-2019-2958 CVE-2019-2962 CVE-2019-2964 CVE-2019-2973
                    CVE-2019-2975 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983
                    CVE-2019-2987 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992
                    CVE-2019-2999
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.
Description:

   This update for java-1_8_0-openjdk fixes the following issues:

   Update to version jdk8u232 (icedtea 3.14.0) (October 2019 CPU, bsc#1154212)

   Security issues fixed:

   - CVE-2019-2933: Windows file handling redux
   - CVE-2019-2945: Better socket support
   - CVE-2019-2949: Better Kerberos ccache handling
   - CVE-2019-2958: Build Better Processes
   - CVE-2019-2964: Better support for patterns
   - CVE-2019-2962: Better Glyph Images
   - CVE-2019-2973: Better pattern compilation
   - CVE-2019-2975: Unexpected exception in jjs
   - CVE-2019-2978: Improved handling of jar files
   - CVE-2019-2981: Better Path supports
   - CVE-2019-2983: Better serial attributes
   - CVE-2019-2987: Better rendering of native glyphs
   - CVE-2019-2988: Better Graphics2D drawing
   - CVE-2019-2989: Improve TLS connection support
   - CVE-2019-2992: Enhance font glyph mapping
   - CVE-2019-2999: Commentary on Javadoc comments
   - CVE-2019-2894: Enhance ECDSA operations (bsc#1152856)

   Bug fixes:

   - Add patch to fix hotspot-aarch64 (bsc#1138529).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-25=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-25=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-25=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      java-1_8_0-openjdk-1.8.0.232-27.38.1
      java-1_8_0-openjdk-debuginfo-1.8.0.232-27.38.1
      java-1_8_0-openjdk-debugsource-1.8.0.232-27.38.1
      java-1_8_0-openjdk-demo-1.8.0.232-27.38.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.232-27.38.1
      java-1_8_0-openjdk-devel-1.8.0.232-27.38.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.232-27.38.1
      java-1_8_0-openjdk-headless-1.8.0.232-27.38.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.232-27.38.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      java-1_8_0-openjdk-1.8.0.232-27.38.1
      java-1_8_0-openjdk-debuginfo-1.8.0.232-27.38.1
      java-1_8_0-openjdk-debugsource-1.8.0.232-27.38.1
      java-1_8_0-openjdk-demo-1.8.0.232-27.38.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.232-27.38.1
      java-1_8_0-openjdk-devel-1.8.0.232-27.38.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.232-27.38.1
      java-1_8_0-openjdk-headless-1.8.0.232-27.38.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.232-27.38.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

      java-1_8_0-openjdk-1.8.0.232-27.38.1
      java-1_8_0-openjdk-debuginfo-1.8.0.232-27.38.1
      java-1_8_0-openjdk-debugsource-1.8.0.232-27.38.1
      java-1_8_0-openjdk-headless-1.8.0.232-27.38.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.232-27.38.1

References:

   https://www.suse.com/security/cve/CVE-2019-2894.html
   https://www.suse.com/security/cve/CVE-2019-2933.html
   https://www.suse.com/security/cve/CVE-2019-2945.html
   https://www.suse.com/security/cve/CVE-2019-2949.html
   https://www.suse.com/security/cve/CVE-2019-2958.html
   https://www.suse.com/security/cve/CVE-2019-2962.html
   https://www.suse.com/security/cve/CVE-2019-2964.html
   https://www.suse.com/security/cve/CVE-2019-2973.html
   https://www.suse.com/security/cve/CVE-2019-2975.html
   https://www.suse.com/security/cve/CVE-2019-2978.html
   https://www.suse.com/security/cve/CVE-2019-2981.html
   https://www.suse.com/security/cve/CVE-2019-2983.html
   https://www.suse.com/security/cve/CVE-2019-2987.html
   https://www.suse.com/security/cve/CVE-2019-2988.html
   https://www.suse.com/security/cve/CVE-2019-2989.html
   https://www.suse.com/security/cve/CVE-2019-2992.html
   https://www.suse.com/security/cve/CVE-2019-2999.html
   https://bugzilla.suse.com/1138529
   https://bugzilla.suse.com/1152856
   https://bugzilla.suse.com/1154212

From sle-updates at lists.suse.com Tue Jan 7 10:14:28 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 18:14:28 +0100 (CET)
Subject: SUSE-SU-2020:0023-1: moderate: Security update for libzypp
Message-ID: <20200107171428.11B8CF79E@maintenance.suse.de>

SUSE Security Update: Security update for libzypp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0023-1
Rating:             moderate
References:         #1158763
Cross-References:   CVE-2019-18900
Affected Products:
                    SUSE CaaS Platform 3.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libzypp fixes the following issues:

   Security issue fixed:

   - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE CaaS Platform 3.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard.
      It will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.
Package List:

   - SUSE CaaS Platform 3.0 (x86_64):

      libzypp-16.21.2-27.68.1
      libzypp-debuginfo-16.21.2-27.68.1
      libzypp-debugsource-16.21.2-27.68.1

References:

   https://www.suse.com/security/cve/CVE-2019-18900.html
   https://bugzilla.suse.com/1158763

From sle-updates at lists.suse.com Tue Jan 7 10:15:08 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 18:15:08 +0100 (CET)
Subject: SUSE-SU-2020:0028-1: moderate: Security update for openssl-1_0_0
Message-ID: <20200107171508.E9A46F79E@maintenance.suse.de>

SUSE Security Update: Security update for openssl-1_0_0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0028-1
Rating:             moderate
References:         #1158809
Cross-References:   CVE-2019-1551
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for openssl-1_0_0 fixes the following issues:

   Security issue fixed:

   - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-28=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-28=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-28=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-28=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-28=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.14.1
      openssl-1_0_0-debuginfo-1.0.2p-3.14.1
      openssl-1_0_0-debugsource-1.0.2p-3.14.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.14.1
      openssl-1_0_0-debuginfo-1.0.2p-3.14.1
      openssl-1_0_0-debugsource-1.0.2p-3.14.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.14.1
      libopenssl1_0_0-1.0.2p-3.14.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.14.1
      libopenssl1_0_0-hmac-1.0.2p-3.14.1
      openssl-1_0_0-1.0.2p-3.14.1
      openssl-1_0_0-debuginfo-1.0.2p-3.14.1
      openssl-1_0_0-debugsource-1.0.2p-3.14.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.2p-3.14.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2p-3.14.1
      libopenssl1_0_0-hmac-32bit-1.0.2p-3.14.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      openssl-1_0_0-doc-1.0.2p-3.14.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.14.1
      libopenssl1_0_0-1.0.2p-3.14.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.14.1
      libopenssl1_0_0-hmac-1.0.2p-3.14.1
      openssl-1_0_0-1.0.2p-3.14.1
      openssl-1_0_0-debuginfo-1.0.2p-3.14.1
      openssl-1_0_0-debugsource-1.0.2p-3.14.1

   - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.2p-3.14.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2p-3.14.1
      libopenssl1_0_0-hmac-32bit-1.0.2p-3.14.1

   - SUSE Linux Enterprise Server 12-SP4 (noarch):

      openssl-1_0_0-doc-1.0.2p-3.14.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.14.1
      libopenssl1_0_0-1.0.2p-3.14.1
      libopenssl1_0_0-32bit-1.0.2p-3.14.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.14.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2p-3.14.1
      openssl-1_0_0-1.0.2p-3.14.1
      openssl-1_0_0-debuginfo-1.0.2p-3.14.1
      openssl-1_0_0-debugsource-1.0.2p-3.14.1

References:

   https://www.suse.com/security/cve/CVE-2019-1551.html
   https://bugzilla.suse.com/1158809

From sle-updates at lists.suse.com Tue Jan 7 10:15:51 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 18:15:51 +0100 (CET)
Subject: SUSE-RU-2020:0022-1: moderate: Recommended update for python-numpy
Message-ID: <20200107171551.A1972F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for python-numpy
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0022-1
Rating:             moderate
References:         #1149203
Affected Products:
                    SUSE Linux Enterprise Module for HPC 15
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for python-numpy fixes the following issues:

   - Add new random module including selectable random number generators:
     MT19937, PCG64, Philox and SFC64 (bsc#1149203)
   - NumPy's FFT implementation was changed from fftpack to pocketfft,
     resulting in faster, more accurate transforms and better handling of
     datasets of prime length. (bsc#1149203)
   - New radix sort and timsort sorting methods. (bsc#1149203)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for HPC 15:

      zypper in -t patch SUSE-SLE-Module-HPC-15-2020-22=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-22=1

Package List:

   - SUSE Linux Enterprise Module for HPC 15 (aarch64 x86_64):

      python-numpy_1_17_3-gnu-hpc-debugsource-1.17.3-4.11.1
      python3-numpy-gnu-hpc-1.17.3-4.11.1
      python3-numpy-gnu-hpc-devel-1.17.3-4.11.1
      python3-numpy_1_17_3-gnu-hpc-1.17.3-4.11.1
      python3-numpy_1_17_3-gnu-hpc-debuginfo-1.17.3-4.11.1
      python3-numpy_1_17_3-gnu-hpc-devel-1.17.3-4.11.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      python-numpy-debugsource-1.17.3-4.11.1
      python3-numpy-1.17.3-4.11.1
      python3-numpy-debuginfo-1.17.3-4.11.1
      python3-numpy-devel-1.17.3-4.11.1

References:

   https://bugzilla.suse.com/1149203

From sle-updates at lists.suse.com Tue Jan 7 10:16:34 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 18:16:34 +0100 (CET)
Subject: SUSE-RU-2020:0027-1: moderate: Recommended update for rdma-core
Message-ID: <20200107171634.0F27BF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for rdma-core
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0027-1
Rating:             moderate
References:         #1137131 #1137132 #1140601 #1157891
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has four recommended fixes can now be installed.

Description:

   This update for rdma-core fixes the following issues:

   - Add Broadcom fixes for libbnxtre. (bsc#1157891)
   - Disable libmlx dependencies for libibverbs on s390x 32 bits.
     (bsc#1140601)
   - Fix baselibs configuration removing conflict with -32b and older (early rdma-core) libraries.
   - Add missing Obsoletes/Conflicts/Provides to handle updates from SP2. (bsc#1137131, bsc#1137132)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-27=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-27=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-27=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      ibacm-22.5-4.6.1
      ibacm-debuginfo-22.5-4.6.1
      iwpmd-22.5-4.6.1
      iwpmd-debuginfo-22.5-4.6.1
      libibverbs-utils-22.5-4.6.1
      libibverbs-utils-debuginfo-22.5-4.6.1
      librdmacm-utils-22.5-4.6.1
      librdmacm-utils-debuginfo-22.5-4.6.1
      rdma-core-debugsource-22.5-4.6.1
      rdma-ndd-22.5-4.6.1
      rdma-ndd-debuginfo-22.5-4.6.1
      srp_daemon-22.5-4.6.1
      srp_daemon-debuginfo-22.5-4.6.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      libibumad3-32bit-22.5-4.6.1
      libibumad3-32bit-debuginfo-22.5-4.6.1
      libibverbs-32bit-22.5-4.6.1
      libibverbs-32bit-debuginfo-22.5-4.6.1
      libibverbs1-32bit-22.5-4.6.1
      libibverbs1-32bit-debuginfo-22.5-4.6.1
      libmlx4-1-32bit-22.5-4.6.1
      libmlx4-1-32bit-debuginfo-22.5-4.6.1
      libmlx5-1-32bit-22.5-4.6.1
      libmlx5-1-32bit-debuginfo-22.5-4.6.1
      librdmacm1-32bit-22.5-4.6.1
      librdmacm1-32bit-debuginfo-22.5-4.6.1
      rdma-core-debugsource-22.5-4.6.1
      rdma-core-devel-32bit-22.5-4.6.1
      rsocket-32bit-22.5-4.6.1
      rsocket-32bit-debuginfo-22.5-4.6.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      libibumad3-22.5-4.6.1
      libibumad3-debuginfo-22.5-4.6.1
      libibverbs-22.5-4.6.1
      libibverbs-debuginfo-22.5-4.6.1
      libibverbs1-22.5-4.6.1
      libibverbs1-debuginfo-22.5-4.6.1
      libmlx4-1-22.5-4.6.1
      libmlx4-1-debuginfo-22.5-4.6.1
      libmlx5-1-22.5-4.6.1
      libmlx5-1-debuginfo-22.5-4.6.1
      librdmacm1-22.5-4.6.1
      librdmacm1-debuginfo-22.5-4.6.1
      rdma-core-22.5-4.6.1
      rdma-core-debugsource-22.5-4.6.1
      rdma-core-devel-22.5-4.6.1
      rsocket-22.5-4.6.1
      rsocket-debuginfo-22.5-4.6.1

References:

   https://bugzilla.suse.com/1137131
   https://bugzilla.suse.com/1137132
   https://bugzilla.suse.com/1140601
   https://bugzilla.suse.com/1157891

From sle-updates at lists.suse.com Tue Jan 7 13:11:10 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 21:11:10 +0100 (CET)
Subject: SUSE-RU-2020:0031-1: moderate: Recommended update for cloud-netconfig
Message-ID: <20200107201110.E26DBF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for cloud-netconfig
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0031-1
Rating:             moderate
References:         #1135592 #1144282 #1157117 #1157190
Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 15
______________________________________________________________________________

   An update that has four recommended fixes can now be installed.

Description:

   This update for cloud-netconfig contains the following fixes:

   - Removed obsolete Group tag from spec file.
   - Update to version 1.3:
     + Fix IPv4 address handling on secondary NICs in Azure.
   - Update to version 1.2:
     + support AWS IMDSv2 token.
   - Update to version 1.1:
     + fix use of GATEWAY variable. (bsc#1157117, bsc#1157190)
     + remove secondary IPv4 address only when added by cloud-netconfig.
       (bsc#1144282)
     + simplify routing setup for single NIC systems (partly fixes bsc#1135592)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2020-31=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15 (noarch):

      cloud-netconfig-azure-1.3-5.12.1
      cloud-netconfig-ec2-1.3-5.12.1

References:

   https://bugzilla.suse.com/1135592
   https://bugzilla.suse.com/1144282
   https://bugzilla.suse.com/1157117
   https://bugzilla.suse.com/1157190

From sle-updates at lists.suse.com Tue Jan 7 13:12:16 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 21:12:16 +0100 (CET)
Subject: SUSE-RU-2020:0032-1: moderate: Recommended update for rpmlint
Message-ID: <20200107201216.0EEE1F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for rpmlint
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0032-1
Rating:             moderate
References:         #1151418 #1157663
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for rpmlint contains the following fixes:

   - Whitelist sssd infopipe. (bsc#1157663)
   - Whitelist sysprof3 D-Bus services. (bsc#1151418)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-32=1

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-32=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):

      rpmlint-1.10-7.9.1

   - SUSE Linux Enterprise Module for Development Tools 15 (noarch):

      rpmlint-1.10-7.9.1

References:

   https://bugzilla.suse.com/1151418
   https://bugzilla.suse.com/1157663

From sle-updates at lists.suse.com Tue Jan 7 13:13:05 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 21:13:05 +0100 (CET)
Subject: SUSE-RU-2020:0030-1: moderate: Recommended update for cloud-netconfig
Message-ID: <20200107201305.3CE3AF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for cloud-netconfig
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0030-1
Rating:             moderate
References:         #1135592 #1144282 #1157117 #1157190
Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

   An update that has four recommended fixes can now be installed.

Description:

   This update for cloud-netconfig contains the following fixes:

   - Removed obsolete Group tag from spec file.
   - Update to version 1.3:
     + Fix IPv4 address handling on secondary NICs in Azure.
   - Update to version 1.2:
     + support AWS IMDSv2 token.
   - Update to version 1.1:
     + fix use of GATEWAY variable. (bsc#1157117, bsc#1157190)
     + remove secondary IPv4 address only when added by cloud-netconfig. (bsc#1144282)
     + simplify routing setup for single NIC systems (partly fixes bsc#1135592)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-30=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 12 (noarch):

      cloud-netconfig-azure-1.3-14.1
      cloud-netconfig-ec2-1.3-14.1

References:

   https://bugzilla.suse.com/1135592
   https://bugzilla.suse.com/1144282
   https://bugzilla.suse.com/1157117
   https://bugzilla.suse.com/1157190

From sle-updates at lists.suse.com Tue Jan 7 13:14:06 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 21:14:06 +0100 (CET)
Subject: SUSE-RU-2020:0033-1: moderate: Recommended update for suse-migration-sle15-activation
Message-ID: <20200107201406.1A746F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for suse-migration-sle15-activation
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0033-1
Rating:             moderate
References:         #1155192
Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for suse-migration-sle15-activation contains the following fixes:

   - Migration failures from SLES12SP4 to SLES15SP1. (bsc#1155192)
   - Add requires for minimum version: Boolean expressions are available with
     rpm >= 4.13 and SLES_SAP provides product(SLES) = %{version}-%{release}
   - Disable use of bool expressions in Requires: Available with rpm >= 4.13.
     Thus we can't build for SLE12 because rpm is older there
   - Fixed Requires syntax: boolean expressions must be embedded into brackets
     according to https://rpm.org/user_doc/more_dependencies.html
   - Add OR condition properly
   - The minimum migration starting point should be: SLES 12 SP3 or SLES For SAP 12 SP3.
Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-33=1


Package List:

   - SUSE Linux Enterprise Module for Public Cloud 12 (noarch):

      suse-migration-sle15-activation-1.2.0-6.11.3


References:

   https://bugzilla.suse.com/1155192


From sle-updates at lists.suse.com Tue Jan 7 13:14:50 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 7 Jan 2020 21:14:50 +0100 (CET)
Subject: SUSE-SU-2020:0029-1: important: Security update for tomcat
Message-ID: <20200107201450.0D67DF79E@maintenance.suse.de>

SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0029-1
Rating:             important
References:         #1139924 #1159723 #1159729
Cross-References:   CVE-2019-10072 CVE-2019-12418 CVE-2019-17563
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for tomcat to version 9.0.30 fixes the following issues:

   Security issues fixed:

   - CVE-2019-12418: Fixed a local privilege escalation through manipulation of the
     RMI registry combined with a man-in-the-middle attack (bsc#1159723).
   - CVE-2019-17563: Fixed a session fixation attack when using FORM authentication
     (bsc#1159729).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-29=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-29=1


Package List:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch):

      tomcat-9.0.30-4.10.1
      tomcat-admin-webapps-9.0.30-4.10.1
      tomcat-el-3_0-api-9.0.30-4.10.1
      tomcat-jsp-2_3-api-9.0.30-4.10.1
      tomcat-lib-9.0.30-4.10.1
      tomcat-servlet-4_0-api-9.0.30-4.10.1
      tomcat-webapps-9.0.30-4.10.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      tomcat-docs-webapp-9.0.30-4.10.1
      tomcat-embed-9.0.30-4.10.1
      tomcat-javadoc-9.0.30-4.10.1
      tomcat-jsvc-9.0.30-4.10.1


References:

   https://www.suse.com/security/cve/CVE-2019-10072.html
   https://www.suse.com/security/cve/CVE-2019-12418.html
   https://www.suse.com/security/cve/CVE-2019-17563.html
   https://bugzilla.suse.com/1139924
   https://bugzilla.suse.com/1159723
   https://bugzilla.suse.com/1159729


From sle-updates at lists.suse.com Wed Jan 8 03:54:58 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 11:54:58 +0100 (CET)
Subject: SUSE-CU-2020:2-1: Security update of suse/sles12sp5
Message-ID: <20200108105458.79681F798@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:2-1
Container Tags        : suse/sles12sp5:5.2.268 , suse/sles12sp5:latest
Severity              : moderate
Type                  : security
References            : 1158809 CVE-2019-1551
-----------------------------------------------------------------

The container suse/sles12sp5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:28-1
Released:    Tue Jan 7 15:10:53 2020
Summary:     Security update for openssl-1_0_0
Type:        security
Severity:    moderate
References:  1158809,CVE-2019-1551

Description:

   This update for openssl-1_0_0 fixes the following issues:

   Security issue fixed:

   - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring
     procedure used in exponentiation with 512-bit moduli (bsc#1158809).


From sle-updates at lists.suse.com Wed Jan 8 04:00:04 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 12:00:04 +0100 (CET)
Subject: SUSE-CU-2020:3-1: Security update of suse/sles12sp4
Message-ID: <20200108110004.13701F7BE@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:3-1
Container Tags        : suse/sles12sp4:26.117 , suse/sles12sp4:latest
Severity              : moderate
Type                  : security
References            : 1158809 CVE-2019-1551
-----------------------------------------------------------------

The container suse/sles12sp4 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:28-1
Released:    Tue Jan 7 15:10:53 2020
Summary:     Security update for openssl-1_0_0
Type:        security
Severity:    moderate
References:  1158809,CVE-2019-1551

Description:

   This update for openssl-1_0_0 fixes the following issues:

   Security issue fixed:

   - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring
     procedure used in exponentiation with 512-bit moduli (bsc#1158809).
From sle-updates at lists.suse.com Wed Jan 8 04:11:44 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 12:11:44 +0100 (CET)
Subject: SUSE-SU-2020:0035-1: moderate: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Message-ID: <20200108111144.6B828F79E@maintenance.suse.de>

SUSE Security Update: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0035-1
Rating:             moderate
References:         #1122469 #1143349 #1150397 #1152308 #1153367 #1158590
Cross-References:   CVE-2019-16884
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Containers 15-SP1
                    SUSE Linux Enterprise Module for Containers 15
______________________________________________________________________________

   An update that solves one vulnerability and has 5 fixes is now available.

Description:

   This update for containerd, docker, docker-runc, golang-github-docker-libnetwork
   fixes the following issues:

   Security issue fixed:

   - CVE-2019-16884: Fixed an incomplete patch for an LSM bypass via a malicious
     Docker image that mounts over a /proc directory (bsc#1152308).

   Bug fixes:

   - Update to Docker 19.03.5-ce (bsc#1158590).
   - Update to Docker 19.03.3-ce (bsc#1153367).
   - Update to Docker 19.03.2-ce (bsc#1150397).
   - Fixed the default installation such that --userns-remap=default works properly
     (bsc#1143349).
   - Fixed nginx being blocked by AppArmor (bsc#1122469).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-35=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-35=1

   - SUSE Linux Enterprise Module for Containers 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-35=1

   - SUSE Linux Enterprise Module for Containers 15:

      zypper in -t patch SUSE-SLE-Module-Containers-15-2020-35=1


Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      containerd-ctr-1.2.10-5.19.1
      containerd-kubic-1.2.10-5.19.1
      containerd-kubic-ctr-1.2.10-5.19.1
      docker-debuginfo-19.03.5_ce-6.31.1
      docker-kubic-19.03.5_ce-6.31.1
      docker-kubic-debuginfo-19.03.5_ce-6.31.1
      docker-kubic-kubeadm-criconfig-19.03.5_ce-6.31.1
      docker-kubic-test-19.03.5_ce-6.31.1
      docker-kubic-test-debuginfo-19.03.5_ce-6.31.1
      docker-libnetwork-kubic-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
      docker-libnetwork-kubic-debuginfo-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
      docker-runc-kubic-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1
      docker-runc-kubic-debuginfo-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1
      docker-test-19.03.5_ce-6.31.1
      docker-test-debuginfo-19.03.5_ce-6.31.1
      golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
      golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      docker-kubic-bash-completion-19.03.5_ce-6.31.1
      docker-kubic-zsh-completion-19.03.5_ce-6.31.1
      docker-zsh-completion-19.03.5_ce-6.31.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      containerd-ctr-1.2.10-5.19.1
      docker-debuginfo-19.03.5_ce-6.31.1
      docker-test-19.03.5_ce-6.31.1
      docker-test-debuginfo-19.03.5_ce-6.31.1
      golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      docker-zsh-completion-19.03.5_ce-6.31.1

   - SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x x86_64):

      containerd-1.2.10-5.19.1
      docker-19.03.5_ce-6.31.1
      docker-debuginfo-19.03.5_ce-6.31.1
      docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
      docker-libnetwork-debuginfo-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
      docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1
      docker-runc-debuginfo-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1

   - SUSE Linux Enterprise Module for Containers 15-SP1 (noarch):

      docker-bash-completion-19.03.5_ce-6.31.1

   - SUSE Linux Enterprise Module for Containers 15 (ppc64le s390x x86_64):

      containerd-1.2.10-5.19.1
      docker-19.03.5_ce-6.31.1
      docker-debuginfo-19.03.5_ce-6.31.1
      docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
      docker-libnetwork-debuginfo-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
      docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1
      docker-runc-debuginfo-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1

   - SUSE Linux Enterprise Module for Containers 15 (noarch):

      docker-bash-completion-19.03.5_ce-6.31.1


References:

   https://www.suse.com/security/cve/CVE-2019-16884.html
   https://bugzilla.suse.com/1122469
   https://bugzilla.suse.com/1143349
   https://bugzilla.suse.com/1150397
   https://bugzilla.suse.com/1152308
   https://bugzilla.suse.com/1153367
   https://bugzilla.suse.com/1158590


From sle-updates at lists.suse.com Wed Jan 8 10:11:49 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 18:11:49 +0100 (CET)
Subject: SUSE-SU-2020:14263-1: moderate: Security update for java-1_7_1-ibm
Message-ID: <20200108171149.F0A16F79E@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_1-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14263-1
Rating:             moderate
References:         #1154212 #1158442
Cross-References:   CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964
                    CVE-2019-2973 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983
                    CVE-2019-2989 CVE-2019-2992 CVE-2019-2999
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.

Description:

   This update for java-1_7_1-ibm fixes the following issues:

   - Update to 7.1 Service Refresh 4 Fix Pack 55 [bsc#1158442, bsc#1154212]
     * Security fixes: CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964
       CVE-2019-2978 CVE-2019-2983 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999
       CVE-2019-2973 CVE-2019-2981

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:

      zypper in -t patch slessp4-java-1_7_1-ibm-14263=1


Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

      java-1_7_1-ibm-1.7.1_sr4.55-26.47.1
      java-1_7_1-ibm-devel-1.7.1_sr4.55-26.47.1
      java-1_7_1-ibm-jdbc-1.7.1_sr4.55-26.47.1

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64):

      java-1_7_1-ibm-alsa-1.7.1_sr4.55-26.47.1
      java-1_7_1-ibm-plugin-1.7.1_sr4.55-26.47.1


References:

   https://www.suse.com/security/cve/CVE-2019-2933.html
   https://www.suse.com/security/cve/CVE-2019-2945.html
   https://www.suse.com/security/cve/CVE-2019-2962.html
   https://www.suse.com/security/cve/CVE-2019-2964.html
   https://www.suse.com/security/cve/CVE-2019-2973.html
   https://www.suse.com/security/cve/CVE-2019-2978.html
   https://www.suse.com/security/cve/CVE-2019-2981.html
   https://www.suse.com/security/cve/CVE-2019-2983.html
   https://www.suse.com/security/cve/CVE-2019-2989.html
   https://www.suse.com/security/cve/CVE-2019-2992.html
   https://www.suse.com/security/cve/CVE-2019-2999.html
   https://bugzilla.suse.com/1154212
   https://bugzilla.suse.com/1158442


From sle-updates at lists.suse.com Wed Jan 8 10:12:41 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 18:12:41 +0100 (CET)
Subject: SUSE-RU-2020:0041-1: Recommended update for libyui-qt-pkg
Message-ID: <20200108171241.C282EF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for libyui-qt-pkg
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0041-1
Rating:             low
References:         #1137034
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for libyui-qt-pkg fixes the following issues:

   - Added an explanation for temporary menu options (bsc#1137034)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-41=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-41=1


Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      libyui-qt-pkg-debugsource-2.45.28-3.6.1
      libyui-qt-pkg-devel-2.45.28-3.6.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libyui-qt-pkg-debugsource-2.45.28-3.6.1
      libyui-qt-pkg9-2.45.28-3.6.1
      libyui-qt-pkg9-debuginfo-2.45.28-3.6.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      libyui-qt-pkg-doc-2.45.28-3.6.1


References:

   https://bugzilla.suse.com/1137034


From sle-updates at lists.suse.com Wed Jan 8 10:13:25 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 18:13:25 +0100 (CET)
Subject: SUSE-SU-2020:0043-1: important: Security update for nodejs8
Message-ID: <20200108171325.F1A7EF79E@maintenance.suse.de>

SUSE Security Update: Security update for nodejs8
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0043-1
Rating:             important
References:         #1149792 #1159352
Cross-References:   CVE-2019-16775 CVE-2019-16776 CVE-2019-16777
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 15-SP1
                    SUSE Linux Enterprise Module for Web Scripting 15
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for nodejs8 to version 8.17.0 fixes the following issues:

   Security issues fixed:

   - CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated npm to 6.13.4, fixing
     arbitrary path overwrite and access via the "bin" field (bsc#1159352).
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-43=1

   - SUSE Linux Enterprise Module for Web Scripting 15:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-2020-43=1


Package List:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (aarch64 ppc64le s390x x86_64):

      nodejs8-8.17.0-3.25.1
      nodejs8-debuginfo-8.17.0-3.25.1
      nodejs8-debugsource-8.17.0-3.25.1
      nodejs8-devel-8.17.0-3.25.1
      npm8-8.17.0-3.25.1

   - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch):

      nodejs8-docs-8.17.0-3.25.1

   - SUSE Linux Enterprise Module for Web Scripting 15 (aarch64 ppc64le s390x x86_64):

      nodejs8-8.17.0-3.25.1
      nodejs8-debuginfo-8.17.0-3.25.1
      nodejs8-debugsource-8.17.0-3.25.1
      nodejs8-devel-8.17.0-3.25.1
      npm8-8.17.0-3.25.1

   - SUSE Linux Enterprise Module for Web Scripting 15 (noarch):

      nodejs8-docs-8.17.0-3.25.1


References:

   https://www.suse.com/security/cve/CVE-2019-16775.html
   https://www.suse.com/security/cve/CVE-2019-16776.html
   https://www.suse.com/security/cve/CVE-2019-16777.html
   https://bugzilla.suse.com/1149792
   https://bugzilla.suse.com/1159352


From sle-updates at lists.suse.com Wed Jan 8 10:14:19 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 18:14:19 +0100 (CET)
Subject: SUSE-RU-2020:0042-1: important: Initial shipment of package sles-ltss-release
Message-ID: <20200108171419.9507DF79E@maintenance.suse.de>

SUSE Recommended Update: Initial shipment of package sles-ltss-release
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0042-1
Rating:             important
References:         #1160312
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This patch ships the sles-ltss-release package to SUSE Linux Enterprise Server 15
   customers.

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-42=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-42=1


Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      sles-ltss-release-15-1.5.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      sles-ltss-release-15-1.5.1


References:

   https://bugzilla.suse.com/1160312


From sle-updates at lists.suse.com Wed Jan 8 10:15:04 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 18:15:04 +0100 (CET)
Subject: SUSE-RU-2020:0040-1: moderate: Recommended update for adcli
Message-ID: <20200108171504.B6087F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for adcli
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0040-1
Rating:             moderate
References:         #1157491
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for adcli fixes the following issues:

   - Fixed proper detection of the fully qualified domain name (FQDN). (bsc#1157491)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-40=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-40=1


Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      adcli-0.8.2-1.6.2
      adcli-debuginfo-0.8.2-1.6.2
      adcli-debugsource-0.8.2-1.6.2
      adcli-doc-0.8.2-1.6.2

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      adcli-0.8.2-1.6.2


References:

   https://bugzilla.suse.com/1157491


From sle-updates at lists.suse.com Wed Jan 8 10:15:54 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 18:15:54 +0100 (CET)
Subject: SUSE-SU-2020:0045-1: important: Security update for git
Message-ID: <20200108171554.43814F79E@maintenance.suse.de>

SUSE Security Update: Security update for git
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0045-1
Rating:             important
References:         #1082023 #1149792 #1158785 #1158787 #1158788 #1158789 #1158790
                    #1158791 #1158792 #1158793 #1158795
Cross-References:   CVE-2019-1348 CVE-2019-1349 CVE-2019-1350 CVE-2019-1351
                    CVE-2019-1352 CVE-2019-1353 CVE-2019-1354 CVE-2019-1387
                    CVE-2019-19604
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that solves 9 vulnerabilities and has two fixes is now available.
Description:

   This update for git fixes the following issues:

   Security issues fixed:

   - CVE-2019-1349: Fixed an issue on Windows where, when submodules are cloned
     recursively, Git could under certain circumstances be fooled into using the
     same Git directory twice (bsc#1158787).
   - CVE-2019-19604: Fixed an issue where a recursive clone followed by a submodule
     update could execute code contained within the repository without the user
     explicitly having asked for that (bsc#1158795).
   - CVE-2019-1387: Fixed too-lax validation of submodule names, which allowed very
     targeted remote code execution attacks in recursive clones (bsc#1158793).
   - CVE-2019-1354: Fixed an issue on Windows where Git did not refuse to write
     tracked files with filenames that contain backslashes (bsc#1158792).
   - CVE-2019-1353: Fixed an issue where, when run in the Windows Subsystem for
     Linux while accessing a working directory on a regular Windows drive, none of
     the NTFS protections were active (bsc#1158791).
   - CVE-2019-1352: Fixed an issue where Git on Windows was unaware of NTFS
     Alternate Data Streams (bsc#1158790).
   - CVE-2019-1351: Fixed an issue where Git on Windows mistook drive letters
     outside of the US-English alphabet for relative paths (bsc#1158789).
   - CVE-2019-1350: Fixed incorrect quoting of command-line arguments that allowed
     remote code execution during a recursive clone in conjunction with SSH URLs
     (bsc#1158788).
   - CVE-2019-1348: Fixed an issue where the --export-marks option of fast-import
     was also exposed via the in-stream command feature export-marks=..., which
     allowed overwriting arbitrary paths (bsc#1158785).
   - Fixed an issue where git send-email failed to authenticate with the SMTP
     server (bsc#1082023)

   Bug fixes:

   - Add zlib dependency, which used to be provided by openssl-devel, so that the
     package can compile successfully after the openssl upgrade to 1.1.1
     (bsc#1149792).
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-45=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-45=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-45=1

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-45=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-45=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-45=1


Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      git-credential-gnome-keyring-2.16.4-3.17.2
      git-credential-gnome-keyring-debuginfo-2.16.4-3.17.2
      git-credential-libsecret-2.16.4-3.17.2
      git-credential-libsecret-debuginfo-2.16.4-3.17.2
      git-debuginfo-2.16.4-3.17.2
      git-debugsource-2.16.4-3.17.2
      git-p4-2.16.4-3.17.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      git-credential-gnome-keyring-2.16.4-3.17.2
      git-credential-gnome-keyring-debuginfo-2.16.4-3.17.2
      git-credential-libsecret-2.16.4-3.17.2
      git-credential-libsecret-debuginfo-2.16.4-3.17.2
      git-debuginfo-2.16.4-3.17.2
      git-debugsource-2.16.4-3.17.2
      git-p4-2.16.4-3.17.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      git-2.16.4-3.17.2
      git-arch-2.16.4-3.17.2
      git-cvs-2.16.4-3.17.2
      git-daemon-2.16.4-3.17.2
      git-daemon-debuginfo-2.16.4-3.17.2
      git-debuginfo-2.16.4-3.17.2
      git-debugsource-2.16.4-3.17.2
      git-email-2.16.4-3.17.2
      git-gui-2.16.4-3.17.2
      git-svn-2.16.4-3.17.2
      git-svn-debuginfo-2.16.4-3.17.2
      git-web-2.16.4-3.17.2
      gitk-2.16.4-3.17.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):

      git-doc-2.16.4-3.17.2
      perl-Authen-SASL-2.16-1.3.1
      perl-Net-SMTP-SSL-1.04-1.3.1

   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):

      git-2.16.4-3.17.2
      git-arch-2.16.4-3.17.2
      git-cvs-2.16.4-3.17.2
      git-daemon-2.16.4-3.17.2
      git-daemon-debuginfo-2.16.4-3.17.2
      git-debuginfo-2.16.4-3.17.2
      git-debugsource-2.16.4-3.17.2
      git-email-2.16.4-3.17.2
      git-gui-2.16.4-3.17.2
      git-svn-2.16.4-3.17.2
      git-svn-debuginfo-2.16.4-3.17.2
      git-web-2.16.4-3.17.2
      gitk-2.16.4-3.17.2

   - SUSE Linux Enterprise Module for Development Tools 15 (noarch):

      git-doc-2.16.4-3.17.2
      perl-Authen-SASL-2.16-1.3.1
      perl-Net-SMTP-SSL-1.04-1.3.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      git-core-2.16.4-3.17.2
      git-core-debuginfo-2.16.4-3.17.2
      git-debuginfo-2.16.4-3.17.2
      git-debugsource-2.16.4-3.17.2

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      git-core-2.16.4-3.17.2
      git-core-debuginfo-2.16.4-3.17.2
      git-debuginfo-2.16.4-3.17.2
      git-debugsource-2.16.4-3.17.2


References:

   https://www.suse.com/security/cve/CVE-2019-1348.html
   https://www.suse.com/security/cve/CVE-2019-1349.html
   https://www.suse.com/security/cve/CVE-2019-1350.html
   https://www.suse.com/security/cve/CVE-2019-1351.html
   https://www.suse.com/security/cve/CVE-2019-1352.html
   https://www.suse.com/security/cve/CVE-2019-1353.html
   https://www.suse.com/security/cve/CVE-2019-1354.html
   https://www.suse.com/security/cve/CVE-2019-1387.html
   https://www.suse.com/security/cve/CVE-2019-19604.html
   https://bugzilla.suse.com/1082023
   https://bugzilla.suse.com/1149792
   https://bugzilla.suse.com/1158785
   https://bugzilla.suse.com/1158787
   https://bugzilla.suse.com/1158788
   https://bugzilla.suse.com/1158789
   https://bugzilla.suse.com/1158790
   https://bugzilla.suse.com/1158791
   https://bugzilla.suse.com/1158792
   https://bugzilla.suse.com/1158793
   https://bugzilla.suse.com/1158795


From sle-updates at lists.suse.com Wed Jan 8 10:17:48 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 18:17:48 +0100 (CET)
Subject: SUSE-RU-2020:0038-1: moderate: Recommended update for openssl-1_1
Message-ID: <20200108171748.9FE0CF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for openssl-1_1
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0038-1
Rating:             moderate
References:         #1158499 #1160158
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for openssl-1_1 fixes the following issues:

   - Obsoleted libopenssl-1_0_0-hmac for a clean upgrade from SLE-12 (bsc#1158499)
   - Fixed a regression where EVP_PBE_scrypt() behavior changed (bsc#1160158).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-38=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-38=1


Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (x86_64):

      libopenssl-1_1-devel-32bit-1.1.0i-4.30.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      openssl-1_1-doc-1.1.0i-4.30.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_1-devel-1.1.0i-4.30.1
      libopenssl1_1-1.1.0i-4.30.1
      libopenssl1_1-debuginfo-1.1.0i-4.30.1
      libopenssl1_1-hmac-1.1.0i-4.30.1
      openssl-1_1-1.1.0i-4.30.1
      openssl-1_1-debuginfo-1.1.0i-4.30.1
      openssl-1_1-debugsource-1.1.0i-4.30.1

   - SUSE Linux Enterprise Module for Basesystem 15 (x86_64):

      libopenssl1_1-32bit-1.1.0i-4.30.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-4.30.1
      libopenssl1_1-hmac-32bit-1.1.0i-4.30.1


References:

   https://bugzilla.suse.com/1158499
   https://bugzilla.suse.com/1160158


From sle-updates at lists.suse.com Wed Jan 8 13:10:54 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 21:10:54 +0100 (CET)
Subject: SUSE-SU-2020:14265-1: moderate: Security update for java-1_7_0-ibm
Message-ID: <20200108201054.2A259F79E@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14265-1
Rating:             moderate
References:         #1154212 #1158442
Cross-References:   CVE-2019-2933 CVE-2019-2945 CVE-2019-2958 CVE-2019-2962
                    CVE-2019-2964 CVE-2019-2973 CVE-2019-2978 CVE-2019-2981
                    CVE-2019-2983 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992
                    CVE-2019-2999
Affected Products:
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.

Description:

   This update for java-1_7_0-ibm fixes the following issues:

   - Update to 7.0 Service Refresh 10 Fix Pack 55 [bsc#1158442, bsc#1154212]
     * Security fixes: CVE-2019-2933 CVE-2019-2945 CVE-2019-2958 CVE-2019-2962
       CVE-2019-2964 CVE-2019-2978 CVE-2019-2983 CVE-2019-2988 CVE-2019-2989
       CVE-2019-2992 CVE-2019-2999 CVE-2019-2973 CVE-2019-2981

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-java-1_7_0-ibm-14265=1


Package List:

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      java-1_7_0-ibm-1.7.0_sr10.55-65.45.1
      java-1_7_0-ibm-alsa-1.7.0_sr10.55-65.45.1
      java-1_7_0-ibm-devel-1.7.0_sr10.55-65.45.1
      java-1_7_0-ibm-jdbc-1.7.0_sr10.55-65.45.1
      java-1_7_0-ibm-plugin-1.7.0_sr10.55-65.45.1


References:

   https://www.suse.com/security/cve/CVE-2019-2933.html
   https://www.suse.com/security/cve/CVE-2019-2945.html
   https://www.suse.com/security/cve/CVE-2019-2958.html
   https://www.suse.com/security/cve/CVE-2019-2962.html
   https://www.suse.com/security/cve/CVE-2019-2964.html
   https://www.suse.com/security/cve/CVE-2019-2973.html
   https://www.suse.com/security/cve/CVE-2019-2978.html
   https://www.suse.com/security/cve/CVE-2019-2981.html
   https://www.suse.com/security/cve/CVE-2019-2983.html
   https://www.suse.com/security/cve/CVE-2019-2988.html
   https://www.suse.com/security/cve/CVE-2019-2989.html
   https://www.suse.com/security/cve/CVE-2019-2992.html
   https://www.suse.com/security/cve/CVE-2019-2999.html
   https://bugzilla.suse.com/1154212
   https://bugzilla.suse.com/1158442


From sle-updates at lists.suse.com Wed Jan 8 13:11:42 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 21:11:42 +0100 (CET)
Subject: SUSE-RU-2020:0049-1: moderate: Recommended update for libstorage-ng
Message-ID: <20200108201142.A5903F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for libstorage-ng
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0049-1
Rating:             moderate
References:         #1135341 #1149754
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for libstorage-ng fixes the following issues:

   - Fixed handling of btrfs subvolumes with special (regex control) characters
     in the path. (bsc#1135341)
   - Translated using Weblate (Estonian) (bsc#1149754)
   - Translated using Weblate (Danish) (bsc#1149754)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-49=1
- SUSE Linux Enterprise Module for Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-49=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-49=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  libstorage-ng-debuginfo-4.1.105-4.6.1
  libstorage-ng-debugsource-4.1.105-4.6.1
  libstorage-ng-integration-tests-4.1.105-4.6.1
  libstorage-ng-python3-4.1.105-4.6.1
  libstorage-ng-python3-debuginfo-4.1.105-4.6.1
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  libstorage-ng-debuginfo-4.1.105-4.6.1
  libstorage-ng-debugsource-4.1.105-4.6.1
  libstorage-ng-utils-4.1.105-4.6.1
  libstorage-ng-utils-debuginfo-4.1.105-4.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  libstorage-ng-debuginfo-4.1.105-4.6.1
  libstorage-ng-debugsource-4.1.105-4.6.1
  libstorage-ng-devel-4.1.105-4.6.1
  libstorage-ng-ruby-4.1.105-4.6.1
  libstorage-ng-ruby-debuginfo-4.1.105-4.6.1
  libstorage-ng1-4.1.105-4.6.1
  libstorage-ng1-debuginfo-4.1.105-4.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
  libstorage-ng-lang-4.1.105-4.6.1

References:

https://bugzilla.suse.com/1135341
https://bugzilla.suse.com/1149754


From sle-updates at lists.suse.com Wed Jan 8 13:12:31 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 8 Jan 2020 21:12:31 +0100 (CET)
Subject: SUSE-RU-2020:0048-1: moderate: Recommended update for kernel-firmware
Message-ID: <20200108201231.30FA8F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for kernel-firmware
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0048-1
Rating:             moderate
References:         #1154395 #1155307
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that has two recommended fixes can now be installed.

Description:

This update for kernel-firmware fixes the following issues:

Update to version 20191118 (git commit e8a0f4c93147):

  * rtl_nic: add firmware rtl8168fp-3
  * linux-firmware: Update NXP Management Complex firmware to version 10.18.0

Update to version 20191113 (git commit c62c3c26a5e7):

  * linux-firmware: Update firmware file for Intel Bluetooth AX201
  * linux-firmware: Update firmware file for Intel Bluetooth AX200
  * linux-firmware: Update firmware file for Intel Bluetooth 9560
  * linux-firmware: Update firmware file for Intel Bluetooth 9260
  * amdgpu: update navi14 vcn firmware
  * amdgpu: update navi10 vcn firmware

Update to version 20191108 (git commit f1100ddf581f) (bsc#1154395):

  * i915: Add HuC firmware v7.0.3 for TGL
  * i915: Add GuC firmware v35.2.0 for TGL
  * i915: Add HuC firmware v9.0.0 for EHL
  * i915: Add GuC firmware v33.0.4 for EHL
  * rtw88: RTL8723D: add firmware file v48
  * qed: Add firmware 8.40.33.0
  * amdgpu: add new navi14 wks gfx firmware for 19.30
  * amdgpu: update navi14 firmware for 19.30
  * amdgpu: update raven firmware for 19.30
  * linux-firmware: Add firmware file for Intel Bluetooth AX201

- Upgrade for SLE15-SP2 / Leap 15.2 (jsc#SLE-8379, bsc#1155307)
- The Chelsio driver loads a firmware configuration file so that the firmware can distribute resources before chip bring-up. The Chelsio NIC driver, cxgb4, searches for the firmware config file in the /lib/firmware/cxgb4/ directory.
- Add symlinks for Tegra VIC firmware binaries
- Update the following firmware files:
  - amdgpu: update vega20 ucode for 19.30
  - amdgpu: update vega12 ucode for 19.30
  - amdgpu: update vega10 ucode for 19.30
  - amdgpu: update picasso ucode for 19.30
  - amdgpu: update raven2 ucode for 19.30
  - amdgpu: update raven ucode for 19.30
  - amdgpu: add new raven rlc firmware
  - amdgpu: update vega10 VCE firmware
  - amdgpu: update picasso vcn firmware
  - amdgpu: update raven vcn firmware
  - amdgpu: update tonga to latest 19.20 firmware
  - amdgpu: update vega12 to latest 19.20 firmware
  - amdgpu: update polaris12 to latest 19.20 firmware
  - amdgpu: update raven2 to latest 19.20 firmware
  - amdgpu: update raven to latest 19.20 firmware
  - amdgpu: add initial navi14 firmware from 19.30
  - amdgpu: add initial navi10 firmware
  - ath10k: QCA9984 hw1.0: update board-2.bin
  - ath10k: QCA9984 hw1.0: update firmware-5.bin to 10.4-3.9.0.2-00046
  - ath10k: QCA988X hw2.0: update firmware-5.bin to 10.2.4-1.0-00045
  - ath10k: QCA9888 hw2.0: update board-2.bin
  - ath10k: QCA9888 hw2.0: update firmware-5.bin to 10.4-3.9.0.2-00040
  - ath10k: QCA9887 hw1.0: update firmware-5.bin to 10.2.4-1.0-00045
  - ath10k: QCA6174 hw3.0: update firmware-6.bin to WLAN.RM.4.4.1-00140-QCARMSWPZ-1
  - ath10k: QCA4019 hw1.0: update board-2.bin
  - bnx2x: Add FW 7.13.15.0.
  - brcm: Add 43455 based AP6255 NVRAM for the Minix Neo Z83-4 Mini PC
  - brcm: Add 43340 based AP6234 NVRAM for the PoV TAB-P1006W-232 tablet
  - cxgb4: update firmware to revision 1.24.3.0
  - drm/i915/firmware: Add v9.0.0 of HuC for Icelake
  - drm/i915/firmware: Add v4.0.0 of HuC for Cometlake
  - drm/i915/firmware: Add v4.0.0 of HuC for Geminilake
  - drm/i915/firmware: Add v2.0.0 of HuC for Broxton
  - drm/i915/firmware: Add v4.0.0 of HuC for Kabylake
  - drm/i915/firmware: Add v2.0.0 of HuC for Skylake
  - drm/i915/firmware: Add v33 of GuC for CML
  - drm/i915/firmware: Add v2.04 of DMC for TGL
  - drm/i915/firmware: Add v1.09 of DMC for ICL
  - drm/i915/firmware: Add v33 of GuC for ICL
  - drm/i915/firmware: Add v33 of GuC for KBL
  - drm/i915/firmware: Add v33 of GuC for SKL
  - drm/i915/firmware: Add v33 of GuC for GLK
  - drm/i915/firmware: Add v33 of GuC for BXT
  - ice: Fix up WHENCE entry and symlink
  - ice: Add package file for Intel E800 series driver
  - iwlwifi: add new firmwares for integrated 22000 series
  - iwlwifi: update FW for 22000 to Core45-96
  - iwlwifi: update FWs for 9000 series to Core45-96
  - iwlwifi: update Core45 FWs for 22260, 9000 and 9260
  - iwlwifi: update -36 firmware for 8000 series
  - iwlwifi: update -48 FWs for Qu and cc
  - iwlwifi: update FWs for 3168, 7265D, 9000, 9260, 8000, 8265 and cc
  - iwlwifi: update FWs to core45-152 release
  - linux-firmware: Update firmware file for Intel Bluetooth AX201
  - linux-firmware: Update firmware file for Intel Bluetooth 22161
  - linux-firmware: Update firmware file for Intel Bluetooth 9560
  - linux-firmware: Update firmware file for Intel Bluetooth 9260
  - linux-firmware: Update firmware file for Intel Bluetooth AX200
  - linux-firmware: Update firmware file for Intel Bluetooth AX201
  - linux-firmware: Update firmware file for Intel Bluetooth 9560
  - linux-firmware: Update firmware file for Intel Bluetooth 9260
  - linux-firmware: Update AMD cpu microcode
  - linux-firmware: Update firmware file for Intel Bluetooth AX200
  - linux-firmware: Update firmware file for Intel Bluetooth AX201
  - linux-firmware: Update firmware file for Intel Bluetooth 9560
  - linux-firmware: Update firmware file for Intel Bluetooth 9260
  - linux-firmware: Update NXP Management Complex firmware to version 10.16.2
  - linux-firmware: rsi: add firmware image for redpine 9116 chipset
  - Mellanox: Add new mlxsw_spectrum firmware 13.2000.1886
  - Mellanox: Add new mlxsw_spectrum firmware 13.2000.1886
  - Mellanox: Add new mlxsw_spectrum2 firmware 29.2000.2308
  - Mellanox: Add new mlxsw_spectrum firmware 13.2000.2308
  - nfp: update Agilio SmartNIC flower firmware to rev AOTC-2.10.A.38
  - nvidia: Add XUSB firmware for Tegra186
  - nvidia: add missing entries in WHENCE
  - nvidia: Update Tegra210 XUSB firmware to v50.24
  - nvidia: Add XUSB firmware for Tegra194
  - qcom: add firmware files for Adreno a630
  - rtl_bt: Update configuration file for BT part of RTL8822CU
  - rtl_bt: Update RTL8822C BT FW to V0x098A_94A4
  - rtl_bt: Update RTL8723D BT FW to 0x828A_96F1
  - rtl_nic: add firmware rtl8125a-3
  - rtl_nic: add firmware files for RTL8153
  - rtlwifi: rtl8821ae: Add firmware for the RTL8812AE variant.
  - rtw88: add a README file
  - rtw88: RTL8822C: add WoW firmware v7.3
  - rtw88: RTL8822C: update rtw8822c_fw.bin to v7.3

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-48=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
  kernel-firmware-20191118-3.7.1
  ucode-amd-20191118-3.7.1

References:

https://bugzilla.suse.com/1154395
https://bugzilla.suse.com/1155307


From sle-updates at lists.suse.com Thu Jan 9 07:15:52 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 9 Jan 2020 15:15:52 +0100 (CET)
Subject: SUSE-SU-2020:14266-1: moderate: Security update for apache2-mod_perl
Message-ID: <20200109141552.9ED59F79E@maintenance.suse.de>

SUSE Security Update: Security update for apache2-mod_perl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14266-1
Rating:             moderate
References:         #1156944
Cross-References:   CVE-2011-2767
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for apache2-mod_perl fixes the following issues:

- CVE-2011-2767: Fixed a vulnerability that could have allowed Perl code execution in the context of the user account (bsc#1156944).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-apache2-mod_perl-14266=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
  zypper in -t patch sleposp3-apache2-mod_perl-14266=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-apache2-mod_perl-14266=1
- SUSE Linux Enterprise Debuginfo 11-SP3:
  zypper in -t patch dbgsp3-apache2-mod_perl-14266=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
  apache2-mod_perl-2.0.4-40.63.3.3
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
  apache2-mod_perl-2.0.4-40.63.3.3
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
  apache2-mod_perl-debuginfo-2.0.4-40.63.3.3
  apache2-mod_perl-debugsource-2.0.4-40.63.3.3
- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
  apache2-mod_perl-debuginfo-2.0.4-40.63.3.3
  apache2-mod_perl-debugsource-2.0.4-40.63.3.3

References:

https://www.suse.com/security/cve/CVE-2011-2767.html
https://bugzilla.suse.com/1156944


From sle-updates at lists.suse.com Thu Jan 9 07:11:42 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 9 Jan 2020 15:11:42 +0100 (CET)
Subject: SUSE-SU-2020:0053-1: important: Security update for log4j
Message-ID: <20200109141142.F18B6F79E@maintenance.suse.de>

SUSE Security Update: Security update for log4j
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0053-1
Rating:             important
References:         #1159646
Cross-References:   CVE-2019-17571
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for log4j fixes the following issues:

- CVE-2019-17571: Fixed a remote code execution by deserialization of untrusted data in SocketServer (bsc#1159646).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-53=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-53=1
- SUSE Linux Enterprise Module for Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-53=1
- SUSE Linux Enterprise Module for Development Tools 15:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-53=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-53=1
- SUSE Linux Enterprise Module for Basesystem 15:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-53=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
  log4j-javadoc-1.2.17-5.3.1
  log4j-mini-1.2.17-5.3.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
  log4j-javadoc-1.2.17-5.3.1
  log4j-mini-1.2.17-5.3.1
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):
  log4j-manual-1.2.17-5.3.1
- SUSE Linux Enterprise Module for Development Tools 15 (noarch):
  log4j-manual-1.2.17-5.3.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
  log4j-1.2.17-5.3.1
- SUSE Linux Enterprise Module for Basesystem 15 (noarch):
  log4j-1.2.17-5.3.1

References:
https://www.suse.com/security/cve/CVE-2019-17571.html
https://bugzilla.suse.com/1159646


From sle-updates at lists.suse.com Thu Jan 9 01:51:49 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 9 Jan 2020 09:51:49 +0100 (CET)
Subject: SUSE-CU-2020:4-1: Recommended update of suse/sle15
Message-ID: <20200109085149.CBDC5F79E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:4-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.125
Severity              : moderate
Type                  : recommended
References            : 1158499 1160158
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:38-1
Released:    Wed Jan 8 13:05:11 2020
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1158499,1160158
Description:
This update for openssl-1_1 fixes the following issues:

- Obsoleted libopenssl-1_0_0-hmac for a clean upgrade from SLE-12 (bsc#1158499)
- Fixed a regression where EVP_PBE_scrypt() behavior changed (bsc#1160158).
From sle-updates at lists.suse.com Thu Jan 9 07:14:09 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 9 Jan 2020 15:14:09 +0100 (CET)
Subject: SUSE-SU-2020:0050-1: moderate: Security update for mariadb
Message-ID: <20200109141409.C9E87F79E@maintenance.suse.de>

SUSE Security Update: Security update for mariadb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0050-1
Rating:             moderate
References:         #1154162
Cross-References:   CVE-2019-2974
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for mariadb fixes the following issues:

Security issue fixed:

- CVE-2019-2974: Fixed a vulnerability in the Server Optimizer component (bsc#1154162).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-50=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-50=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-50=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-50=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-50=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-50=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-50=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-50=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-50=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-50=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-50=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-50=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-50=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE OpenStack Cloud 8 (x86_64):
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE OpenStack Cloud 7 (s390x x86_64):
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
  libmysqlclient-devel-10.0.40.2-29.35.1
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
  libmysqlclient_r18-10.0.40.2-29.35.1
  libmysqld-devel-10.0.40.2-29.35.1
  libmysqld18-10.0.40.2-29.35.1
  libmysqld18-debuginfo-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
  libmysqlclient-devel-10.0.40.2-29.35.1
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  libmysqlclient_r18-10.0.40.2-29.35.1
  libmysqld-devel-10.0.40.2-29.35.1
  libmysqld18-10.0.40.2-29.35.1
  libmysqld18-debuginfo-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
  mariadb-errormessages-10.0.40.2-29.35.1
  mariadb-tools-10.0.40.2-29.35.1
  mariadb-tools-debuginfo-10.0.40.2-29.35.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64):
  libmysqlclient18-32bit-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1
- SUSE Enterprise Storage 5 (aarch64 x86_64):
  libmysqlclient18-10.0.40.2-29.35.1
  libmysqlclient18-debuginfo-10.0.40.2-29.35.1
  mariadb-10.0.40.2-29.35.1
  mariadb-client-10.0.40.2-29.35.1
  mariadb-client-debuginfo-10.0.40.2-29.35.1
  mariadb-debuginfo-10.0.40.2-29.35.1
  mariadb-debugsource-10.0.40.2-29.35.1
mariadb-errormessages-10.0.40.2-29.35.1 mariadb-tools-10.0.40.2-29.35.1 mariadb-tools-debuginfo-10.0.40.2-29.35.1 - SUSE Enterprise Storage 5 (x86_64): libmysqlclient18-32bit-10.0.40.2-29.35.1 libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1 - HPE Helion Openstack 8 (x86_64): libmysqlclient18-10.0.40.2-29.35.1 libmysqlclient18-32bit-10.0.40.2-29.35.1 libmysqlclient18-debuginfo-10.0.40.2-29.35.1 libmysqlclient18-debuginfo-32bit-10.0.40.2-29.35.1 mariadb-10.0.40.2-29.35.1 mariadb-client-10.0.40.2-29.35.1 mariadb-client-debuginfo-10.0.40.2-29.35.1 mariadb-debuginfo-10.0.40.2-29.35.1 mariadb-debugsource-10.0.40.2-29.35.1 mariadb-errormessages-10.0.40.2-29.35.1 mariadb-tools-10.0.40.2-29.35.1 mariadb-tools-debuginfo-10.0.40.2-29.35.1 References: https://www.suse.com/security/cve/CVE-2019-2974.html https://bugzilla.suse.com/1154162 From sle-updates at lists.suse.com Thu Jan 9 07:14:58 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 9 Jan 2020 15:14:58 +0100 (CET) Subject: SUSE-SU-2020:0051-1: moderate: Security update for java-1_7_1-ibm Message-ID: <20200109141458.BB268F79E@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_1-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0051-1 Rating: moderate References: #1154212 #1158442 Cross-References: CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964 CVE-2019-2973 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux 
Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: This update for java-1_7_1-ibm fixes the following issues: - Update to 7.1 Service Refresh 4 Fix Pack 55 [bsc#1158442, bsc#1154212] * Security fixes: CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964 CVE-2019-2978 CVE-2019-2983 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999 CVE-2019-2973 CVE-2019-2981 Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-51=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-51=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-51=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-51=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-51=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-51=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-51=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-51=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-51=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-51=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-51=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-51=1 - SUSE 
Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-51=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-51=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-51=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-51=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-51=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE OpenStack Cloud 8 (x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-devel-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 - SUSE OpenStack Cloud 7 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-devel-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise 
Server for SAP 12-SP1 (x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-devel-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP5 (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP4 (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-devel-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-devel-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.55-38.44.1 java-1_7_1-ibm-devel-1.7.1_sr4.55-38.44.1 
      java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):
      java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1
      java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1

   - SUSE Enterprise Storage 5 (x86_64):
      java-1_7_1-ibm-1.7.1_sr4.55-38.44.1
      java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1
      java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1
      java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1

   - HPE Helion Openstack 8 (x86_64):
      java-1_7_1-ibm-1.7.1_sr4.55-38.44.1
      java-1_7_1-ibm-alsa-1.7.1_sr4.55-38.44.1
      java-1_7_1-ibm-jdbc-1.7.1_sr4.55-38.44.1
      java-1_7_1-ibm-plugin-1.7.1_sr4.55-38.44.1

References:

   https://www.suse.com/security/cve/CVE-2019-2933.html
   https://www.suse.com/security/cve/CVE-2019-2945.html
   https://www.suse.com/security/cve/CVE-2019-2962.html
   https://www.suse.com/security/cve/CVE-2019-2964.html
   https://www.suse.com/security/cve/CVE-2019-2973.html
   https://www.suse.com/security/cve/CVE-2019-2978.html
   https://www.suse.com/security/cve/CVE-2019-2981.html
   https://www.suse.com/security/cve/CVE-2019-2983.html
   https://www.suse.com/security/cve/CVE-2019-2989.html
   https://www.suse.com/security/cve/CVE-2019-2992.html
   https://www.suse.com/security/cve/CVE-2019-2999.html
   https://bugzilla.suse.com/1154212
   https://bugzilla.suse.com/1158442

From sle-updates at lists.suse.com Thu Jan 9 07:13:22 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 9 Jan 2020 15:13:22 +0100 (CET)
Subject: SUSE-SU-2020:0054-1: important: Security update for log4j
Message-ID: <20200109141322.84F44F79E@maintenance.suse.de>

SUSE Security Update: Security update for log4j
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0054-1
Rating:             important
References:         #1159646
Cross-References:   CVE-2019-17571
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for log4j fixes the following issues:

   - CVE-2019-17571: Fixed a remote code execution by deserialization of
     untrusted data in SocketServer (bsc#1159646).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-54=1

   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-54=1

   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-54=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-54=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:
      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-54=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-54=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-54=1

   - SUSE Linux Enterprise Server for SAP 12-SP1:
      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-54=1

   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-54=1

   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-54=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-54=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-54=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-54=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-54=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-54=1

   - SUSE Enterprise Storage 5:
      zypper in -t patch SUSE-Storage-5-2020-54=1

   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2020-54=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch):
      log4j-1.2.15-126.3.1

   - SUSE OpenStack Cloud 8 (noarch):
      log4j-1.2.15-126.3.1

   - SUSE OpenStack Cloud 7 (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):
      log4j-1.2.15-126.3.1
      log4j-manual-1.2.15-126.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch):
      log4j-1.2.15-126.3.1
      log4j-manual-1.2.15-126.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Linux Enterprise Server 12-SP4 (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):
      log4j-1.2.15-126.3.1

   - SUSE Enterprise Storage 5 (noarch):
      log4j-1.2.15-126.3.1

   - HPE Helion Openstack 8 (noarch):
      log4j-1.2.15-126.3.1

References:

   https://www.suse.com/security/cve/CVE-2019-17571.html
   https://bugzilla.suse.com/1159646

From sle-updates at lists.suse.com Thu Jan 9 07:12:31 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 9 Jan 2020 15:12:31 +0100 (CET)
Subject: SUSE-OU-2020:0052-1: Optional update for openslp
Message-ID: <20200109141231.A83D6F79E@maintenance.suse.de>

SUSE Optional Update: Optional update for openslp
______________________________________________________________________________

Announcement ID:    SUSE-OU-2020:0052-1
Rating:             low
References:         #1149792
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
                    SUSE Linux Enterprise Module for Server Applications 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that has one optional fix can now be installed.

Description:

   This update for openslp doesn't fix any user visible bugs.

Patch Instructions:

   To install this SUSE Optional Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-52=1

   - SUSE Linux Enterprise Module for Server Applications 15:
      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2020-52=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-52=1

   - SUSE Linux Enterprise Module for Basesystem 15:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-52=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
      openslp-debuginfo-2.0.0-6.9.1
      openslp-debugsource-2.0.0-6.9.1
      openslp-server-2.0.0-6.9.1
      openslp-server-debuginfo-2.0.0-6.9.1

   - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64):
      openslp-debuginfo-2.0.0-6.9.1
      openslp-debugsource-2.0.0-6.9.1
      openslp-server-2.0.0-6.9.1
      openslp-server-debuginfo-2.0.0-6.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      openslp-2.0.0-6.9.1
      openslp-debuginfo-2.0.0-6.9.1
      openslp-debugsource-2.0.0-6.9.1
      openslp-devel-2.0.0-6.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):
      openslp-32bit-2.0.0-6.9.1
      openslp-32bit-debuginfo-2.0.0-6.9.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
      openslp-2.0.0-6.9.1
      openslp-debuginfo-2.0.0-6.9.1
      openslp-debugsource-2.0.0-6.9.1
      openslp-devel-2.0.0-6.9.1

   - SUSE Linux Enterprise Module for Basesystem 15 (x86_64):
      openslp-32bit-2.0.0-6.9.1
      openslp-32bit-debuginfo-2.0.0-6.9.1

References:

   https://bugzilla.suse.com/1149792

From sle-updates at lists.suse.com Thu Jan 9 10:11:17 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 9 Jan 2020 18:11:17 +0100 (CET)
Subject: SUSE-SU-2020:0059-1: moderate: Security update for nodejs12
Message-ID: <20200109171117.C8A53F79E@maintenance.suse.de>

SUSE Security Update: Security update for nodejs12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0059-1
Rating:             moderate
References:         #1140290 #1146090 #1146091 #1146093 #1146094 #1146095
                    #1146097 #1146099 #1146100 #1149792
Cross-References:   CVE-2019-13173 CVE-2019-9511 CVE-2019-9512 CVE-2019-9513
                    CVE-2019-9514 CVE-2019-9515 CVE-2019-9516 CVE-2019-9517
                    CVE-2019-9518
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that solves 9 vulnerabilities and has one erratum is now available.

Description:

   This update for nodejs12 fixes the following issues:

   Update to LTS release 12.13.0 (jsc#SLE-8947).

   Security issues fixed:

   - CVE-2019-9511: Fixed the HTTP/2 implementation that was vulnerable to
     window size manipulations (bsc#1146091).
   - CVE-2019-9512: Fixed the HTTP/2 implementation that was vulnerable to
     floods using PING frames (bsc#1146099).
   - CVE-2019-9513: Fixed the HTTP/2 implementation that was vulnerable to
     resource loops, potentially leading to a denial of service (bsc#1146094).
   - CVE-2019-9514: Fixed the HTTP/2 implementation that was vulnerable to a
     reset flood, potentially leading to a denial of service (bsc#1146095).
   - CVE-2019-9515: Fixed the HTTP/2 implementation that was vulnerable to a
     SETTINGS frame flood (bsc#1146100).
   - CVE-2019-9516: Fixed the HTTP/2 implementation that was vulnerable to a
     header leak, potentially leading to a denial of service (bsc#1146090).
   - CVE-2019-9517: Fixed the HTTP/2 implementation that was vulnerable to
     unconstrained internal data buffering (bsc#1146097).
   - CVE-2019-9518: Fixed the HTTP/2 implementation that was vulnerable to a
     flood of empty frames, potentially leading to a denial of service
     (bsc#1146093).
   - CVE-2019-13173: Fixed a file overwrite in the fstream.DirWriter()
     function (bsc#1140290).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:
      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-59=1

Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):
      nodejs12-12.13.0-1.3.1
      nodejs12-debuginfo-12.13.0-1.3.1
      nodejs12-debugsource-12.13.0-1.3.1
      nodejs12-devel-12.13.0-1.3.1
      npm12-12.13.0-1.3.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):
      nodejs12-docs-12.13.0-1.3.1

References:

   https://www.suse.com/security/cve/CVE-2019-13173.html
   https://www.suse.com/security/cve/CVE-2019-9511.html
   https://www.suse.com/security/cve/CVE-2019-9512.html
   https://www.suse.com/security/cve/CVE-2019-9513.html
   https://www.suse.com/security/cve/CVE-2019-9514.html
   https://www.suse.com/security/cve/CVE-2019-9515.html
   https://www.suse.com/security/cve/CVE-2019-9516.html
   https://www.suse.com/security/cve/CVE-2019-9517.html
   https://www.suse.com/security/cve/CVE-2019-9518.html
   https://bugzilla.suse.com/1140290
   https://bugzilla.suse.com/1146090
   https://bugzilla.suse.com/1146091
   https://bugzilla.suse.com/1146093
   https://bugzilla.suse.com/1146094
   https://bugzilla.suse.com/1146095
   https://bugzilla.suse.com/1146097
   https://bugzilla.suse.com/1146099
   https://bugzilla.suse.com/1146100
   https://bugzilla.suse.com/1149792

From sle-updates at lists.suse.com Thu Jan 9 10:13:01 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 9 Jan 2020 18:13:01 +0100 (CET)
Subject: SUSE-RU-2020:0057-1: moderate: Recommended update for s390-tools
Message-ID: <20200109171301.7EB5DF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for s390-tools
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0057-1
Rating:             moderate
References:         #1141823 #1155838
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for s390-tools fixes the following issues:

   - dasdfmt: Only query device characteristics in the formatting subtask, and
     output the number of cylinders for YaST to calculate percentages.
     (bsc#1141823, bsc#1155838)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-57=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (s390x):
      osasnmpd-2.1.0-18.3.10
      osasnmpd-debuginfo-2.1.0-18.3.10
      s390-tools-2.1.0-18.3.10
      s390-tools-debuginfo-2.1.0-18.3.10
      s390-tools-debugsource-2.1.0-18.3.10
      s390-tools-hmcdrvfs-2.1.0-18.3.10
      s390-tools-hmcdrvfs-debuginfo-2.1.0-18.3.10
      s390-tools-zdsfs-2.1.0-18.3.10
      s390-tools-zdsfs-debuginfo-2.1.0-18.3.10

References:

   https://bugzilla.suse.com/1141823
   https://bugzilla.suse.com/1155838

From sle-updates at lists.suse.com Thu Jan 9 13:10:51 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 9 Jan 2020 21:10:51 +0100 (CET)
Subject: SUSE-RU-2020:0061-1: moderate: Recommended update for rdma-core
Message-ID: <20200109201051.89416F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for rdma-core
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0061-1
Rating:             moderate
References:         #1157891
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for rdma-core fixes the following issues:

   - Add Broadcom fixes for libbnxtre. (bsc#1157891)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-61=1

   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-61=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
      rdma-core-debugsource-22.5-4.3.1
      rdma-core-devel-22.5-4.3.1
      rsocket-22.5-4.3.1
      rsocket-debuginfo-22.5-4.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (s390x x86_64):
      rsocket-32bit-22.5-4.3.1
      rsocket-debuginfo-32bit-22.5-4.3.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      ibacm-22.5-4.3.1
      ibacm-debuginfo-22.5-4.3.1
      iwpmd-22.5-4.3.1
      iwpmd-debuginfo-22.5-4.3.1
      libibumad3-22.5-4.3.1
      libibumad3-debuginfo-22.5-4.3.1
      libibverbs-22.5-4.3.1
      libibverbs-debuginfo-22.5-4.3.1
      libibverbs-utils-22.5-4.3.1
      libibverbs-utils-debuginfo-22.5-4.3.1
      libibverbs1-22.5-4.3.1
      libibverbs1-debuginfo-22.5-4.3.1
      libmlx4-1-22.5-4.3.1
      libmlx4-1-debuginfo-22.5-4.3.1
      libmlx5-1-22.5-4.3.1
      libmlx5-1-debuginfo-22.5-4.3.1
      librdmacm-utils-22.5-4.3.1
      librdmacm-utils-debuginfo-22.5-4.3.1
      librdmacm1-22.5-4.3.1
      librdmacm1-debuginfo-22.5-4.3.1
      rdma-core-22.5-4.3.1
      rdma-core-debugsource-22.5-4.3.1
      rdma-ndd-22.5-4.3.1
      rdma-ndd-debuginfo-22.5-4.3.1
      srp_daemon-22.5-4.3.1
      srp_daemon-debuginfo-22.5-4.3.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
      libibumad3-32bit-22.5-4.3.1
      libibumad3-debuginfo-32bit-22.5-4.3.1
      libibverbs-32bit-22.5-4.3.1
      libibverbs-debuginfo-32bit-22.5-4.3.1
      libibverbs1-32bit-22.5-4.3.1
      libibverbs1-debuginfo-32bit-22.5-4.3.1
      librdmacm1-32bit-22.5-4.3.1
      librdmacm1-debuginfo-32bit-22.5-4.3.1

   - SUSE Linux Enterprise Server 12-SP5 (x86_64):
      libmlx4-1-32bit-22.5-4.3.1
      libmlx4-1-debuginfo-32bit-22.5-4.3.1
      libmlx5-1-32bit-22.5-4.3.1
      libmlx5-1-debuginfo-32bit-22.5-4.3.1

References:

   https://bugzilla.suse.com/1157891

From sle-updates at lists.suse.com Thu Jan 9 13:12:36 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 9 Jan 2020 21:12:36 +0100 (CET)
Subject: SUSE-SU-2020:14267-1: important: Security update for log4j
Message-ID: <20200109201236.F0F33F79E@maintenance.suse.de>

SUSE Security Update: Security update for log4j
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14267-1
Rating:             important
References:         #1159646
Cross-References:   CVE-2019-17571
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for log4j fixes the following issues:

   - CVE-2019-17571: Fixed a remote code execution by deserialization of
     untrusted data in SocketServer (bsc#1159646).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:
      zypper in -t patch slessp4-log4j-14267=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:
      zypper in -t patch sleposp3-log4j-14267=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (noarch):
      log4j-1.2.15-26.32.14.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (noarch):
      log4j-1.2.15-26.32.14.1

References:

   https://www.suse.com/security/cve/CVE-2019-17571.html
   https://bugzilla.suse.com/1159646

From sle-updates at lists.suse.com Fri Jan 10 07:11:11 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 15:11:11 +0100 (CET)
Subject: SUSE-RU-2020:0067-1: moderate: Recommended update for SUSE Manager Server 3.2
Message-ID: <20200110141111.5AFACF796@maintenance.suse.de>

SUSE Recommended Update: Recommended update for SUSE Manager Server 3.2
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0067-1
Rating:             moderate
References:         #1160043
Affected Products:
                    SUSE Manager Server 3.2
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update fixes the following issues:

   susemanager-sync-data:

   - Add SLE 15 LTSS and ESPOS channel families (bsc#1160043)
   - Add missing channel families for older products
   - Add RHEL 8 Base product
   - Changed RHEL 5, 6 and 7 products to released

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service:
      spacewalk-service stop
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Upgrade the database schema:
      spacewalk-schema-upgrade
   5. Start the Spacewalk service:
      spacewalk-service start

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.2:
      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-67=1

Package List:

   - SUSE Manager Server 3.2 (noarch):
      susemanager-sync-data-3.2.18-3.32.2

References:

   https://bugzilla.suse.com/1160043

From sle-updates at lists.suse.com Fri Jan 10 07:11:50 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 15:11:50 +0100 (CET)
Subject: SUSE-SU-2020:0063-1: important: Security update for nodejs10
Message-ID: <20200110141150.A3182F796@maintenance.suse.de>

SUSE Security Update: Security update for nodejs10
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0063-1
Rating:             important
References:         #1149792 #1159352 #1159812
Cross-References:   CVE-2019-16775 CVE-2019-16776 CVE-2019-16777
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for nodejs10 to version 10.18.0 fixes the following issues:

   Security issues fixed:

   - CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated npm to 6.13.4,
     fixing an arbitrary path overwrite and access via "bin" field
     (bsc#1159352).
   - Added support for chacha20-poly1305 for Authenticated encryption (AEAD).

   Non-security issues fixed:

   - Fix wrong path in gypi files (bsc#1159812)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 12:
      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-63=1

Package List:

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):
      nodejs10-10.18.0-1.15.1
      nodejs10-debuginfo-10.18.0-1.15.1
      nodejs10-debugsource-10.18.0-1.15.1
      nodejs10-devel-10.18.0-1.15.1
      npm10-10.18.0-1.15.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):
      nodejs10-docs-10.18.0-1.15.1

References:

   https://www.suse.com/security/cve/CVE-2019-16775.html
   https://www.suse.com/security/cve/CVE-2019-16776.html
   https://www.suse.com/security/cve/CVE-2019-16777.html
   https://bugzilla.suse.com/1149792
   https://bugzilla.suse.com/1159352
   https://bugzilla.suse.com/1159812

From sle-updates at lists.suse.com Fri Jan 10 07:12:45 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 15:12:45 +0100 (CET)
Subject: SUSE-RU-2020:0066-1: moderate: Recommended update for SUSE Manager Server 4.0
Message-ID: <20200110141245.73855F796@maintenance.suse.de>

SUSE Recommended Update: Recommended update for SUSE Manager Server 4.0
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0066-1
Rating:             moderate
References:         #1160043
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update fixes the following issues:

   susemanager-sync-data:

   - Add SLE 15 LTSS and ESPOS channel families (bsc#1160043)
   - Add missing channel families for older products

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-66=1

Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
      susemanager-sync-data-4.0.15-3.12.3

References:

   https://bugzilla.suse.com/1160043

From sle-updates at lists.suse.com Fri Jan 10 07:13:27 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 15:13:27 +0100 (CET)
Subject: SUSE-SU-2020:0064-1: moderate: Security update for openssl-1_0_0
Message-ID: <20200110141327.961BDF796@maintenance.suse.de>

SUSE Security Update: Security update for openssl-1_0_0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0064-1
Rating:             moderate
References:         #1158809
Cross-References:   CVE-2019-1551
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Legacy Software 15-SP1
                    SUSE Linux Enterprise Module for Legacy Software 15
                    SUSE Enterprise Storage 6
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for openssl-1_0_0 fixes the following issues:

   Security issue fixed:

   - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring
     procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-64=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-64=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-64=1

   - SUSE Linux Enterprise Module for Legacy Software 15:
      zypper in -t patch SUSE-SLE-Module-Legacy-15-2020-64=1

   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2020-64=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
      libopenssl1_0_0-hmac-1.0.2p-3.25.1
      libopenssl1_0_0-steam-1.0.2p-3.25.1
      libopenssl1_0_0-steam-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-cavs-1.0.2p-3.25.1
      openssl-1_0_0-cavs-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-debugsource-1.0.2p-3.25.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
      libopenssl-1_0_0-devel-32bit-1.0.2p-3.25.1
      libopenssl1_0_0-32bit-1.0.2p-3.25.1
      libopenssl1_0_0-32bit-debuginfo-1.0.2p-3.25.1
      libopenssl1_0_0-hmac-32bit-1.0.2p-3.25.1
      libopenssl1_0_0-steam-32bit-1.0.2p-3.25.1
      libopenssl1_0_0-steam-32bit-debuginfo-1.0.2p-3.25.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
      openssl-1_0_0-doc-1.0.2p-3.25.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
      libopenssl1_0_0-hmac-1.0.2p-3.25.1
      libopenssl1_0_0-steam-1.0.2p-3.25.1
      libopenssl1_0_0-steam-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-cavs-1.0.2p-3.25.1
      openssl-1_0_0-cavs-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-debugsource-1.0.2p-3.25.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
      openssl-1_0_0-doc-1.0.2p-3.25.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64):
      libopenssl-1_0_0-devel-1.0.2p-3.25.1
      libopenssl1_0_0-1.0.2p-3.25.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-1.0.2p-3.25.1
      openssl-1_0_0-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-debugsource-1.0.2p-3.25.1

   - SUSE Linux Enterprise Module for Legacy Software 15 (aarch64 ppc64le s390x x86_64):
      libopenssl-1_0_0-devel-1.0.2p-3.25.1
      libopenssl1_0_0-1.0.2p-3.25.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-1.0.2p-3.25.1
      openssl-1_0_0-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-debugsource-1.0.2p-3.25.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      libopenssl1_0_0-1.0.2p-3.25.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-debuginfo-1.0.2p-3.25.1
      openssl-1_0_0-debugsource-1.0.2p-3.25.1

References:

   https://www.suse.com/security/cve/CVE-2019-1551.html
   https://bugzilla.suse.com/1158809

From sle-updates at lists.suse.com Fri Jan 10 07:14:14 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 15:14:14 +0100 (CET)
Subject: SUSE-SU-2020:0068-1: important: Security update for MozillaFirefox
Message-ID: <20200110141414.2488FF796@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0068-1
Rating:             important
References:         #1160305 #1160498
Cross-References:   CVE-2019-17015 CVE-2019-17016 CVE-2019-17017 CVE-2019-17021
                    CVE-2019-17022 CVE-2019-17024 CVE-2019-17026
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Linux Enterprise Desktop 12-SP4
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   - Firefox Extended Support Release 68.4.1 ESR
     * Fixed: Security fix MFSA 2020-03 (bsc#1160498)
     * CVE-2019-17026 (bmo#1607443) IonMonkey type confusion with
       StoreElementHole and FallibleStoreElement

   - Firefox Extended Support Release 68.4.0 ESR
     * Fixed: Various security fixes MFSA 2020-02 (bsc#1160305)
     * CVE-2019-17015 (bmo#1599005) Memory corruption in parent process during
       new content process initialization on Windows
     * CVE-2019-17016 (bmo#1599181) Bypass of @namespace CSS sanitization
       during pasting
     * CVE-2019-17017 (bmo#1603055) Type Confusion in XPCVariant.cpp
     * CVE-2019-17021 (bmo#1599008) Heap address disclosure in parent process
       during content process initialization on Windows
     * CVE-2019-17022 (bmo#1602843) CSS sanitization does not escape HTML tags
     * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826)
       Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-68=1

   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-68=1

   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-68=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-68=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:
      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-68=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-68=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-68=1

   - SUSE Linux Enterprise Server for SAP 12-SP1:
      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-68=1

   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-68=1

   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-68=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-68=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-68=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-68=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-68=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-68=1

   - SUSE Linux Enterprise Desktop 12-SP4:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-68=1

   - SUSE Enterprise Storage 5:
      zypper in -t patch SUSE-Storage-5-2020-68=1

   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2020-68=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE OpenStack Cloud 8 (x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-devel-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-devel-68.4.1-109.101.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-devel-68.4.1-109.101.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-devel-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-devel-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-devel-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-devel-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-devel-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
      MozillaFirefox-translations-common-68.4.1-109.101.1

   - HPE Helion Openstack 8 (x86_64):
      MozillaFirefox-68.4.1-109.101.1
      MozillaFirefox-debuginfo-68.4.1-109.101.1
      MozillaFirefox-debugsource-68.4.1-109.101.1
MozillaFirefox-translations-common-68.4.1-109.101.1 References: https://www.suse.com/security/cve/CVE-2019-17015.html https://www.suse.com/security/cve/CVE-2019-17016.html https://www.suse.com/security/cve/CVE-2019-17017.html https://www.suse.com/security/cve/CVE-2019-17021.html https://www.suse.com/security/cve/CVE-2019-17022.html https://www.suse.com/security/cve/CVE-2019-17024.html https://www.suse.com/security/cve/CVE-2019-17026.html https://bugzilla.suse.com/1160305 https://bugzilla.suse.com/1160498 From sle-updates at lists.suse.com Fri Jan 10 07:15:03 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 10 Jan 2020 15:15:03 +0100 (CET) Subject: SUSE-SU-2020:0065-1: moderate: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Message-ID: <20200110141503.D5AC5F796@maintenance.suse.de> SUSE Security Update: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0065-1 Rating: moderate References: #1122469 #1143349 #1150397 #1152308 #1153367 #1158590 Cross-References: CVE-2019-16884 Affected Products: SUSE Linux Enterprise Module for Containers 12 SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that solves one vulnerability and has 5 fixes is now available. Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issue fixed: - CVE-2019-16884: Fixed incomplete patch for LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308). Bug fixes: - Update to Docker 19.03.5-ce (bsc#1158590). - Update to Docker 19.03.3-ce (bsc#1153367). - Update to Docker 19.03.2-ce (bsc#1150397). - Fixed default installation such that --userns-remap=default works properly (bsc#1143349). 
   - Fixed nginx blocked by apparmor (bsc#1122469).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Containers 12:
      zypper in -t patch SUSE-SLE-Module-Containers-12-2020-65=1
   - SUSE CaaS Platform 3.0:
      To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

   - SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64):
      containerd-1.2.10-16.26.1
      docker-19.03.5_ce-98.51.1
      docker-debuginfo-19.03.5_ce-98.51.1
      docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-28.1
      docker-libnetwork-debuginfo-0.7.0.1+gitr2877_3eb39382bfa6-28.1
      docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1

   - SUSE CaaS Platform 3.0 (x86_64):
      containerd-kubic-1.2.10-16.26.1
      docker-kubic-19.03.5_ce-98.51.1
      docker-kubic-debuginfo-19.03.5_ce-98.51.1
      docker-libnetwork-kubic-0.7.0.1+gitr2877_3eb39382bfa6-28.1
      docker-libnetwork-kubic-debuginfo-0.7.0.1+gitr2877_3eb39382bfa6-28.1
      docker-runc-kubic-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1
      docker-runc-kubic-debuginfo-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1

References:

   https://www.suse.com/security/cve/CVE-2019-16884.html
   https://bugzilla.suse.com/1122469
   https://bugzilla.suse.com/1143349
   https://bugzilla.suse.com/1150397
   https://bugzilla.suse.com/1152308
   https://bugzilla.suse.com/1153367
   https://bugzilla.suse.com/1158590

From sle-updates at lists.suse.com Fri Jan 10 07:16:24 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 15:16:24 +0100 (CET)
Subject: SUSE-RU-2020:0062-1: moderate: Recommended update for flex
Message-ID: <20200110141624.D7E98F796@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for flex
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0062-1
Rating:             moderate
References:         #1026047 #1160201
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update of flex fixes the following issues:

   - Flex was updated to 2.6.4, fixing various bugs.
   - The new subpackages libfl-devel and libfl2 were split out of the main flex package.

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-62=1
   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-62=1
   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-62=1
   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-62=1
   - SUSE Linux Enterprise Software Development Kit 12-SP4:
      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-62=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-62=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-62=1
   - SUSE Linux Enterprise Server for SAP 12-SP1:
      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-62=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-62=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-62=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-62=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-62=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-62=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-62=1
   - SUSE Linux Enterprise Server 12-SP1-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-62=1
   - SUSE Enterprise Storage 5:
      zypper in -t patch SUSE-Storage-5-2020-62=1
   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2020-62=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debuginfo-32bit-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE OpenStack Cloud 8 (x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debuginfo-32bit-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debuginfo-32bit-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
      flex-debuginfo-32bit-2.6.4-9.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
      flex-debuginfo-32bit-2.6.4-9.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debuginfo-32bit-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
      flex-debuginfo-32bit-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):
      flex-debuginfo-32bit-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
      flex-debuginfo-32bit-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debuginfo-32bit-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):
      flex-debuginfo-32bit-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debuginfo-32bit-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64):
      flex-debuginfo-32bit-2.6.4-9.3.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

   - SUSE Enterprise Storage 5 (x86_64):
      flex-debuginfo-32bit-2.6.4-9.3.1

   - HPE Helion Openstack 8 (x86_64):
      flex-2.6.4-9.3.1
      flex-debuginfo-2.6.4-9.3.1
      flex-debuginfo-32bit-2.6.4-9.3.1
      flex-debugsource-2.6.4-9.3.1
      libfl-devel-2.6.4-9.3.1
      libfl2-2.6.4-9.3.1
      libfl2-debuginfo-2.6.4-9.3.1

References:

   https://bugzilla.suse.com/1026047
   https://bugzilla.suse.com/1160201

From sle-updates at lists.suse.com Fri Jan 10 10:11:06 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 18:11:06 +0100 (CET)
Subject: SUSE-RU-2020:0073-1: important: Initial shipment of package SLE_HPC-ESPOS-release
Message-ID: <20200110171106.2B060F798@maintenance.suse.de>

   SUSE Recommended Update: Initial shipment of package SLE_HPC-ESPOS-release
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0073-1
Rating:             important
References:         #1160312
Affected Products:
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This patch ships the SLE_HPC-ESPOS-release package to SUSE Linux Enterprise Server HPC 15 customers.

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-73=1

Package List:

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      SLE_HPC-ESPOS-release-15-1.3.1

References:

   https://bugzilla.suse.com/1160312

From sle-updates at lists.suse.com Fri Jan 10 10:12:20 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 18:12:20 +0100 (CET)
Subject: SUSE-RU-2020:0076-1: moderate: Recommended update for yast2-firstboot
Message-ID: <20200110171220.07ADCF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for yast2-firstboot
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0076-1
Rating:             moderate
References:         #1158681
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP3
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for yast2-firstboot fixes the following issues:

   - Fix the acl_version method when parsing the cib.xml (bsc#1158681)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP3:
      zypper in -t patch SUSE-SLE-HA-12-SP3-2020-76=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64):
      hawk2-2.1.0+git.1516013868.bada8da4-2.19.1
      hawk2-debuginfo-2.1.0+git.1516013868.bada8da4-2.19.1
      hawk2-debugsource-2.1.0+git.1516013868.bada8da4-2.19.1

References:

   https://bugzilla.suse.com/1158681

From sle-updates at lists.suse.com Fri Jan 10 10:13:01 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 18:13:01 +0100 (CET)
Subject: SUSE-SU-2020:0069-1: moderate: Security update for openssl-1_1
Message-ID: <20200110171301.06545F798@maintenance.suse.de>

   SUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0069-1
Rating:             moderate
References:         #1155346 #1157775 #1158101 #1158809
Cross-References:   CVE-2019-1551
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now available.

Description:

   This update for openssl-1_1 fixes the following issues:

   Security issue fixed:

   - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

   Various FIPS related improvements were done:

   - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
   - Port FIPS patches from SLE-12 (bsc#1158101).
   - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-69=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-69=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
      openssl-1_1-doc-1.1.0i-14.6.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
      libopenssl-1_1-devel-32bit-1.1.0i-14.6.1
      openssl-1_1-debugsource-1.1.0i-14.6.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      libopenssl-1_1-devel-1.1.0i-14.6.1
      libopenssl1_1-1.1.0i-14.6.1
      libopenssl1_1-debuginfo-1.1.0i-14.6.1
      libopenssl1_1-hmac-1.1.0i-14.6.1
      openssl-1_1-1.1.0i-14.6.1
      openssl-1_1-debuginfo-1.1.0i-14.6.1
      openssl-1_1-debugsource-1.1.0i-14.6.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):
      libopenssl1_1-32bit-1.1.0i-14.6.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.6.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.6.1

References:

   https://www.suse.com/security/cve/CVE-2019-1551.html
   https://bugzilla.suse.com/1155346
   https://bugzilla.suse.com/1157775
   https://bugzilla.suse.com/1158101
   https://bugzilla.suse.com/1158809

From sle-updates at lists.suse.com Fri Jan 10 10:14:03 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 18:14:03 +0100 (CET)
Subject: SUSE-SU-2020:14268-1: important: Security update for MozillaFirefox
Message-ID: <20200110171403.3BE41F798@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14268-1
Rating:             important
References:         #1160305 #1160498
Cross-References:   CVE-2019-17015 CVE-2019-17016 CVE-2019-17017 CVE-2019-17021
                    CVE-2019-17022 CVE-2019-17024 CVE-2019-17026
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   - Firefox Extended Support Release 68.4.1 ESR
     * Fixed: Security fix MFSA 2020-03 (bsc#1160498)
     * CVE-2019-17026 (bmo#1607443) IonMonkey type confusion with StoreElementHole and FallibleStoreElement

   - Firefox Extended Support Release 68.4.0 ESR
     * Fixed: Various security fixes MFSA 2020-02 (bsc#1160305)
     * CVE-2019-17015 (bmo#1599005) Memory corruption in parent process during new content process initialization on Windows
     * CVE-2019-17016 (bmo#1599181) Bypass of @namespace CSS sanitization during pasting
     * CVE-2019-17017 (bmo#1603055) Type Confusion in XPCVariant.cpp
     * CVE-2019-17021 (bmo#1599008) Heap address disclosure in parent process during content process initialization on Windows
     * CVE-2019-17022 (bmo#1602843) CSS sanitization does not escape HTML tags
     * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826) Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:
      zypper in -t patch slessp4-MozillaFirefox-14268=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):
      MozillaFirefox-68.4.1-78.57.1
      MozillaFirefox-translations-common-68.4.1-78.57.1
      MozillaFirefox-translations-other-68.4.1-78.57.1

References:

   https://www.suse.com/security/cve/CVE-2019-17015.html
   https://www.suse.com/security/cve/CVE-2019-17016.html
   https://www.suse.com/security/cve/CVE-2019-17017.html
   https://www.suse.com/security/cve/CVE-2019-17021.html
   https://www.suse.com/security/cve/CVE-2019-17022.html
   https://www.suse.com/security/cve/CVE-2019-17024.html
   https://www.suse.com/security/cve/CVE-2019-17026.html
   https://bugzilla.suse.com/1160305
   https://bugzilla.suse.com/1160498

From sle-updates at lists.suse.com Fri Jan 10 10:14:53 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 18:14:53 +0100 (CET)
Subject: SUSE-OU-2020:0074-1: Optional update for yast2-dhcp-server
Message-ID: <20200110171453.3AA60F798@maintenance.suse.de>

   SUSE Optional Update: Optional update for yast2-dhcp-server
______________________________________________________________________________

Announcement ID:    SUSE-OU-2020:0074-1
Rating:             low
References:         #1103691 #1104644
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that has two optional fixes can now be installed.

Description:

   This update for yast2-dhcp-server doesn't fix any user visible issues.

Patch Instructions:

   To install this SUSE Optional Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-74=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15 (noarch):
      yast2-dhcp-server-4.0.3-3.6.129

References:

   https://bugzilla.suse.com/1103691
   https://bugzilla.suse.com/1104644

From sle-updates at lists.suse.com Fri Jan 10 10:15:45 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 18:15:45 +0100 (CET)
Subject: SUSE-RU-2020:0072-1: important: Initial shipment of package SLE_HPC-LTSS-release
Message-ID: <20200110171545.063C7F79E@maintenance.suse.de>

   SUSE Recommended Update: Initial shipment of package SLE_HPC-LTSS-release
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0072-1
Rating:             important
References:         #1160312
Affected Products:
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This patch ships the SLE_HPC-LTSS-release package to SUSE Linux Enterprise Server HPC 15 customers.

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-72=1

Package List:

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      SLE_HPC-LTSS-release-15-1.4.1

References:

   https://bugzilla.suse.com/1160312

From sle-updates at lists.suse.com Fri Jan 10 13:10:46 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 10 Jan 2020 21:10:46 +0100 (CET)
Subject: SUSE-RU-2020:0077-1: moderate: Recommended update for drbd
Message-ID: <20200110201046.87C7DF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for drbd
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0077-1
Rating:             moderate
References:         #1154084
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for drbd fixes the following issues:

   - Fix for potential double call of drbd backing device. (bsc#1154084)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-77=1
   - SUSE Linux Enterprise High Availability 15-SP1:
      zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-77=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
      drbd-kmp-rt-9.0.16+git.ab9777df_k4.12.14_14.14-8.6.7
      drbd-kmp-rt-debuginfo-9.0.16+git.ab9777df_k4.12.14_14.14-8.6.7

   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):
      drbd-9.0.16+git.ab9777df-8.6.7
      drbd-debugsource-9.0.16+git.ab9777df-8.6.7
      drbd-kmp-default-9.0.16+git.ab9777df_k4.12.14_197.29-8.6.7
      drbd-kmp-default-debuginfo-9.0.16+git.ab9777df_k4.12.14_197.29-8.6.7

References:

   https://bugzilla.suse.com/1154084

From sle-updates at lists.suse.com Sat Jan 11 02:37:04 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 11 Jan 2020 10:37:04 +0100 (CET)
Subject: SUSE-CU-2020:5-1: Security update of suse/sle15
Message-ID: <20200111093704.9FBE7F79E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:5-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.138
Severity              : moderate
Type                  : security
References            : 1155346 1157775 1158101 1158809 CVE-2019-1551 SLE-8789
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released:    Fri Jan 10 12:33:59 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
Description:

This update for openssl-1_1 fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Various FIPS related improvements were done:

- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

From sle-updates at lists.suse.com Mon Jan 13 07:11:30 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 13 Jan 2020 15:11:30 +0100 (CET)
Subject: SUSE-SU-2020:0079-1: moderate: Security update for libzypp
Message-ID: <20200113141130.7E28BF796@maintenance.suse.de>

   SUSE Security Update: Security update for libzypp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0079-1
Rating:             moderate
References:         #1158763
Cross-References:   CVE-2019-18900
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libzypp fixes the following issues:

   Security issue fixed:

   - CVE-2019-18900: Fixed an assert cookie file that was world readable (bsc#1158763).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-79=1
   - SUSE Linux Enterprise Software Development Kit 12-SP4:
      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-79=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-79=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-79=1
   - SUSE Linux Enterprise Desktop 12-SP4:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-79=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
      libzypp-debuginfo-16.21.2-2.45.1
      libzypp-debugsource-16.21.2-2.45.1
      libzypp-devel-16.21.2-2.45.1
      libzypp-devel-doc-16.21.2-2.45.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
      libzypp-debuginfo-16.21.2-2.45.1
      libzypp-debugsource-16.21.2-2.45.1
      libzypp-devel-16.21.2-2.45.1
      libzypp-devel-doc-16.21.2-2.45.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      libzypp-16.21.2-2.45.1
      libzypp-debuginfo-16.21.2-2.45.1
      libzypp-debugsource-16.21.2-2.45.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      libzypp-16.21.2-2.45.1
      libzypp-debuginfo-16.21.2-2.45.1
      libzypp-debugsource-16.21.2-2.45.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
      libzypp-16.21.2-2.45.1
      libzypp-debuginfo-16.21.2-2.45.1
      libzypp-debugsource-16.21.2-2.45.1

References:

   https://www.suse.com/security/cve/CVE-2019-18900.html
   https://bugzilla.suse.com/1158763

From sle-updates at lists.suse.com Mon Jan 13 07:12:11 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 13 Jan 2020 15:12:11 +0100 (CET)
Subject: SUSE-RU-2020:0082-1: moderate: Recommended update for sle-ha-geo-manuals_en
Message-ID:
<20200113141211.E7C97F796@maintenance.suse.de> SUSE Recommended Update: Recommended update for sle-ha-geo-manuals_en ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0082-1 Rating: moderate References: #1158022 Affected Products: SUSE Linux Enterprise High Availability GEO 12-SP5 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for sle-ha-geo-manuals_en fixes the following issues: - Updated English version of the Manuals for the SLE HA 12 SP5 public release. (bsc#1158022) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability GEO 12-SP5: zypper in -t patch SUSE-SLE-HA-GEO-12-SP5-2020-82=1 Package List: - SUSE Linux Enterprise High Availability GEO 12-SP5 (noarch): sle-ha-geo-manuals_en-12.5-3.3.8 sle-ha-geo-quick_en-pdf-12.5-3.3.8 References: https://bugzilla.suse.com/1158022 From sle-updates at lists.suse.com Mon Jan 13 07:12:51 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 13 Jan 2020 15:12:51 +0100 (CET) Subject: SUSE-RU-2020:0080-1: moderate: Recommended update to sle-we-release Message-ID: <20200113141252.01871F796@maintenance.suse.de> SUSE Recommended Update: Recommended update to sle-we-release ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0080-1 Rating: moderate References: #1155556 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description:

   This update of the SUSE Linux Enterprise Workstation Extensions release package
   adjusts the EOL time to October 31st 2024.

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:

      zypper in -t patch SUSE-SLE-WE-12-SP5-2020-80=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

      sle-we-release-12.5-9.4.1
      sle-we-release-POOL-12.5-9.4.1

References:

   https://bugzilla.suse.com/1155556


From sle-updates at lists.suse.com Mon Jan 13 07:13:32 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 13 Jan 2020 15:13:32 +0100 (CET)
Subject: SUSE-SU-2020:0081-1: moderate: Security update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client
Message-ID: <20200113141332.500A5F796@maintenance.suse.de>

SUSE Security Update: Security update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0081-1
Rating:             moderate
References:         #1157028 #1157482 #1158675 #917802
Cross-References:   CVE-2015-3448 CVE-2019-13117 CVE-2019-16770
Affected Products:
                    SUSE OpenStack Cloud 7
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now available.
Description:

   This update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui,
   openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma,
   rubygem-rest-client contains the following fixes:

   Security issue fixed for rubygem-puma:

   - CVE-2019-16770: Fixed a potential denial of service in Puma's reactor
     (bsc#1158675, jsc#SOC-10999)

   Security issue fixed for rubygem-rest-client:

   - CVE-2015-3448: Fixed a plain text local password disclosure. (bsc#917802)

   Updates for crowbar-core:

   - Update to version 4.0+git.1574788924.e4a6aeb0c:
     * Allow pacemaker remotes for upgrade (SOC-10133)
   - Update to version 4.0+git.1574713660.972029d1a:
     * Ignore CVE-2019-13117 in CI builds (bsc#1157028)

   Updates for crowbar-openstack:

   - Update to version 4.0+git.1574869671.9c7bade2d:
     * tempest: configure Kibana version (SOC-10131)
   - Update to version 4.0+git.1574764112.c260c70e5:
     * horizon: install lbaas horizon dashboard (SOC-10883)

   Updates for openstack-horizon-plugin-monasca-ui:

   - Refresh allow-raw-grafana-links.patch
   - update to version 1.5.5~dev3
     * Replace openstack.org git:// URLs with https://
     * Fix the partial missing metrics in Create Alarm Definition flow
     * import zuul job settings from project-config
     * Fix incorrect splitting of dimension in ProxyView
     * Fix Alarm status Panel on Overview page
     * Change IntegerField to ChoiceField for notification period
     * Imported Translations from Zanata
     * Display unique metric names for alarm
     * Fix Alarm Details section in Alarm History view
     * Fix validators for creating and editing notifications
     * Center the text for the button Deterministic
     * Adding title to Filter Alarms pop-up
     * Fix misleading validation error
     * Fix nit found in monasca-ui
     * Fix Breadcrumbs
     * Fix description for name field
     * Fixing 'Create Alarm Definition' for IE11
     * Imported Translations from Zanata

   Updates to openstack-monasca-api:

   - added fix-metric-name-offset.patch (SOC-10131)
   - removed 0001-Fix-InfluxDB-repository-list_dimension_values-to-sup.patch (merged upstream)
   - update to version 1.7.1~dev18
     * Replace openstack.org git:// URLs with https://
     * import zuul job settings from project-config
     * Upgrade Apache Storm to 1.0.6
     * Zuul: Remove project name

   Updates to openstack-monasca-log-api:

   - added fix-tempest-region.patch (SOC-10131)
   - update to version 1.4.3~dev3
     * Replace openstack.org git:// URLs with https://
     * import zuul job settings from project-config
     * Avoid tox_install.sh for constraints support

   Updates to openstack-neutron:

   - neutron: Remove stop action from ovs-cleanup (bsc#1157482)
     backport of https://review.opendev.org/#/c/695867/

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-81=1

Package List:

   - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

      crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2
      crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2
      ruby2.1-rubygem-puma-2.16.0-4.3.1
      ruby2.1-rubygem-puma-debuginfo-2.16.0-4.3.1
      rubygem-puma-debugsource-2.16.0-4.3.1

   - SUSE OpenStack Cloud 7 (noarch):

      crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1
      grafana-monasca-ui-drilldown-1.5.5~dev3-8.1
      openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1
      openstack-monasca-api-1.7.1~dev18-12.1
      openstack-monasca-log-api-1.4.3~dev3-5.1
      openstack-neutron-9.4.2~dev21-7.38.1
      openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1
      openstack-neutron-doc-9.4.2~dev21-7.38.1
      openstack-neutron-ha-tool-9.4.2~dev21-7.38.1
      openstack-neutron-l3-agent-9.4.2~dev21-7.38.1
      openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1
      openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1
      openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1
      openstack-neutron-metering-agent-9.4.2~dev21-7.38.1
      openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1
      openstack-neutron-server-9.4.2~dev21-7.38.1
      python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1
      python-monasca-api-1.7.1~dev18-12.1
      python-monasca-log-api-1.4.3~dev3-5.1
      python-neutron-9.4.2~dev21-7.38.1

References:

   https://www.suse.com/security/cve/CVE-2015-3448.html
   https://www.suse.com/security/cve/CVE-2019-13117.html
   https://www.suse.com/security/cve/CVE-2019-16770.html
   https://bugzilla.suse.com/1157028
   https://bugzilla.suse.com/1157482
   https://bugzilla.suse.com/1158675
   https://bugzilla.suse.com/917802


From sle-updates at lists.suse.com Mon Jan 13 07:14:34 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 13 Jan 2020 15:14:34 +0100 (CET)
Subject: SUSE-RU-2020:0083-1: moderate: Recommended update for drbd
Message-ID: <20200113141434.A36BBF796@maintenance.suse.de>

SUSE Recommended Update: Recommended update for drbd
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0083-1
Rating:             moderate
References:         #1154084
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for drbd fixes the following issues:

   - Fix for potential double call of drbd backing device. (bsc#1154084)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP5:

      zypper in -t patch SUSE-SLE-HA-12-SP5-2020-83=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):

      drbd-9.0.14+git.62f906cf-11.3.7
      drbd-debugsource-9.0.14+git.62f906cf-11.3.7
      drbd-kmp-default-9.0.14+git.62f906cf_k4.12.14_122.12-11.3.7
      drbd-kmp-default-debuginfo-9.0.14+git.62f906cf_k4.12.14_122.12-11.3.7

References:

   https://bugzilla.suse.com/1154084


From sle-updates at lists.suse.com Mon Jan 13 07:15:21 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 13 Jan 2020 15:15:21 +0100 (CET)
Subject: SUSE-SU-2020:0078-1: important: Security update for MozillaFirefox
Message-ID: <20200113141521.546AEF796@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0078-1
Rating:             important
References:         #1160305 #1160498
Cross-References:   CVE-2019-17015 CVE-2019-17016 CVE-2019-17017 CVE-2019-17021
                    CVE-2019-17022 CVE-2019-17024 CVE-2019-17026
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.
Description:

   This update for MozillaFirefox fixes the following issues:

   - Firefox Extended Support Release 68.4.1 ESR
     * Fixed: Security fix MFSA 2020-03 (bsc#1160498)
     * CVE-2019-17026 (bmo#1607443) IonMonkey type confusion with StoreElementHole
       and FallibleStoreElement

   - Firefox Extended Support Release 68.4.0 ESR
     * Fixed: Various security fixes MFSA 2020-02 (bsc#1160305)
     * CVE-2019-17015 (bmo#1599005) Memory corruption in parent process during new
       content process initialization on Windows
     * CVE-2019-17016 (bmo#1599181) Bypass of @namespace CSS sanitization during pasting
     * CVE-2019-17017 (bmo#1603055) Type Confusion in XPCVariant.cpp
     * CVE-2019-17021 (bmo#1599008) Heap address disclosure in parent process during
       content process initialization on Windows
     * CVE-2019-17022 (bmo#1602843) CSS sanitization does not escape HTML tags
     * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826) Memory safety
       bugs fixed in Firefox 72 and Firefox ESR 68.4

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-78=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-78=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-78=1

   - SUSE Linux Enterprise Module for Desktop Applications 15:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2020-78=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-branding-upstream-68.4.1-3.66.1
      MozillaFirefox-debuginfo-68.4.1-3.66.1
      MozillaFirefox-debugsource-68.4.1-3.66.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      MozillaFirefox-buildsymbols-68.4.1-3.66.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x):

      MozillaFirefox-devel-68.4.1-3.66.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-branding-upstream-68.4.1-3.66.1
      MozillaFirefox-debuginfo-68.4.1-3.66.1
      MozillaFirefox-debugsource-68.4.1-3.66.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-68.4.1-3.66.1
      MozillaFirefox-debuginfo-68.4.1-3.66.1
      MozillaFirefox-debugsource-68.4.1-3.66.1
      MozillaFirefox-translations-common-68.4.1-3.66.1
      MozillaFirefox-translations-other-68.4.1-3.66.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le x86_64):

      MozillaFirefox-devel-68.4.1-3.66.1

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-68.4.1-3.66.1
      MozillaFirefox-debuginfo-68.4.1-3.66.1
      MozillaFirefox-debugsource-68.4.1-3.66.1
      MozillaFirefox-devel-68.4.1-3.66.1
      MozillaFirefox-translations-common-68.4.1-3.66.1
      MozillaFirefox-translations-other-68.4.1-3.66.1

References:

   https://www.suse.com/security/cve/CVE-2019-17015.html
   https://www.suse.com/security/cve/CVE-2019-17016.html
   https://www.suse.com/security/cve/CVE-2019-17017.html
   https://www.suse.com/security/cve/CVE-2019-17021.html
   https://www.suse.com/security/cve/CVE-2019-17022.html
   https://www.suse.com/security/cve/CVE-2019-17024.html
   https://www.suse.com/security/cve/CVE-2019-17026.html
   https://bugzilla.suse.com/1160305
   https://bugzilla.suse.com/1160498


From sle-updates at lists.suse.com Mon Jan 13 10:12:10 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 13 Jan 2020 18:12:10 +0100 (CET)
Subject: SUSE-SU-2020:0086-1: moderate: Security update for e2fsprogs
Message-ID: <20200113171210.A66F6F798@maintenance.suse.de>

SUSE Security Update: Security update for e2fsprogs
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0086-1
Rating:             moderate
References:         #1160571
Cross-References:   CVE-2019-5188
Affected Products:
                    SUSE CaaS Platform 3.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for e2fsprogs fixes the following issues:

   - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing
     functionality (bsc#1160571).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE CaaS Platform 3.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform
      you if it detects new updates and let you then trigger updating of the complete
      cluster in a controlled way.
Package List:

   - SUSE CaaS Platform 3.0 (x86_64):

      e2fsprogs-1.42.11-16.6.1
      e2fsprogs-debuginfo-1.42.11-16.6.1
      e2fsprogs-debugsource-1.42.11-16.6.1
      libcom_err2-1.42.11-16.6.1
      libcom_err2-debuginfo-1.42.11-16.6.1
      libext2fs2-1.42.11-16.6.1
      libext2fs2-debuginfo-1.42.11-16.6.1

References:

   https://www.suse.com/security/cve/CVE-2019-5188.html
   https://bugzilla.suse.com/1160571


From sle-updates at lists.suse.com Mon Jan 13 10:12:52 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 13 Jan 2020 18:12:52 +0100 (CET)
Subject: SUSE-RU-2020:0084-1: moderate: Recommended update for hawk2
Message-ID: <20200113171252.6E661F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for hawk2
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0084-1
Rating:             moderate
References:         #1158681
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for hawk2 fixes the following issues:

   - Fix the 'acl_version' method when parsing the cib.xml avoid hanging of HAWK2
     (bsc#1158681)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP5:

      zypper in -t patch SUSE-SLE-HA-12-SP5-2020-84=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2020-84=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):

      hawk2-2.1.0+git.1539075484.48179981-3.6.1
      hawk2-debuginfo-2.1.0+git.1539075484.48179981-3.6.1
      hawk2-debugsource-2.1.0+git.1539075484.48179981-3.6.1

   - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):

      hawk2-2.1.0+git.1539075484.48179981-3.6.1
      hawk2-debuginfo-2.1.0+git.1539075484.48179981-3.6.1
      hawk2-debugsource-2.1.0+git.1539075484.48179981-3.6.1

References:

   https://bugzilla.suse.com/1158681


From sle-updates at lists.suse.com Mon Jan 13 10:13:36 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 13 Jan 2020 18:13:36 +0100 (CET)
Subject: SUSE-SU-2020:0087-1: moderate: Security update for libsolv, libzypp, zypper
Message-ID: <20200113171336.A47B8F796@maintenance.suse.de>

SUSE Security Update: Security update for libsolv, libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0087-1
Rating:             moderate
References:         #1135114 #1154804 #1154805 #1155198 #1155205 #1155298 #1155678
                    #1155819 #1156158 #1157377 #1158763
Cross-References:   CVE-2019-18900
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15
                    SUSE Linux Enterprise Installer 15
______________________________________________________________________________

   An update that solves one vulnerability and has 10 fixes is now available.
Description:

   This update for libsolv, libzypp, zypper fixes the following issues:

   Security issue fixed:

   - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

   Bug fixes:

   - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
   - Adds libzypp API to mark all obsolete kernels according to the existing
     purge-kernel script rules (bsc#1155198).
   - Do not enforce 'en' being in RequestedLocales. If the user decides to have a
     system without explicit language support he may do so (bsc#1155678).
   - Load only target resolvables for zypper rm (bsc#1157377).
   - Fix broken search by filelist (bsc#1135114).
   - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
   - Do not sort out requested locales which are not available (bsc#1155678).
   - Prevent listing duplicate matches in tables. XML result is provided within the
     new list-patches-byissue element (bsc#1154805).
   - XML add patch issue-date and issue-list (bsc#1154805).
   - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
   - Always execute commit when adding/removing locales (fixes bsc#1155205).
   - Fix description of --table-style,-s in man page (bsc#1154804).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-87=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-87=1

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-87=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-87=1

   - SUSE Linux Enterprise Installer 15:

      zypper in -t patch SUSE-SLE-INSTALLER-15-2020-87=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      python-solv-0.7.10-3.22.1
      python-solv-debuginfo-0.7.10-3.22.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      libsolv-debuginfo-0.7.10-3.22.1
      libsolv-debugsource-0.7.10-3.22.1
      libsolv-demo-0.7.10-3.22.1
      libsolv-demo-debuginfo-0.7.10-3.22.1
      libzypp-debuginfo-17.19.0-3.34.1
      libzypp-debugsource-17.19.0-3.34.1
      libzypp-devel-doc-17.19.0-3.34.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      zypper-aptitude-1.14.33-3.29.1

   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):

      libsolv-debuginfo-0.7.10-3.22.1
      libsolv-debugsource-0.7.10-3.22.1
      perl-solv-0.7.10-3.22.1
      perl-solv-debuginfo-0.7.10-3.22.1
      python3-solv-0.7.10-3.22.1
      python3-solv-debuginfo-0.7.10-3.22.1
      ruby-solv-0.7.10-3.22.1
      ruby-solv-debuginfo-0.7.10-3.22.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      libsolv-debuginfo-0.7.10-3.22.1
      libsolv-debugsource-0.7.10-3.22.1
      libsolv-devel-0.7.10-3.22.1
      libsolv-devel-debuginfo-0.7.10-3.22.1
      libsolv-tools-0.7.10-3.22.1
      libsolv-tools-debuginfo-0.7.10-3.22.1
      libzypp-17.19.0-3.34.1
      libzypp-debuginfo-17.19.0-3.34.1
      libzypp-debugsource-17.19.0-3.34.1
      libzypp-devel-17.19.0-3.34.1
      python-solv-0.7.10-3.22.1
      python-solv-debuginfo-0.7.10-3.22.1
      zypper-1.14.33-3.29.1
      zypper-debuginfo-1.14.33-3.29.1
      zypper-debugsource-1.14.33-3.29.1

   - SUSE Linux Enterprise Module for Basesystem 15 (noarch):

      zypper-log-1.14.33-3.29.1

   - SUSE Linux Enterprise Installer 15 (aarch64 ppc64le s390x x86_64):

      libsolv-tools-0.7.10-3.22.1
      libzypp-17.19.0-3.34.1
      zypper-1.14.33-3.29.1

References:

   https://www.suse.com/security/cve/CVE-2019-18900.html
   https://bugzilla.suse.com/1135114
   https://bugzilla.suse.com/1154804
   https://bugzilla.suse.com/1154805
   https://bugzilla.suse.com/1155198
   https://bugzilla.suse.com/1155205
   https://bugzilla.suse.com/1155298
   https://bugzilla.suse.com/1155678
   https://bugzilla.suse.com/1155819
   https://bugzilla.suse.com/1156158
   https://bugzilla.suse.com/1157377
   https://bugzilla.suse.com/1158763


From sle-updates at lists.suse.com Mon Jan 13 16:15:20 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 00:15:20 +0100 (CET)
Subject: SUSE-RU-2020:0091-1: moderate: Recommended update for sle-ha-install-quick_en
Message-ID: <20200113231520.A6B43F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for sle-ha-install-quick_en
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0091-1
Rating:             moderate
References:         #1158022
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for sle-ha-install-quick_en fixes the following issues:

   - Updated English version of Installation Manuals for the SLE HA 12 SP5 public release.
     (bsc#1158022)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP5:

      zypper in -t patch SUSE-SLE-HA-12-SP5-2020-91=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2020-91=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP5 (noarch):

      sle-ha-install-quick_en-12.5-3.3.9

   - SUSE Linux Enterprise High Availability 12-SP4 (noarch):

      sle-ha-install-quick_en-12.5-3.3.9

References:

   https://bugzilla.suse.com/1158022


From sle-updates at lists.suse.com Mon Jan 13 16:15:59 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 00:15:59 +0100 (CET)
Subject: SUSE-FU-2020:0089-1: moderate: Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
Message-ID: <20200113231559.9688EF798@maintenance.suse.de>

SUSE Feature Update: Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
______________________________________________________________________________

Announcement ID:    SUSE-FU-2020:0089-1
Rating:             moderate
References:         #1100838 #1118897 #1118898 #1118899 #1143813 #1144065 #1146991
                    #1147142 #1152861 #1155810 #1156646
Affected Products:
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that has 11 feature fixes can now be installed.

Description:

   = Required Actions

   == Skuba and helm update Instructions

   Update skuba and helm on your management workstation as you would do with any
   other package.
   Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup

   [WARNING]
   ====
   When running helm-init you may hit a
   link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the certificate validation]:

   ----
   https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached:
   Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority
   ----

   In order to fix this, run:

   ----
   sudo update-ca-certificates
   ----
   ====

   After updating helm to latest version on the management host, you have to also
   upgrade the helm-tiller image in the cluster, by running:

   ----
   helm init \
     --tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
     --service-account tiller --upgrade
   ----

   == Update Your Kubernetes Manifests for Kubernetes 1.16.2:

   Some API resources are moved to stable, while others have been moved to different
   groups or deprecated. The following will impact your deployment manifests:

   * `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in `extensions/`
     (both `v1beta1` and `v1beta2`) is deprecated. Migrate to `apps/v1` group instead
     for all those objects. Please note that `kubectl convert` can help you migrate
     all the necessary fields.
   * `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to
     `policy/v1beta1` group for `PodSecurityPolicy`. Please note that
     `kubectl convert` can help you migrate all the necessary fields.
   * `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to
     `networking.k8s.io/v1` group for `NetworkPolicy`. Please note that
     `kubectl convert` can help you migrate all the necessary fields.
   * `Ingress` in `extensions/v1beta1` is being phased out. Migrate to
     `networking.k8s.io/v1beta1` as soon as possible. This new API does not need to
     update other API fields and therefore only a path change is necessary.
   * Custom resource definitions have moved from `apiextensions.k8s.io/v1beta1` to
     `apiextensions.k8s.io/v1`.

   Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/
   for more details.

   = Documentation Updates

   * Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and
     Grafana charts and images
   * link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added instructions on how to replace {kube} certificates with custom CA certificate]
   * link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex]
   * link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added instructions for secured Tiller deployment]
   * link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about unique `machine-id` requirement]
   * link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added timezone configuration example for {ay}]
   * link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various minor bugfixes and improvements]

   = Known issue: skuba upgrade could not parse "Unknown" as version

   ====
   Running "skuba node upgrade plan" might fail with the error "could not parse
   "Unknown" as version" when a worker, after running "skuba node upgrade apply",
   had not fully started yet. If you are running into this issue, please add some
   delay after running "skuba node upgrade apply" and prior to running
   "skuba node upgrade plan". This is tracked in
   link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]

Patch Instructions:

   To install this SUSE Feature Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard.
      It will inform you if it detects new updates and let you then trigger updating
      of the complete cluster in a controlled way.

Package List:

   - SUSE CaaS Platform 4.0 (noarch):

      release-notes-caasp-4.1.20191218-4.16.2
      skuba-update-1.2.1-3.21.1

   - SUSE CaaS Platform 4.0 (x86_64):

      caasp-release-4.1.0-24.9.1
      conmon-2.0.0-1.7.1
      cri-o-1.16.0-3.22.2
      cri-o-kubeadm-criconfig-1.16.0-3.22.2
      cri-tools-1.16.1-3.7.1
      helm-2.16.1-3.7.1
      kubernetes-client-1.16.2-4.7.1
      kubernetes-common-1.16.2-4.7.1
      kubernetes-kubeadm-1.16.2-4.7.1
      kubernetes-kubelet-1.16.2-4.7.1
      patterns-caasp-Node-1.15-1.16-1.2-3.11.1
      patterns-caasp-Node-1.16-1.2-3.11.2
      skuba-1.2.1-3.21.1

References:

   https://bugzilla.suse.com/1100838
   https://bugzilla.suse.com/1118897
   https://bugzilla.suse.com/1118898
   https://bugzilla.suse.com/1118899
   https://bugzilla.suse.com/1143813
   https://bugzilla.suse.com/1144065
   https://bugzilla.suse.com/1146991
   https://bugzilla.suse.com/1147142
   https://bugzilla.suse.com/1152861
   https://bugzilla.suse.com/1155810
   https://bugzilla.suse.com/1156646


From sle-updates at lists.suse.com Mon Jan 13 16:24:40 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 00:24:40 +0100 (CET)
Subject: SUSE-RU-2020:0090-1: moderate: Recommended update for supportutils-plugin-ses
Message-ID: <20200113232440.85067F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for supportutils-plugin-ses
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0090-1
Rating:             moderate
References:         #1142789 #1146928 #1147148
Affected Products:
                    SUSE Enterprise Storage 5
______________________________________________________________________________

   An update that has three recommended fixes can now be installed.

Description:

   This update for supportutils-plugin-ses fixes the following issues:

   - Add ceph daemon mds get subtrees (bsc#1147148).
   - Add config file from /srv/salt/ceph/configuration/files (bsc#1146928).
   - Include `lrbd -o` output (bsc#1142789).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-90=1

Package List:

   - SUSE Enterprise Storage 5 (noarch):

      supportutils-plugin-ses-5.0+git.1568626595.5ca49a6-3.12.12

References:

   https://bugzilla.suse.com/1142789
   https://bugzilla.suse.com/1146928
   https://bugzilla.suse.com/1147148


From sle-updates at lists.suse.com Mon Jan 13 16:28:06 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 00:28:06 +0100 (CET)
Subject: SUSE-RU-2020:0092-1: Recommended update for crash
Message-ID: <20200113232806.82CF3F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for crash
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0092-1
Rating:             low
References:         #1104743
Affected Products:
                    SUSE Linux Enterprise Module for Realtime 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for crash fixes the following issues:

   - Update the recognition of x86_64 CPU_ENTRY_AREA (bsc#1104743, bsc#1090127)
   - Apply initial changes to support kernel address space layout randomization
     (KASLR) for s390X. (jsc#SLE-9797)
   - Fix to allow automated detection of s390x kernels that have been configured
     with 'CONFIG_RANDOMIZE_BASE=y' (KASLR). (jsc#SLE-9797)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Realtime 15-SP1: zypper in -t patch SUSE-SLE-Module-RT-15-SP1-2020-92=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-92=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-92=1 Package List: - SUSE Linux Enterprise Module for Realtime 15-SP1 (x86_64): crash-kmp-rt-7.2.1_k4.12.14_14.11-9.5.1 crash-kmp-rt-debuginfo-7.2.1_k4.12.14_14.11-9.5.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): crash-debuginfo-7.2.1-9.5.1 crash-debugsource-7.2.1-9.5.1 crash-doc-7.2.1-9.5.1 crash-eppic-7.2.1-9.5.1 crash-eppic-debuginfo-7.2.1-9.5.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): crash-gcore-7.2.1-9.5.1 crash-gcore-debuginfo-7.2.1-9.5.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): crash-7.2.1-9.5.1 crash-debuginfo-7.2.1-9.5.1 crash-debugsource-7.2.1-9.5.1 crash-devel-7.2.1-9.5.1 crash-kmp-default-7.2.1_k4.12.14_197.26-9.5.1 crash-kmp-default-debuginfo-7.2.1_k4.12.14_197.26-9.5.1 References: https://bugzilla.suse.com/1104743 From sle-updates at lists.suse.com Mon Jan 13 16:32:58 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 Jan 2020 00:32:58 +0100 (CET) Subject: SUSE-SU-2020:0088-1: moderate: Security update for mozilla-nspr, mozilla-nss Message-ID: <20200113233258.0B600F798@maintenance.suse.de> SUSE Security Update: Security update for mozilla-nspr, mozilla-nss ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0088-1 Rating: moderate References: #1141322 #1158527 #1159819 Cross-References: CVE-2019-11745 CVE-2019-17006 Affected Products: SUSE OpenStack Cloud 
Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise Storage 5 SUSE CaaS Platform 3.0 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.47.1: Security issues fixed: - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). - CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527). - CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322). mozilla-nspr was updated to version 4.23: - Whitespace in C files was cleaned up and no longer uses tab characters for indenting. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-88=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-88=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-88=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-88=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-88=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-88=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-88=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-88=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-88=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-88=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-88=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-88=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-88=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-88=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-88=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-88=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-88=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-88=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nspr-devel-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-devel-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE OpenStack Cloud 8 (x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 
mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nspr-devel-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-devel-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x 
x86_64): mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nspr-devel-4.23-19.12.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-devel-3.47.1-58.34.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nspr-devel-4.23-19.12.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-devel-3.47.1-58.34.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nspr-devel-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-devel-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libfreebl3-3.47.1-58.34.1 
libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nspr-devel-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 
mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-devel-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 
libsoftokn3-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nspr-devel-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-devel-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libfreebl3-32bit-3.47.1-58.34.1 
libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 
libsoftokn3-hmac-3.47.1-58.34.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 
mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nspr-devel-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-devel-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 
libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nspr-devel-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-devel-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 - SUSE Enterprise Storage 5 (x86_64): libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 
mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 - SUSE CaaS Platform 3.0 (x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 - HPE Helion Openstack 8 (x86_64): libfreebl3-3.47.1-58.34.1 libfreebl3-32bit-3.47.1-58.34.1 libfreebl3-debuginfo-3.47.1-58.34.1 libfreebl3-debuginfo-32bit-3.47.1-58.34.1 libfreebl3-hmac-3.47.1-58.34.1 libfreebl3-hmac-32bit-3.47.1-58.34.1 libsoftokn3-3.47.1-58.34.1 libsoftokn3-32bit-3.47.1-58.34.1 libsoftokn3-debuginfo-3.47.1-58.34.1 libsoftokn3-debuginfo-32bit-3.47.1-58.34.1 libsoftokn3-hmac-3.47.1-58.34.1 libsoftokn3-hmac-32bit-3.47.1-58.34.1 mozilla-nspr-32bit-4.23-19.12.1 mozilla-nspr-4.23-19.12.1 mozilla-nspr-debuginfo-32bit-4.23-19.12.1 mozilla-nspr-debuginfo-4.23-19.12.1 mozilla-nspr-debugsource-4.23-19.12.1 mozilla-nspr-devel-4.23-19.12.1 mozilla-nss-3.47.1-58.34.1 mozilla-nss-32bit-3.47.1-58.34.1 mozilla-nss-certs-3.47.1-58.34.1 mozilla-nss-certs-32bit-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-3.47.1-58.34.1 mozilla-nss-certs-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debuginfo-3.47.1-58.34.1 mozilla-nss-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-debugsource-3.47.1-58.34.1 mozilla-nss-devel-3.47.1-58.34.1 mozilla-nss-sysinit-3.47.1-58.34.1 mozilla-nss-sysinit-32bit-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-3.47.1-58.34.1 mozilla-nss-sysinit-debuginfo-32bit-3.47.1-58.34.1 mozilla-nss-tools-3.47.1-58.34.1 mozilla-nss-tools-debuginfo-3.47.1-58.34.1 References: https://www.suse.com/security/cve/CVE-2019-11745.html 
https://www.suse.com/security/cve/CVE-2019-17006.html
https://bugzilla.suse.com/1141322
https://bugzilla.suse.com/1158527
https://bugzilla.suse.com/1159819

From sle-updates at lists.suse.com Mon Jan 13 23:41:52 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 07:41:52 +0100 (CET)
Subject: SUSE-CU-2020:6-1: Security update of suse/sle15
Message-ID: <20200114064152.60754F796@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:6-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.127
Severity              : moderate
Type                  : security
References            : 1135114 1154804 1154805 1155198 1155205 1155298 1155678 1155819 1156158 1157377 1158763 CVE-2019-18900
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:87-1
Released:    Mon Jan 13 14:12:32 2020
Summary:     Security update for libsolv, libzypp, zypper
Type:        security
Severity:    moderate
References:  1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900

Description:
This update for libsolv, libzypp, zypper fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

Bug fixes:

- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales. If the user decides to have a system without explicit language support, he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python with a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).

From sle-updates at lists.suse.com Mon Jan 13 23:42:53 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 07:42:53 +0100 (CET)
Subject: SUSE-CU-2020:7-1: Security update of suse/sles12sp5
Message-ID: <20200114064253.9BD77F796@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:7-1
Container Tags        : suse/sles12sp5:5.2.272 , suse/sles12sp5:latest
Severity              : moderate
Type                  : security
References            : 1158763 CVE-2019-18900
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:79-1
Released:    Mon Jan 13 10:37:34 2020
Summary:     Security update for libzypp
Type:        security
Severity:    moderate
References:  1158763,CVE-2019-18900

Description:
This update for libzypp fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).
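Every advisory in this digest gives a per-product `zypper in -t patch ...` command and a Package List of fixed name-version-release builds. `zypper patch` reports success, but the independent check a practitioner wants is to compare what `rpm -qa` actually reports against that list using rpm's own version ordering (not a string compare, which gets `58.9.1` vs `58.34.1` wrong). The script below is an added example written for this digest, not SUSE tooling: it re-implements rpm's `rpmvercmp()` in pure Python so it runs without librpm, splits each advisory entry into name/version/release, and flags anything older than the fixed build. The "installed" list is constructed sample data shaped like `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output (one entry is a deliberately older hypothetical build); the fixed list is a subset of SUSE-SU-2020:0088-1's entries for SUSE Linux Enterprise Server 12-SP5. Epochs are assumed absent, as the advisory prints none; a real audit should also query `%{EPOCH}`.

```python
"""Audit installed RPM builds against an advisory's fixed name-version-release list.

Added example for this SUSE update digest; not SUSE code.  The version
ordering below follows rpm's rpmvercmp(): alphanumeric segments, '~' sorting
before the end of string (1.0~rc1 < 1.0), '^' sorting after it, numeric
segments beating alpha segments, leading zeros ignored.
"""
import string

_ALNUM = set(string.ascii_letters + string.digits)
_DIGITS = set(string.digits)
_ALPHA = set(string.ascii_letters)


def _take(s, k, chars):
    """Return the run of characters from `chars` starting at s[k]."""
    start = k
    while k < len(s) and s[k] in chars:
        k += 1
    return s[start:k]


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp(a, b)."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # separators (anything that is not alnum, '~' or '^') are skipped
        while i < la and a[i] not in _ALNUM and a[i] not in "~^":
            i += 1
        while j < lb and b[j] not in _ALNUM and b[j] not in "~^":
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":          # tilde sorts before everything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: after end, before any segment
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                 # one side exhausted
            break
        isnum = ca in _DIGITS
        charset = _DIGITS if isnum else _ALPHA
        seg_a = _take(a, i, charset)
        seg_b = _take(b, j, charset)
        if not seg_b:                       # numeric vs alpha: numeric is newer
            return 1 if isnum else -1
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1             # whoever has characters left wins


def split_nvr(nvr):
    """'mozilla-nss-certs-32bit-3.47.1-58.34.1' -> (name, version, release).
    Names may contain dashes; version and release never do, so split from the right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(have, want):
    """Compare (version, release) tuples; epoch assumed 0 on both sides."""
    rc = rpmvercmp(have[0], want[0])
    return rc if rc else rpmvercmp(have[1], want[1])


def audit(installed, fixed):
    """Map each advisory package name to 'patched', 'VULNERABLE' or 'not installed'."""
    have = {}
    for nvr in installed:
        n, v, r = split_nvr(nvr)
        have[n] = (v, r)
    status = {}
    for nvr in fixed:
        n, v, r = split_nvr(nvr)
        if n not in have:
            status[n] = "not installed"
        elif compare_vr(have[n], (v, r)) >= 0:
            status[n] = "patched"
        else:
            status[n] = "VULNERABLE"
    return status


# Constructed sample, not from a real host: what `rpm -qa` might print.
INSTALLED_SAMPLE = [
    "mozilla-nss-3.47.1-58.34.1",        # already at the fixed build
    "mozilla-nss-certs-3.47.1-58.34.1",
    "libfreebl3-3.41.1-58.28.1",         # hypothetical older build: still vulnerable
    "libsoftokn3-3.47.1-58.33.1",        # same version, older release: still vulnerable
    "mozilla-nspr-4.23-19.12.1",
]
# Subset of SUSE-SU-2020:0088-1, Package List for SUSE Linux Enterprise Server 12-SP5.
FIXED_SLES12SP5 = [
    "libfreebl3-3.47.1-58.34.1",
    "libsoftokn3-3.47.1-58.34.1",
    "mozilla-nspr-4.23-19.12.1",
    "mozilla-nss-3.47.1-58.34.1",
    "mozilla-nss-certs-3.47.1-58.34.1",
    "mozilla-nss-tools-3.47.1-58.34.1",
]

if __name__ == "__main__":
    for name, state in sorted(audit(INSTALLED_SAMPLE, FIXED_SLES12SP5).items()):
        print(f"{name:24s} {state}")
```

On a live SLES host, replace INSTALLED_SAMPLE with the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` and FIXED_* with the Package List block for your product and architecture; "not installed" entries (debuginfo, -devel, 32bit) are expected and harmless, while any "VULNERABLE" line after `zypper patch` means the patch did not apply to that package and deserves a look.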
From sle-updates at lists.suse.com Mon Jan 13 23:48:00 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 Jan 2020 07:48:00 +0100 (CET) Subject: SUSE-CU-2020:8-1: Security update of suse/sles12sp4 Message-ID: <20200114064800.54CC8F796@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:8-1 Container Tags : suse/sles12sp4:26.119 , suse/sles12sp4:latest Severity : moderate Type : security References : 1158763 CVE-2019-18900 ----------------------------------------------------------------- The container suse/sles12sp4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:79-1 Released: Mon Jan 13 10:37:34 2020 Summary: Security update for libzypp Type: security Severity: moderate References: 1158763,CVE-2019-18900 Description: This update for libzypp fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). From sle-updates at lists.suse.com Mon Jan 13 23:51:37 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 Jan 2020 07:51:37 +0100 (CET) Subject: SUSE-CU-2020:9-1: Security update of suse/sles12sp3 Message-ID: <20200114065137.0D9BAF796@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp3 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:9-1 Container Tags : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.97 , suse/sles12sp3:latest Severity : moderate Type : security References : 1158763 1160571 CVE-2019-18900 CVE-2019-5188 ----------------------------------------------------------------- The container suse/sles12sp3 was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:79-1
Released:    Mon Jan 13 10:37:34 2020
Summary:     Security update for libzypp
Type:        security
Severity:    moderate
References:  1158763,CVE-2019-18900

Description:
This update for libzypp fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:86-1
Released:    Mon Jan 13 14:12:22 2020
Summary:     Security update for e2fsprogs
Type:        security
Severity:    moderate
References:  1160571,CVE-2019-5188

Description:
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

From sle-updates at lists.suse.com Tue Jan 14 00:04:45 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 08:04:45 +0100 (CET)
Subject: SUSE-CU-2020:10-1: Security update of caasp/v4/coredns
Message-ID: <20200114070445.C31E0F79E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/coredns
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:10-1
Container Tags        : caasp/v4/coredns:1.6.2 , caasp/v4/coredns:1.6.2-rev3 , caasp/v4/coredns:1.6.2-rev3-build3.9.1
Severity              : important
Type                  : security
References            : 1007715 1049825 1051143 1073313 1081947 1081947 1082293 1084934 1085196 1092100
                        1093414 1100838 1103320 1106214 1110797 1111388 1114592 1114845 1116995 1118897
                        1118898 1118899 1120629 1120630 1120631 1121197 1121753 1122417 1123919 1125886
                        1127155 1127608 1127701 1130306 1131113 1131823 1133773 1134226 1135254 1135534
                        1135708 1135749 1137977 1138869 1139459 1139795 1140039 1140631 1141113 1141897
                        1142649 1142654 1143055 1143194 1143273 1143813 1144047 1144065 1144169 1145023
                        1145521 1145554 1145716 1146027 1146415 1146415 1146866 1146947 1146991 1147142
                        1148517 1148987 1149145 1149495 1149496 1149511 1150003 1150137 1150250 1150595
                        1150734 1151023 1152101 1152755 1152861 1153351 1153557 1153936 1154019 1154036
                        1154037 1154295 1154871 1154884 1154887 1155199 1155338 1155339 1155346 1155810
                        1156646 1157198 1157278 1157775 1158095 1158101 1158809 353876 859480
                        CVE-2017-17740 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125
                        CVE-2018-1126 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2019-12290
                        CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866
                        CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847
                        CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18224
                        CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5481 CVE-2019-5482
                        SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171
-----------------------------------------------------------------

The container caasp/v4/coredns was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released:    Wed Aug 28 14:58:49 2019
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1144169

Description:
This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released:    Thu Sep 5 14:45:08 2019
Summary:     Security update for util-linux and shadow
Type:        security
Severity:    moderate
References:  1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

Description:
This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for "unknown filesystem type" (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released:    Thu Sep 12 07:54:54 2019
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1081947,1144047

Description:
This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released:    Thu Sep 12 14:18:53 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1149495,1149496,CVE-2019-5481,CVE-2019-5482

Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released:    Wed Sep 18 08:31:38 2019
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

Description:
This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released:    Wed Sep 18 16:14:29 2019
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1150003,1150250,CVE-2019-1547,CVE-2019-1563

Description:
This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released:    Fri Sep 20 16:41:45 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1146866,SLE-9132

Description:
This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

The following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released:    Thu Oct 3 15:02:50 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1150137,CVE-2019-16168

Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released:    Thu Oct 10 17:22:35 2019
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1110797

Description:
This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released:    Tue Oct 15 21:06:54 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1145716,1152101,CVE-2019-5094

Description:
This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released:    Mon Oct 21 16:04:57 2019
Summary:     Security update for procps
Type:        security
Severity:    important
References:  1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

Description:
This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert "Support running with child namespaces"
* library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: dont use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released:    Tue Oct 22 15:40:16 2019
Summary:     Recommended update for libzypp, zypper, libsolv and PackageKit
Type:        recommended
Severity:    important
References:  1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534

Description:
This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolvers general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:

- Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released:    Wed Oct 23 17:21:17 2019
Summary:     Security update for lz4
Type:        security
Severity:    moderate
References:  1153936,CVE-2019-17543

Description:
This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released:    Tue Oct 29 14:57:55 2019
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1140631,1145023,1150595,SLE-7687

Description:
This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released:    Thu Oct 31 08:09:14 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1051143,1138869,1151023

Description:
This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released:    Thu Nov 14 11:53:03 2019
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1133773,1143055

Description:
This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all "screen(-xxx)?.yyy(-zzz)?" to "screen" as well as map "konsole(-xxx)?" and "gnome(-xxx)?" to "xterm"
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released:    Thu Nov 14 22:45:33 2019
Summary:     Optional update for curl
Type:        optional
Severity:    low
References:  1154019

Description:
This update for curl doesn't address any user visible issues.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released:    Mon Nov 18 15:16:38 2019
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

Description:
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released:    Tue Nov 19 18:10:58 2019
Summary:     Recommended update for zypper and libsolv
Type:        recommended
Severity:    moderate
References:  1145554,1146415,1149511,1153351,SLE-9171

Description:
This update for zypper and libsolv fixes the following issues:

Package: zypper

- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171)

Package: libsolv

- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released:    Mon Nov 25 17:33:07 2019
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1155199,CVE-2019-14866

Description:
This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released:    Mon Nov 25 17:34:22 2019
Summary:     Security update for gcc9
Type:        security
Severity:    moderate
References:  1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536

Description:
This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install "gcc9" or "gcc9-c++" or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released:    Tue Nov 26 12:39:29 2019
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    low
References:  1152755

Description:
This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released:    Thu Nov 28 10:02:24 2019
Summary:     Security update for libidn2
Type:        security
Severity:    moderate
References:  1154884,1154887,CVE-2019-12290,CVE-2019-18224

Description:
This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released:    Thu Nov 28 10:03:00 2019
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1123919

Description:
This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released:    Fri Nov 29 14:41:35 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1154295

Description:
This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released:    Wed Dec 4 11:24:42 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1007715,1084934,1157278

Description:
This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released:    Thu Dec 5 11:43:07 2019
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690

Description:
This update for permissions fixes the following issues:

- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released:    Tue Dec 10 10:40:19 2019
Summary:     Recommended update for ca-certificates-mozilla, p11-kit
Type:        recommended
Severity:    moderate
References:  1154871

Description:
This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

Changes in p11-kit:

- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released:    Wed Dec 11 11:19:53 2019
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889

Description:
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released:    Fri Dec 27 13:33:29 2019
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1148987,1155338,1155339,CVE-2019-13627

Description:
This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released:    Fri Jan 10 12:33:59 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789

Description:
This update for openssl-1_1 fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Various FIPS related improvements were done:

- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:89-1
Released:    Mon Jan 13 16:07:20 2020
Summary:     Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
Type:        feature
Severity:    moderate
References:  1100838,1118897,1118898,1118899,1143813,1144065,1146991,1147142,1152861,1155810,1156646

Description:
= Required Actions

== Skuba and helm update Instructions

Update skuba and helm on your management workstation as you would do with any other package.
Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup

[WARNING]
====
When running helm-init you may hit a link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the certificate validation]:

----
https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority
----

In order to fix this, run:

----
sudo update-ca-certificates
----
====

After updating helm to latest version on the management host, you have to also upgrade the helm-tiller image in the cluster, by running:

----
helm init \
  --tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
  --service-account tiller --upgrade
----

== Update Your Kubernetes Manifests for Kubernetes 1.16.2:

Some API resources are moved to stable, while others have been moved to different groups or deprecated. The following will impact your deployment manifests:

* `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in `extensions/` (both `v1beta1` and `v1beta2`) are deprecated. Migrate to the `apps/v1` group instead for all those objects. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `policy/v1beta1` group for `PodSecurityPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `networking.k8s.io/v1` group for `NetworkPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `Ingress` in `extensions/v1beta1` is being phased out. Migrate to `networking.k8s.io/v1beta1` as soon as possible. This new API does not need to update other API fields and therefore only a path change is necessary.
* Custom resource definitions have moved from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.

Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.

= Documentation Updates

* Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images
* link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added instructions on how to replace {kube} certificates with custom CA certificate]
* link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex]
* link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added instructions for secured Tiller deployment]
* link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about unique `machine-id` requirement]
* link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added timezone configuration example for {ay}]
* link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various minor bugfixes and improvements]

= Known issue: skuba upgrade could not parse "Unknown" as version

====
Running "skuba node upgrade plan" might fail with the error "could not parse "Unknown" as version" when a worker, after running "skuba node upgrade apply", had not fully started yet. If you are running into this issue, please add some delay after running "skuba node upgrade apply" and prior to running "skuba node upgrade plan".
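The manifest migration described in the "Update Your Kubernetes Manifests" section above, as an added example that is not part of the SUSE advisory and not code from skuba, helm or the Kubernetes project. It rewrites only the top-level `apiVersion` of each document in a multi-document manifest according to the table in that section and reports which objects still need a field-level review with `kubectl convert` (the advisory's path-only exception is `Ingress`). The sample manifest is constructed; the requirement that `apps/v1` workloads carry a `spec.selector` is a fact of the Kubernetes API rather than something the advisory states, and the selector check is a line-based heuristic, not a YAML parse.

```python
"""Rewrite deprecated Kubernetes 1.16 apiVersions in a multi-document manifest.

Added example, not SUSE or Kubernetes project code. It only touches the
column-0 `apiVersion:` line of each document; field-level changes still need
`kubectl convert` or a manual review, which the report flags.
"""
import re
from typing import Dict, List, Optional, Tuple

# Migration table from the advisory text:
# (kind, old apiVersion) -> (new apiVersion, path_only)
# path_only=True means only the API path changes (the advisory says this
# holds for Ingress); False means other fields may need updating too.
MIGRATIONS: Dict[Tuple[str, str], Tuple[str, bool]] = {
    ("PodSecurityPolicy", "extensions/v1beta1"): ("policy/v1beta1", False),
    ("NetworkPolicy", "extensions/v1beta1"): ("networking.k8s.io/v1", False),
    ("Ingress", "extensions/v1beta1"): ("networking.k8s.io/v1beta1", True),
    ("CustomResourceDefinition", "apiextensions.k8s.io/v1beta1"):
        ("apiextensions.k8s.io/v1", False),
}
for _kind in ("DaemonSet", "Deployment", "StatefulSet", "ReplicaSet"):
    for _old in ("extensions/v1beta1", "apps/v1beta1", "apps/v1beta2"):
        MIGRATIONS[(_kind, _old)] = ("apps/v1", False)

# Only column-0 keys count: a `kind:` nested under spec.template must not match.
_TOP_FIELD = re.compile(r"^(apiVersion|kind):[ \t]*([^\s#]+)", re.MULTILINE)
_DOC_SEP = re.compile(r"^---[ \t]*$", re.MULTILINE)
# Heuristic for the selector that apps/v1 workloads require (a Kubernetes API
# fact, not from the advisory): any indented `selector:` key in the document.
_SELECTOR = re.compile(r"^[ \t]+selector:", re.MULTILINE)


def _top_level(doc: str, field: str) -> Optional[str]:
    for m in _TOP_FIELD.finditer(doc):
        if m.group(1) == field:
            return m.group(2)
    return None


def migrate_manifest(text: str) -> Tuple[str, List[dict]]:
    """Return (rewritten manifest, report); untouched documents pass through."""
    out, report = [], []
    for doc in _DOC_SEP.split(text):
        kind, old = _top_level(doc, "kind"), _top_level(doc, "apiVersion")
        target = MIGRATIONS.get((kind, old))
        if target is None:
            out.append(doc)
            continue
        new, path_only = target
        doc = re.sub(r"^apiVersion:.*$", lambda _m: "apiVersion: " + new,
                     doc, count=1, flags=re.MULTILINE)
        report.append({
            "kind": kind, "from": old, "to": new,
            "needs_field_review": not path_only,
            "missing_selector": new == "apps/v1" and not _SELECTOR.search(doc),
        })
        out.append(doc)
    # split() kept the newlines around each separator, so "---" restores them.
    return "---".join(out), report


# Constructed sample: a pre-1.16 Deployment without spec.selector, an Ingress,
# and a Service that is already on a stable API.
SAMPLE_MANIFEST = """\
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: registry.example.com/web:1.0
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web
spec:
  rules:
  - host: web.example.com
---
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  selector:
    app: web
"""

if __name__ == "__main__":
    new_text, findings = migrate_manifest(SAMPLE_MANIFEST)
    for f in findings:
        print(f)
    print(new_text, end="")
```

Run it on a real manifest by reading the file into `migrate_manifest`; any entry with `needs_field_review` set should still go through `kubectl convert` before being applied, and an `apps/v1` workload flagged with `missing_selector` will be rejected by the API server until a `spec.selector` matching the template labels is added.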
This is tracked in link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]

From sle-updates at lists.suse.com Tue Jan 14 00:06:18 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 08:06:18 +0100 (CET)
Subject: SUSE-CU-2020:11-1: Security update of caasp/v4/etcd
Message-ID: <20200114070618.B77D8F79E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/etcd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:11-1
Container Tags        : caasp/v4/etcd:3.3.15 , caasp/v4/etcd:3.3.15-rev3 , caasp/v4/etcd:3.3.15-rev3-build3.9.1
Severity              : important
Type                  : security
References            : 1007715 1049825 1051143 1073313 1081947 1081947 1082293 1082318 1084934 1085196 1092100 1093414 1100838 1103320 1106214 1110797 1111388 1114592 1114845 1116995 1118897 1118898 1118899 1120629 1120630 1120631 1121197 1121753 1122417 1122666 1123919 1125886 1127155 1127608 1127701 1128828 1130306 1131113 1131823 1133773 1134226 1135254 1135534 1135708 1135749 1135984 1137296 1137977 1138869 1139459 1139795 1140039 1140631 1141113 1141897 1142614 1142649 1142654 1143055 1143194 1143273 1143813 1144047 1144065 1144169 1145023 1145231 1145521 1145554 1145716 1146027 1146415 1146415 1146866 1146947 1146991 1147142 1148517 1148987 1149145 1149429 1149495 1149496 1149511 1150003 1150137 1150250 1150595 1150734 1151023 1152101 1152755 1152861 1153351 1153557 1153936 1154019 1154036 1154037 1154295 1154871 1154884 1154887 1155199 1155338 1155339 1155346 1155668 1155810 1156646 1157198 1157278 1157775 1158095 1158101 1158809 353876 859480 CVE-2017-17740 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2019-12290 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-15903 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595
CVE-2019-18224 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5481 CVE-2019-5482 CVE-2019-9893 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171
-----------------------------------------------------------------

The container caasp/v4/etcd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169
Description:
This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to the 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:
- Certinomis - Root CA

Includes new root CAs from the 2.32 version:
- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876
Description:
This update for util-linux and shadow fixes the following issues:

util-linux:
- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for "unknown filesystem type" (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:
- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047
Description:
This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2367-1
Released: Thu Sep 12 12:59:37 2019
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1122666,1135984,1137296
Description:
This update for lvm2 fixes the following issues:

- Fix unknown feature in status message (bsc#1135984)
- Fix using device aliases with lvmetad (bsc#1137296)
- Fix devices drop open error message (bsc#1122666)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:
- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:
- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563
Description:
This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]
* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance.
  (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132
Description:
This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

The following settings have been tightened (and set to 0):
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

Settings in sysctl.d are applied at boot; to apply them on an already running system, run "sysctl --system".

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2429-1
Released: Mon Sep 23 09:28:40 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1149429,CVE-2019-15903
Description:
This update for expat fixes the following issues:

Security issues fixed:
- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2517-1
Released: Wed Oct 2 10:49:20 2019
Summary: Security update for libseccomp
Type: security
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893
Description:
This update for libseccomp fixes the following issues:

Security issues fixed:
- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)

libseccomp was updated to new upstream release 2.4.1:
- Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.
libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates

libseccomp was updated to release 2.3.3:
- Updated the syscall table for Linux v4.15-rc7

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168
Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:
- CVE-2019-16168: Fixed improper validation of the sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797
Description:
This update for permissions fixes the following issues:

- Updated permissions for amanda.
  (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094
Description:
This update for e2fsprogs fixes the following issues:

Security issue fixed:
- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:
- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

The following security issues were fixed:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep.
  This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:
- Fix CPU summary showing old data. (bsc#1121753)

The update to 3.3.15 contains the following fixes:
* library: Increment to 8:0:1. No removals, no new functions. Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert "Support running with child namespaces"
* library: Increment to 7:0:1. No changes, no removals. New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: dont use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not
  available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Description:
This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:
- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:
- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which not all packages were updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:
- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:
- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid the 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:
- Port the cron configuration variables to the systemd timer script, and add the -sendwait parameter to mail in the script (bsc#1130306).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543
Description:
This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687
Description:
This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart on an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so that the /usr/share/polkit-1/rules.d subdir can be owned by polkit only. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023
Description:
This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055
Description:
This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all "screen(-xxx)?.yyy(-zzz)?" to "screen" as well as map "konsole(-xxx)?" and "gnome(-xxx)?" to "xterm"
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019
Description:
This update for curl doesn't address any user visible issues.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:
- Removed screen.xterm from terminfo database (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released: Tue Nov 19 18:10:58 2019
Summary: Recommended update for zypper and libsolv
Type: recommended
Severity: moderate
References: 1145554,1146415,1149511,1153351,SLE-9171
Description:
This update for zypper and libsolv fixes the following issues:

Package: zypper
- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define a systemwide focus mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow specifying a repository (jsc#SLE-9171)

Package: libsolv
- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3040-1
Released: Fri Nov 22 11:59:52 2019
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1145231
Description:
This update for lvm2 fixes the following issues:

- Adds a fix to detect MD devices by LVM2 with
  metadata=1.0/0.9 (bsc#1145231)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866
Description:
This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function, which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
Description:
This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install "gcc9" or "gcc9-c++" or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration.

Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390.
  (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755
Description:
This update for gpg2 provides the following fix:

- Remove a build requirement on self. This was causing the Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224
Description:
This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919
Description:
This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295
Description:
This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystems.
  (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278
Description:
This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc, that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for the urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released: Thu Dec 5 11:43:07 2019
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
Description:
This update for permissions fixes the following issues:

- CVE-2019-3688: Fixed wrong ownership of /usr/sbin/pinger (now root:squid), which could have allowed the squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871
Description:
This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:
- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).
Changes in p11-kit:
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
Description:
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3343-1
Released: Thu Dec 19 11:05:27 2019
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1155668
Description:
This update for lvm2 fixes the following issues:

- Fix seeing a 90 second delay during shutdown and reboot. (bsc#1155668)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627
Description:
This update for libgcrypt fixes the following issues:

Security issues fixed:
- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:
- Added CMAC AES self test (bsc#1155339).
- Added missing CMAC TDES self test (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released: Fri Jan 10 12:33:59 2020
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
Description:
This update for openssl-1_1 fixes the following issues:

Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
Various FIPS related improvements were done:
- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:89-1
Released: Mon Jan 13 16:07:20 2020
Summary: Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
Type: feature
Severity: moderate
References: 1100838,1118897,1118898,1118899,1143813,1144065,1146991,1147142,1152861,1155810,1156646
Description:
= Required Actions
== Skuba and helm update instructions
Update skuba and helm on your management workstation as you would do with any other package. Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup
[WARNING]
====
When running helm-init you may hit a link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug in the certificate validation]:
----
https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority
----
In order to fix this, run:
----
sudo update-ca-certificates
----
====
After updating helm to the latest version on the management host, you also have to upgrade the helm-tiller image in the cluster by running:
----
helm init \
  --tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
  --service-account tiller --upgrade
----
== Update Your Kubernetes Manifests for Kubernetes 1.16.2
Some API resources have moved to stable, while others have been moved to different groups or deprecated. The following will impact your deployment manifests:
* `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in `extensions/` (both `v1beta1` and `v1beta2`) are deprecated. Migrate all those objects to the `apps/v1` group instead.
Please note that `kubectl convert` can help you migrate all the necessary fields.
* `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `policy/v1beta1` group for `PodSecurityPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `networking.k8s.io/v1` group for `NetworkPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `Ingress` in `extensions/v1beta1` is being phased out. Migrate to `networking.k8s.io/v1beta1` as soon as possible. This new API does not require updating other API fields, so only a path change is necessary.
* Custom resource definitions have moved from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.
Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.
= Documentation Updates
* Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images
* link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added instructions on how to replace {kube} certificates with a custom CA certificate]
* link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex]
* link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added instructions for secured Tiller deployment]
* link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about the unique `machine-id` requirement]
* link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added timezone configuration example for {ay}]
* link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various minor bugfixes and improvements]
= Known issue: skuba upgrade could not parse "Unknown" as version
====
Running "skuba node upgrade plan"
might fail with the error "could not parse "Unknown" as version" when a worker, after running "skuba node upgrade apply", had not fully started yet. If you are running into this issue, please add some delay after running "skuba node upgrade apply" and prior to running "skuba node upgrade plan". This is tracked in link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]

From sle-updates at lists.suse.com Tue Jan 14 00:06:30 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 08:06:30 +0100 (CET)
Subject: SUSE-CU-2019:695-1: Security update of caasp/v4/tiller
Message-ID: <20200114070630.0B95CF79E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/tiller
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:695-1
Container Tags : caasp/v4/tiller:2.8.2 , caasp/v4/tiller:2.8.2-rev1 , caasp/v4/tiller:2.8.2-rev1-build1.2
Severity : important
Type : security
References :
-----------------------------------------------------------------
The container caasp/v4/tiller was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.
This security issue was fixed:
- Out-of-bounds read in ELF note headers (CVE-2014-3710).
This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Type: security
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Type: security
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Type: security
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with spaces.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a "use after free" issue in fsck(8).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.
This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released: Tue Feb 3 14:51:17 2015
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 913209
Description:
curl was updated to fix problems when operating in FIPS mode. This patch re-enables the following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released: Tue Feb 3 16:30:16 2015
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.
CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer overread and a crash of the application using libssh2_org.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.
The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of bounds
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.
libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)
FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Type: security
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:
Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Type: recommended
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.
It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Type: optional
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.
Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.
This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes.
The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).
The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. IBM zSeries z13 hardware support has also been added to gdb. (fate#318039)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:
Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)
Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of "sed --follow-symlinks -" is now identical to "sed -". In both cases, sed will read from the standard input and no longer from a file named '-'.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Type: recommended
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-UTF-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed an invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of "gpg --recv" due to the keyserver import filter (also boo#952347).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Type: security
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out of bounds read and a stack overflow issue (bsc#926826).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Type: recommended
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on an overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released: Fri Jan 8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type: recommended
Severity: moderate
References: 932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.
The various GNOME libraries and tools have been changed to use the default libgcrypt allocators.
GNOME keyring was changed not to use MD5 anymore.
libgcrypt was adjusted to free the DRBG on exit to avoid crashes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released: Thu Feb 4 15:51:22 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)
The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time
The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released: Thu Mar 3 15:58:18 2016
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 960820
Description:
This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:
Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.
A feature was added: - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed: - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:462-1 Released: Wed Mar 16 18:17:59 2016 Summary: Recommended update for libcap Type: recommended Severity: low References: 967838 Description: This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:543-1 Released: Fri Apr 1 18:44:16 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 970882 Description: This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:565-1 Released: Wed Apr 6 16:26:42 2016 Summary: Security update for gcc5 Type: security Severity: moderate References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276 Description: The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements. The following security issue has been fixed: - Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842) The following non-security issues have been fixed: - Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220) - Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468) - Fix HTM built-ins on PowerPC. (bsc#955382) - Fix libgo certificate lookup. (bsc#953831) - Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. 
(bsc#939460) - Build s390[x] with "--with-tune=z9-109 --with-arch=z900" on SLE11 again. (bsc#954002) - Revert accidental libffi ABI breakage on aarch64. (bsc#968771) - On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586. - Add experimental File System TS library. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:636-1 Released: Mon Apr 18 09:18:19 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 965902,CVE-2015-7511 Description: libgcrypt was updated to fix one security issue. This security issue was fixed: - CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:643-1 Released: Tue Apr 19 09:23:39 2016 Summary: Recommended update for bzip2 Type: recommended Severity: low References: 970260 Description: This update for bzip2 fixes the following issues: - Fix the bzgrep wrapper, which always returned 0 as exit code when working on multiple archives, even when the pattern was not found. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:697-1 Released: Thu Apr 28 16:03:24 2016 Summary: Recommended update for libssh2_org Type: recommended Severity: important References: 974691 Description: This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex(). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:801-1 Released: Thu May 19 22:38:01 2016 Summary: Recommended update for curl Type: recommended Severity: moderate References: 915846 Description: This update for curl fixes the following issue: - Fix the "Network is unreachable" error when IPv6 is not available but IPv4 is. This fixes the same error in applications using libcurl4 (like zypper).
(bsc#915846) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:835-1 Released: Wed May 25 18:27:30 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 979629 Description: This update for libgcrypt fixes the following issue: - Fix failing reboot after installing the fips pattern (bsc#979629) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:898-1 Released: Tue Jun 7 09:48:12 2016 Summary: Security update for expat Type: security Severity: important References: 979441,980391,CVE-2015-1283,CVE-2016-0718 Description: This update for expat fixes the following issues: Security issues fixed: - CVE-2016-0718: Fix the Expat XML parser mishandling certain kinds of malformed input documents. (bsc#979441) - CVE-2015-1283: Fix multiple integer overflows. (bnc#980391) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:900-1 Released: Tue Jun 7 10:58:37 2016 Summary: Security update for libksba Type: security Severity: moderate References: 979261,979906,CVE-2016-4574,CVE-2016-4579 Description: This update for libksba fixes the following issues: - CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl() - CVE-2016-4574: Two out-of-bounds read bugs (remote DoS) (bsc#979261) Reliability fixes from v1.3.4 were also added. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:987-1 Released: Wed Jun 22 14:32:18 2016 Summary: Recommended update for procps Type: recommended Severity: low References: 981616 Description: This update for procps fixes the following issues: - Improve pmap(1) to be compatible with kernel 4.4.
(bsc#981616) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1028-1 Released: Thu Jul 7 11:50:47 2016 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 986935 Description: This update for findutils fixes the following issues: - find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1126-1 Released: Sat Jul 30 00:39:03 2016 Summary: Recommended update for kmod Type: recommended Severity: low References: 983754,989788 Description: This update for kmod fixes libkmod to handle very long lines in /proc/modules. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1205-1 Released: Thu Aug 11 15:02:18 2016 Summary: Recommended update for rpm Type: recommended Severity: low References: 829717,894610,940315,953532,965322,967728 Description: This update for rpm provides the following fixes: - Add is_opensuse and leap_version macros to suse_macros. (bsc#940315) - Add option to make postinstall scriptlet errors fatal. (bsc#967728) - Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322) - Fix updating of sources/patches when recursing because of a BuildArch. 
(bsc#953532) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1228-1 Released: Tue Aug 16 09:29:01 2016 Summary: Security update for libidn Type: security Severity: moderate References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263 Description: This update for libidn fixes the following issues: - CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189) - CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190) - CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8 (bsc#990191) - CVE-2015-2059: Out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1247-1 Released: Fri Aug 19 12:58:39 2016 Summary: Security update for cracklib Type: security Severity: moderate References: 992966,CVE-2016-6318 Description: This update for cracklib fixes the following issues: - Add patch to fix a buffer overflow in the GECOS parser (bsc#992966 CVE-2016-6318) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1326-1 Released: Thu Sep 8 11:37:44 2016 Summary: Security update for perl Type: security Severity: moderate References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185 Description: This update for Perl fixes the following issues: - CVE-2016-6185: XSLoader looking at a "(eval)" directory. (bsc#988311) - CVE-2016-1238: Searching the current directory for optional modules. (bsc#987887) - CVE-2015-8853: Regular expression engine hanging on bad UTF-8. (bsc) - CVE-2016-2381: Duplicate environment variable handling bug. (bsc#967082) - "Insecure dependency in require" error in taint mode. (bsc#984906) - Memory leak in 'use utf8' handling. (bsc#928292) - Missing lock prototype in the debugger.
(bsc#932894) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2016:1358-1 Released: Thu Sep 15 20:54:21 2016 Summary: Optional update for gcc6 Type: optional Severity: low References: 983206 Description: This update ships the GNU Compiler Collection (GCC) in version 6.2. This update is shipped in two parts: - SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries. - SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update. Changes: - The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98. Generic Optimization improvements: - UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays. - Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly. - Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization. - Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined. - Various Link-time optimization improvements. 
- Inter-procedural optimization improvements: - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes. - Function cloning now more aggressively eliminates unused function parameters. - Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification. C family language improvements: - Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers. - Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings. - Diagnostics can now contain "fix-it hints", which are displayed in context underneath the relevant source code. - The C and C++ compilers now offer suggestions for misspelled field names. - New command-line options have been added for the C and C++ compilers: - -Wshift-negative-value warns about left shifting a negative value. - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit. - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall. - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used. - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
- -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall. - The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file. C improvements: - It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects. - A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions. C++ improvements: - The default mode has been changed to -std=gnu++14. - C++ Concepts are now supported when compiling with -fconcepts. - -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location. - G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions. - G++ now allows constant evaluation for all non-type template arguments. - G++ now supports C++ Transactional Memory when compiling with -fgnu-tm. libstdc++ improvements: - Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland. - Experimental support for C++17. - An experimental implementation of the File System TS. - Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You. - Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. 
The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit. Fortran improvements: - Fortran 2008 SUBMODULE support. - Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support. - Improved support for Fortran 2003 deferred-length character variables. - Improved support for OpenMP and OpenACC. - The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0. - The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind. - The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default. Architecture improvements: - AArch64 received a lot of improvements. IA-32/x86-64 improvements: - GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ. - Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx. - x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment. - Support for address spaces __seg_fs, __seg_gs, and __seg_tls. 
These can be used to access data via the %fs and %gs segments without having to resort to inline assembly. - Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options. PowerPC / PowerPC64 / RS6000 improvements: - PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point. - Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available: - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler. - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used. - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add). - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system. - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers. - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions. - -mpower9-minmax: Reserved for future development. 
- -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities. - New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions. - Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later. - All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their "old" compiler treats the builtins as barriers. - Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed. - GCC on PowerPC now supports the standard lround function. - The "q", "S", "T", and "t" asm-constraints have been removed. - The "b", "B", "m", "M", and "W" format modifiers have been removed. S/390, System z, IBM z Systems improvements: - Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions. - Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning. - The -mzvector option enables a C/C++ language extension. 
This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.) - Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included. - The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect. - The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions. - -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used. - Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900. 
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1364-1 Released: Fri Sep 16 17:13:43 2016 Summary: Security update for curl Type: security Severity: moderate References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389) - CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390) - CVE-2016-5421: Use of connection struct after free (bsc#991391) - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420) Also the following bug was fixed: - A performance issue (bsc#991746) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1370-1 Released: Wed Sep 21 12:58:14 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 994157,CVE-2016-6313 Description: This update for libgcrypt fixes the following issues: - RNG prediction vulnerability (bsc#994157, CVE-2016-6313) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1591-1 Released: Wed Nov 2 12:07:51 2016 Summary: Security update for curl Type: security Severity: important References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624 Description: This update for curl fixes the following security issues: - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646) - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645) - CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643) - CVE-2016-8621: curl_getdate read out of
bounds (bsc#1005642) - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640) - CVE-2016-8619: double-free in krb5 code (bsc#1005638) - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637) - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635) - CVE-2016-8616: case insensitive password comparison (bsc#1005634) - CVE-2016-8615: cookie injection for other servers (bsc#1005633) - CVE-2016-7167: escape and unescape integer overflows (bsc#998760) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1614-1 Released: Mon Nov 7 20:01:31 2016 Summary: Recommended update for shadow Type: recommended Severity: low References: 1002975 Description: This update for shadow fixes the following issues: - Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1641-1 Released: Thu Nov 10 20:02:04 2016 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1006469,958369,979436 Description: This update for sg3_utils provides the following fixes: - Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469) - Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436) - In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. 
(bsc#958369) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1744-1 Released: Fri Dec 2 11:42:41 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively, please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598). - CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598). - CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c (and in pcre2_compile.c in PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1782-1 Released: Fri Dec 9 13:35:02 2016 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1001790,1004289,1005404,1006372,1006690,989831,991443 Description: This update for systemd provides the following fixes: - Allow to redirect confirmation messages to a different console. (bsc#1006690) - Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831) - Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289) - Don't emit space usage message right after opening the persistent journal. (bsc#991443) - Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload.
(bsc#1006372) - Document that the *KeyIgnoreInhibited options only apply to a subset of locks. - Revert "logind: really handle *KeyIgnoreInhibited options in logind.conf". (bsc#1001790, bsc#1005404) - Revert "kbd-model-map: add more mappings offered by Yast". - Don't busy loop when we get a notification message we can't process. - Rename kbd-model-map-extra into kbd-model-map.legacy. - Add kbd-model-map-extra file which contains the additional maps needed by YaST. - Drop localfs.service: unused and not needed anymore. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1827-1 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively, please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c (pcre2_compile.c in PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1863-1
Released: Wed Dec 21 10:41:35 2016
Summary: Recommended update for pth
Type: recommended
Severity: low
References: 1013286
Description:
This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released: Mon Jan 2 08:35:08 2017
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580)
- CVE-2016-9840, CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
- Incompatible declarations for external linkage function deflate (bsc#1003577)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:6-1
Released: Tue Jan 3 15:01:58 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538
Description:
This update for systemd fixes the following issues:
- core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
- fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Ship kbd-model-map with the correct contents. (bsc#1015515)
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
- tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
- nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
- systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:32-1
Released: Mon Jan 9 11:50:42 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 994794
Description:
This update for dirmngr enables support for daemon mode.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:47-1
Released: Wed Jan 11 11:42:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1018214,1018399
Description:
This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:98-1
Released: Thu Jan 19 10:17:55 2017
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 998906
Description:
This update for kmod fixes a rare race condition while loading modules.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:149-1
Released: Wed Jan 25 09:17:08 2017
Summary: Security update for systemd
Type: security
Severity: important
References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:
This update for systemd fixes the following issues:

This security issue was fixed:
- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).
These non-security issues were fixed:
- Fix permission set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries shown by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released: Thu Feb 2 18:22:37 2017
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.

This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

This non-security issue was fixed:
- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:192-1
Released: Fri Feb 3 18:46:05 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:209-1
Released: Tue Feb 7 17:00:47 2017
Summary: Recommended update for libseccomp
Type: recommended
Severity: low
References: 1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1
Released: Wed Feb 8 13:07:24 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released: Fri Feb 10 15:39:32 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641).

Security issues fixed:
- CVE-2016-7055: The x86_64 optimized Montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)

Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfilesd files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds (bsc#1019276)
- Properly require logrotate as we need it for the dirmngr configs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:365-1
Released: Fri Mar 10 15:16:59 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1006175
Description:
This update for sg3_utils fixes the following issue:
- Add udev rules to handle legacy CCISS devices (bsc#1006175)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:389-1
Released: Thu Mar 16 14:16:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:
This update for systemd provides the following fixes:
- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:439-1
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Type: recommended
Severity: low
References: 1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released: Fri Mar 24 21:58:07 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package. (bsc#1015943)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:464-1
Released: Mon Mar 27 15:50:51 2017
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1007851,1029725,1029900
Description:
This update for glibc fixes a potential segmentation fault in libpthread:
- Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:580-1
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Type: recommended
Severity: important
References: 1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types [bsc#1028410]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:609-1
Released: Tue Apr 18 11:28:14 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:732-1
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1030621
Description:
This update for procps fixes the following issues:
- Command w(1) with option -n doesn't work. (bsc#1030621)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:735-1
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:751-1
Released: Thu May 11 17:14:30 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:
This update for systemd provides the following fixes:
- logind: Update empty and "infinity" handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning "atkbd serio0: Unknown key pressed". (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as "unchanged". (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398)
- core: Downgrade "Time has been changed" message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:794-1
Released: Tue May 16 15:41:09 2017
Summary: Security update for bash
Type: security
Severity: moderate
References: 1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.

Additionally, the popd builtin now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:799-1
Released: Wed May 17 00:21:13 2017
Summary: Recommended update for glibc
Type: recommended
Severity: low
References: 1026224,1035445
Description:
This update for glibc introduces basic support for IBM POWER9 systems.

Additionally, an improper assert in dlclose() has been removed.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:865-1
Released: Wed May 24 16:23:20 2017
Summary: Security update for pam
Type: security
Severity: moderate
References: 1015565,1037824,934920,CVE-2015-3238
Description:
This update for pam fixes the following issues:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:873-1
Released: Fri May 26 16:19:47 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1009532,960273
Description:
This update for e2fsprogs provides the following fixes:
- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:877-1
Released: Mon May 29 15:11:48 2017
Summary: Recommended update for cryptsetup
Type: recommended
Severity: low
References: 1031998
Description:
This update for cryptsetup provides the following fix:
- Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:891-1
Released: Tue May 30 22:28:21 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:907-1
Released: Thu Jun 1 14:23:36 2017
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1003978,1031643
Description:
This update for shadow fixes the following issues:
- Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643)
- useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID range was iterated to find an available UID/GID. This could take a long time over a network device. Instead, find an available UID/GID locally, and then check only those values over the network. (bsc#1003978)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:918-1
Released: Tue Jun 6 12:35:44 2017
Summary: Recommended update for libsemanage, selinux-policy
Type: recommended
Severity: moderate
References: 1020143,1032445,1035818,1038189
Description:
This update for libsemanage, selinux-policy fixes the following issues:
- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:939-1
Released: Mon Jun 12 10:56:22 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:
* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:959-1
Released: Wed Jun 14 14:38:11 2017
Summary: Recommended update for gcc5
Type: recommended
Severity: low
References: 1043580
Description:
This update for gcc5 fixes the version of libffi in its pkg-config configuration file.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:962-1
Released: Wed Jun 14 16:33:07 2017
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)

Non-security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released: Mon Jun 19 14:57:41 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the fips selftests, this prevents the "Oops, secure memory pool already initialized" warning. (bsc#931932)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released: Mon Jun 19 17:19:44 2017
Summary: Security update for glibc
Type: security
Severity: important
References: 1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:
- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357]
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released: Fri Jun 23 16:38:55 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1038194
Description:
This update for e2fsprogs provides the following fixes:
- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released: Mon Jun 26 08:12:24 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released: Mon Jun 26 13:22:26 2017
Summary: Recommended update for libsemanage, policycoreutils
Type: recommended
Severity: low
References: 1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:
- Show version numbers of modules where they are available (bsc#1043237)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released: Fri Jun 30 10:54:06 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1045943
Description:
This update for dirmngr provides the following fix:
- Change logrotate from Requires to Recommends (bsc#1045943)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released: Fri Jun 30 15:36:17 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released: Tue Jul 4 16:13:55 2017
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:

Security issue fixed:
- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)

The update also fixed several non-security bugs:
- core/mount: Use the "-c" flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303). The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released: Thu Jul 6 11:37:18 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released: Fri Jul 7 11:23:20 2017
Summary: Recommended update for ncurses
Type: security
Severity: important
References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)

Bugfixes:
- Drop patch ncurses-5.9-environment.dif as the YaST2 ncurses GUI does not need it anymore and it also causes bug bsc#1000662
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released: Fri Jul 14 17:20:26 2017
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connection (bsc#1031702)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released: Wed Jul 19 11:12:51 2017
Summary: Security update for systemd, dracut
Type: security
Severity: important
References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:

Security issues fixed:
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

Non-security issues fixed in systemd:
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

Non-security issues fixed in dracut:
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft). (bsc#1037120)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1222-1
Released: Wed Jul 26 17:15:18 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1034563,1039941
Description:
This update for procps provides the following fixes:
- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1245-1
Released: Thu Aug 3 10:43:15 2017
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445
Description:
This update for systemd provides several fixes and enhancements.

Security issues fixed:
- CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

The update also fixed several non-security bugs:
- core/mount: Use the "-c" flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303). The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1268-1 Released: Mon Aug 7 10:09:19 2017 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364 Description: This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation: - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908) - Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175) - Fix x86 extended feature detection (bsc#1029523) - Allow runtime switching of s390x capabilities via the "OPENSSL_s390xcap" environmental variable (bsc#1028723) - s_client sent empty client certificate (bsc#1028281) Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. - Fix a bug in XTS key handling (bsc#1019637) - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1279-1 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Type: security Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. 
(bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1316-1 Released: Thu Aug 10 13:54:27 2017 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1014471,1026825,1044840,938657 Description: This update for cyrus-sasl provides the following fixes: - Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence "GSSAPI client step 1" debug log message (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1326-1 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Type: security Severity: low References: 1038444,CVE-2017-8872 Description: This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1330-1 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Type: recommended Severity: low References: 954661 Description: This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. 
(bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 Description: This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1334-1 Released: Tue Aug 15 20:09:03 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1048679,874665 Description: This update for systemd fixes the following issues: - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS "bg" mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1335-1 Released: Wed Aug 16 11:24:21 2017 Summary: Security update for curl Type: security Severity: moderate References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101 Description: This update for curl fixes the following issues: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 Description: This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1349-1
Released: Fri Aug 18 12:31:07 2017
Summary: Recommended update for lua51
Type: recommended
Severity: low
References: 1051626
Description:
This update for lua51 provides the following fixes:
- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1390-1
Released: Fri Aug 25 15:14:27 2017
Summary: Security update for libzypp
Type: security
Severity: important
References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
yast2-pkg-bindings:
- Do not crash when the repository URL is not defined. (bsc#1043218)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1419-1
Released: Wed Aug 30 15:38:22 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:
- CVE-2016-9063: Possible integer overflow inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External entity vulnerability could lead to denial of service (bsc#1047236)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1439-1
Released: Fri Sep 1 15:31:05 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1045384,1045987,1046268,1047379,1048605
Description:
This update for systemd fixes the following issues:
- Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1447-1
Released: Mon Sep 4 15:38:20 2017
Summary: Security update for libzypp, zypper
Type: security
Severity: important
References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)
zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1450-1
Released: Mon Sep 4 16:36:07 2017
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 1035062,944903
Description:
This update for insserv-compat fixes the following issues:
- Add /etc/init.d hierarchy from the former "filesystem" package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to the list of requirements.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1453-1
Released: Mon Sep 4 21:23:50 2017
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:
- libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null, which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in the healthcheck sanity test, to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- Fix a bug in gcry_drbg_healthcheck_sanity() which caused some of the tests to be skipped (bsc#1046659)
- dlsym returns a PLT address on s390x, so dlopen libgcrypt20.so before calling dlsym (bsc#1047008)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1548-1
Released: Fri Sep 15 18:19:12 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:
- Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fall back to using sg_inq --page when using multipath devices in AutoYaST2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1592-1
Released: Tue Sep 26 17:38:03 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1028485,1045628,978055,998893,999878
Description:
This update for lvm2 provides the following fixes:
- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1644-1
Released: Mon Oct 9 07:52:24 2017
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.
This security issue was fixed:
- CVE-2017-11462: Prevent automatic security context deletion to prevent a double-free (bsc#1056995)
These non-security issues were fixed:
- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of the LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1663-1
Released: Tue Oct 10 12:05:09 2017
Summary: Recommended update for dbus-1
Type: recommended
Severity: moderate
References: 1043615,1046173
Description:
This update for dbus-1 provides the following fixes:
- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1703-1
Released: Tue Oct 17 13:20:12 2017
Summary: Recommended update for audit
Type: recommended
Severity: low
References: 1042781
Description:
This update for audit provides the following fix:
- Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1758-1
Released: Mon Oct 23 08:47:47 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-1000254: FTP PWD response parser out-of-bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out-of-bounds read (bsc#1063824)
Bugs fixed:
- Fixed error "error:1408F10B:SSL routines" when connecting to ftps via proxy (bsc#1060653)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1796-1
Released: Fri Oct 27 21:25:06 2017
Summary: Recommended update for pcre
Type: recommended
Severity: moderate
References: 1058722
Description:
This update for pcre fixes the following issues:
- Fixed the pcre stack frame size detection, which modern compilers break by cloning and inlining the pcre match() function (bsc#1058722)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1797-1
Released: Sat Oct 28 12:06:19 2017
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1048645,1060738
Description:
This update for permissions fixes the following issues:
- Allow users to install the HPC "singularity" toolkit for managing singularity containers in setuid root mode. (bsc#1028304)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1826-1
Released: Wed Nov 8 08:47:17 2017
Summary: Security update for krb5
Type: security
Severity: important
References: 1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:
Security issues fixed:
- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could, under specific circumstances, be used to execute code (bsc#1065274)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1829-1
Released: Wed Nov 8 08:50:00 2017
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1023895,1052261,980486,CVE-2017-12424
Description:
This update for shadow fixes several issues.
This security issue was fixed:
- CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have led to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261).
These non-security issues were fixed:
- bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings
- bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1881-1
Released: Wed Nov 22 16:29:58 2017
Summary: Security update for file
Type: security
Severity: moderate
References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:
The GNU file utility was updated to version 5.22.
Security issues fixed:
- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allowed remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)
Version update to file version 5.22:
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of "(uses dynamic libraries)" when PT_INTERP is present print the interpreter name.
Version update to file version 5.21:
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads
Update to file version 5.20:
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support
Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* The file command threw a "Composite Document File V2 Document, corrupt: Can't read SSAT" error against the Excel 97/2003 file format. (bsc#1009966)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1903-1
Released: Fri Nov 24 16:19:37 2017
Summary: Security update for perl
Type: security
Severity: moderate
References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)
Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1916-1
Released: Fri Nov 24 20:15:01 2017
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1043333,1059723
Description:
This update for libgcrypt provides the following fix:
- Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon. (bsc#1059723)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1917-1
Released: Mon Nov 27 13:32:07 2017
Summary: Optional update for gcc7
Type: recommended
Severity: low
References: 1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.
New features:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-nvptx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA card offload support.
The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 7, several bugs were fixed, quite a few new warnings were added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1965-1
Released: Thu Nov 30 12:48:45 2017
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libsolv:
- Many fixes and improvements for cleandeps.
- Always create dup rules for "distupgrade" jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.
libzypp:
- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.
zypper:
- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands to support setting only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1966-1
Released: Thu Nov 30 13:45:24 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249
Description:
This update for systemd fixes the following issues:
- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow to specify the generation number through the kernel command line.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert the /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1968-1
Released: Thu Nov 30 19:49:33 2017
Summary: Recommended update for coreutils
Type: recommended
Severity: low
References: 1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:
- Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example it no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1970-1
Released: Thu Nov 30 22:55:41 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2017-3735: openssl1, openssl: Malformed X.509 IPAddressFamily could cause an out-of-bounds read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out-of-bounds read and crash in DES_fcrypt (bsc#1065363)
- The openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2021-1
Released: Fri Dec 8 10:11:04 2017
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1070878,1070958
Description:
This update for file fixes detection of JPEG files.
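The GPG-check workflow fixes in SUSE-SU-2017:1390-1 and SUSE-SU-2017:1447-1 above only help on hosts whose repositories actually have signature checking switched on; a repository configured with gpgcheck=0 is still installed from without any signature verification. The shell script below is an added example, not SUSE's or libzypp's own code: it audits a directory of zypper .repo files and reports every enabled repository that sets gpgcheck, repo_gpgcheck or pkg_gpgcheck to 0. The three key names are the libzypp ones (the advisory text itself does not spell them out), an absent gpgcheck key is treated as the default of "on", and the sample .repo files that make_sample_repos writes to a temporary directory are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: find zypper repositories with GPG checking disabled.
# Parses INI-style .repo files (possibly several [sections] per file) and
# prints "<file>:<repo>:<key>=0" for every enabled repository whose
# gpgcheck, repo_gpgcheck or pkg_gpgcheck key is explicitly 0.

audit_repo_dir() {                      # audit_repo_dir DIR  -> sorted findings on stdout
    dir="$1"
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function report(   k) {
                if (section == "") return
                # enabled=0 repositories are never used for installs; skip them
                if (("enabled" in kv) && kv["enabled"] == "0") return
                for (k in kv)
                    if ((k == "gpgcheck" || k == "repo_gpgcheck" || k == "pkg_gpgcheck") && kv[k] == "0")
                        printf "%s:%s:%s=0\n", file, section, k
            }
            { sub(/[[:space:]]+$/, "") }                      # strip trailing whitespace
            /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }  # comments and blank lines
            /^[[:space:]]*\[.*]$/ {                          # [section] header
                report()
                section = $0
                sub(/^[[:space:]]*\[/, "", section)
                section = substr(section, 1, length(section) - 1)
                split("", kv)                                 # portable way to clear the array
                next
            }
            /=/ {                                             # key = value
                key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
                val = $0; sub(/^[^=]*=/, "", val); gsub(/[[:space:]]/, "", val)
                kv[key] = val
            }
            END { report() }
        ' "$f"
    done | sort
}

make_sample_repos() {                   # constructed sample repo files; prints the directory
    dir=$(mktemp -d)
    cat > "$dir/oss.repo" <<'EOF'
[repo-oss]
name=Main Repository (constructed sample)
enabled=1
baseurl=https://example.invalid/oss
gpgcheck=1
EOF
    cat > "$dir/vendor.repo" <<'EOF'
# vendor-supplied repo file, constructed sample
[vendor-tools]
name=Vendor tools
enabled=1
baseurl=https://example.invalid/vendor
gpgcheck=0

[vendor-debug]
name=Vendor debug (disabled, so not reported)
enabled=0
baseurl=https://example.invalid/vendor-debug
gpgcheck=0
EOF
    cat > "$dir/mixed.repo" <<'EOF'
[mixed]
name=Repo metadata signed, package signatures ignored
enabled=1
baseurl=https://example.invalid/mixed
gpgcheck=1
pkg_gpgcheck = 0
EOF
    echo "$dir"
}

audit_findings() {                      # run the audit on the sample set, paths relative to it
    dir=$(make_sample_repos)
    audit_repo_dir "$dir" | sed "s|^$dir/||"
    rm -rf "$dir"
}

audit_findings
```

On a real host run audit_repo_dir /etc/zypp/repos.d; an empty result means every enabled repository keeps signature checking on. The sample set yields two findings, vendor-tools (gpgcheck=0) and mixed (pkg_gpgcheck=0), while the disabled vendor-debug repository is ignored.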
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2031-1
Released: Mon Dec 11 12:55:57 2017
Summary: Recommended update for gzip
Type: recommended
Severity: low
References: 1067891
Description:
This update for gzip provides the following fix:
- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2036-1
Released: Wed Dec 13 16:34:21 2017
Summary: Recommended update for util-linux
Type: recommended
Severity: low
References: 1039276,1040968,1055446,1066500
Description:
This update for util-linux provides the following fixes:
- Allow unmounting of filesystems without calling stat() on the mount point when "-c" is used. (bsc#1040968)
- Fix an infinite loop and a crash, and report the correct minimum and maximum frequencies, in lscpu for some processors. (bsc#1055446)
- Fix a lscpu failure in the Sydney Amazon EC2 region. (bsc#1066500)
- If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2097-1
Released: Sat Dec 16 01:59:00 2017
Summary: Security update for openssl
Type: security
Severity: important
References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738
Description:
This update for openssl fixes the following issues:
- OpenSSL Security Advisory [07 Dec 2017]
  * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b to 1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
  * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions, like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2137-1
Released: Thu Dec 21 17:49:12 2017
Summary: Recommended update for dbus-1
Type: recommended
Severity: moderate
References: 1046173,1071698
Description:
This update for dbus-1 provides the following fixes:
- The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:4-1
Released: Tue Jan 2 15:58:20 2018
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)
zypper:
- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:38-1
Released: Tue Jan 9 14:56:43 2018
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 1070209
Description:
This update for kmod provides the following fixes:
- Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:55-1
Released: Fri Jan 12 09:45:49 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:
- A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
- A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
- A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:86-1
Released: Wed Jan 17 09:38:17 2018
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released:    Wed Jan 17 14:41:17 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released:    Wed Jan 17 14:44:33 2018
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    low
References:  1063051,1067312
Description:
This update for lvm2 provides the following fixes:

- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages when testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd. (bsc#1067312)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released:    Thu Jan 25 11:44:23 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1064397,1065083
Description:
This update for openldap2 provides the following fixes:

- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released:    Thu Jan 25 13:38:37 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.

This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released:    Tue Jan 30 10:53:43 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.

These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released:    Tue Jan 30 14:36:40 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.

This security issue was fixed:
- CVE-2018-1049: Prevent a race that can lead to DoS when using automounts (bsc#1076308).

These non-security issues were fixed:
- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: "/dev/disk/by-id/cr_-xxx".
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files. (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be "gpt-auto" (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released:    Tue Jan 30 14:37:42 2018
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.

This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER encoded structure, which allowed for DoS (bsc#1076832).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released:    Thu Feb 8 17:47:43 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes several issues.

These security issues were fixed:
- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released:    Mon Feb 12 11:50:39 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    low
References:  1057452,1076909
Description:
This update for bash provides the following fixes:

- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released:    Thu Feb 15 14:47:35 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:

Security issues fixed:
- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485, CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)

Non security bugs fixed:
- Release read lock after resetting timeout (bsc#1073990)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released:    Mon Feb 26 16:34:46 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:

Security issue fixed:
- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on. This could be used by local attackers to gain privileges (bsc#1077925)

Non Security issues fixed:
- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com.
- Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224). But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released:    Wed Feb 28 16:33:37 2018
Summary:     Recommended update for net-tools
Type:        recommended
Severity:    low
References:  1009905,1063910
Description:
This update for net-tools provides the following fix:

- netstat: fix handling of large socket numbers (bsc#1063910)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released:    Fri Mar 9 14:05:22 2018
Summary:     Security update for augeas
Type:        security
Severity:    low
References:  1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:

Security issue fixed:
- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mishandled by parse_name() (bsc#1054171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released:    Fri Mar 9 18:02:14 2018
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:

- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released:    Mon Mar 12 13:13:55 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:

- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released:    Thu Mar 15 07:38:52 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:

- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released:    Thu Mar 15 10:47:40 2018
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    low
References:  1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:

libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.

libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)

zypper:
- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released:    Thu Mar 22 08:20:46 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:

The following security issues were fixed:
- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released:    Thu Mar 29 14:02:08 2018
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:

Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).

Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released:    Thu Apr 5 17:22:37 2018
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.

This security issue was fixed:
- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released:    Wed Apr 11 18:02:57 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:

- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. (bsc#1087102)
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:730-1 Released: Wed Apr 25 14:14:41 2018 Summary: Security update for perl Type: security Severity: moderate References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:736-1 Released: Wed Apr 25 14:23:49 2018 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1075978,1077635,1079991,1082318,1086602 Description: This update for libsolv, libzypp provides the following fixes: Changes in libsolv: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Also make use of suggests for ordering packages. (bsc#1077635) - Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978) - Use license tag instead of doc in the spec file. (bsc#1082318) Changes in libzypp: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Fix a memory leak in Digest.cc. (bsc#1075978) - Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:779-1 Released: Wed May 2 22:16:26 2018 Summary: Recommended update for rpm Type: recommended Severity: low References: 1003714,1027925,1069934 Description: This update for rpm provides the following fixes: - Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925) - Add %sle_version macro to suse_macros. 
(bsc#1003714) - Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively. - Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string "~~~". - Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument. - Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or "~~~". The number values have the same meaning as in %rpm_vercmp and the "~~~" string is returned if the package or capability can't be found. (bsc#1069934) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:797-1 Released: Mon May 7 07:07:38 2018 Summary: Recommended update for gcc7 Type: recommended Severity: important References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930 Description: This update for gcc7 to 7.3 release fixes the following issues: - Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812). - The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946] - Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621] - Update includes a fix for chromium build failure. [bsc#1083290] - Various AArch64 compile fixes are included: * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419. * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930] * Enable --enable-fix-cortex-a53-835769 for aarch64. 
* Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667] * Fixed bogus stack probe instruction on ARM. [bsc#1068967] - Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550] - Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:939-1 Released: Thu May 17 08:41:30 2018 Summary: Security update for curl Type: security Severity: moderate References: 1086825,1092098,CVE-2018-1000301 Description: This update for curl fixes several issues: Security issues fixed: - CVE-2018-1000301: Fixed a RTSP bad headers buffer over-read could crash the curl client (bsc#1092098) Non security issues fixed: - If the DEFAULT_SUSE cipher list is not available use the HIGH cipher alias before failing. (bsc#1086825) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:974-1 Released: Wed May 23 16:46:50 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323 Description: This update for systemd provides the following fixes: - sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092) - sysusers: Also add support for NIS entries in /etc/shadow. - sysusers: Make sure to reset errno before calling fget*ent(). - coredump: Respect ulimit -c 0 settings. (bsc#1075804) - systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626) - systemctl: Don't mangle unit names in check_unit_generic(). - rules, compat-rules: Fix errors detected by the rule syntax checker. - python: Use raw strings for regexp patterns. - compat-rules: Make path_id_compat build with meson. 
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465) - Fix memory hotplugging. - systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the "udevadm trigger" from user space. (bsc#1082485) - systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422) - Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:977-1 Released: Wed May 23 17:14:16 2018 Summary: Security update for bash Type: security Severity: moderate References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543 Description: This update for bash fixes the following issues: Security issues fixed: - CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299) - CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396) Non-security issues fixed: - Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. 
(bsc#1086247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:978-1 Released: Wed May 23 17:18:39 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 Description: This update for zlib fixes the following issues: - Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1028-1 Released: Tue Jun 5 13:20:44 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1089884 Description: This update for pam fixes the following issues: - Fix order of accessed configuration files in man page. (bsc#1089884) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1077-1 Released: Wed Jun 6 11:44:25 2018 Summary: Security update for glibc Type: security Severity: important References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 Description: This update for glibc fixes the following issues: - CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150) - CVE-2018-11236: Fix overflow in path length computation (bsc#1094161) - CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154) Non security bugs fixed: - Fix crash in resolver on memory allocation failure (bsc#1086690) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1082-1 Released: Thu Jun 7 12:58:56 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1073879,1080078,964063 Description: This update for rpm fixes the following issues: - Backport support for no_recompute_build_ids macro. (bsc#964063) - Fix code execution when evaluating common python-related macros. 
(bsc#1080078)

Additionally, this update adds python3-rpm to SUSE Linux Enterprise Server.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released:    Fri Jun 15 13:41:08 2018
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1096745,CVE-2018-12020
Description:

This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option (bsc#1096745).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released:    Fri Jun 15 19:19:51 2018
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1090765
Description:

This update for openssl provides the following fix:

- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates (bsc#1090765).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released:    Thu Jun 28 13:44:16 2018
Summary:     Security update for procps
Type:        security
Severity:    moderate
References:  1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:

This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to heap corruption in the file2strvec function. This allowed privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released:    Thu Jul 5 08:36:17 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1097158,1097624,1098592,CVE-2018-0732
Description:

This update for openssl fixes the following issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite, a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long time generating a key for this prime, resulting in a hang until the client had finished. This could be exploited in a denial of service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released:    Tue Jul 17 08:07:57 2018
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:

This update for perl fixes the following issues:

These security issues were fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718).

This non-security issue was fixed:

- Fixed debugger crash in tab completion with Term::ReadLine::Gnu (bsc#1068565).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released:    Thu Jul 19 09:43:21 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:

This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released:    Thu Jul 26 16:32:29 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:

This update for util-linux fixes the following issues:

This security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a.
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1413-1
Released:    Fri Jul 27 12:41:13 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:

This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order (bsc#1090766).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released:    Mon Jul 30 10:10:45 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:

This update for pam provides the following fix:

- Added /etc/security/limits.d to the pam package (bsc#1096282).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released:    Mon Aug 13 13:41:22 2018
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1065448,1070431,1077787,1092640
Description:

This update for sg3_utils provides the following fixes:

- Decode standard INQUIRY for CD-ROMs correctly (bsc#1065448, bsc#1070431).
- Fix page decoding (bsc#1077787).
- Remove initrd rebuild macros for the libsgutils2 subpackage (bsc#1092640).
- Use %post -p for ldconfig (bsc#1092640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1610-1
Released:    Thu Aug 16 14:04:25 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:

This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order (bsc#1090766).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released:    Thu Aug 16 14:49:45 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:

This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released:    Thu Aug 16 15:27:04 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:

This update for systemd fixes the following issues:

- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fixup prefix for pre-SPC inquiry reply (bsc#1039099).
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4 (bsc#1095096).
- compat-rules: Generate more compat by-id symlinks for NVMe devices (bsc#1095096).
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator (bsc#1083158).
- udev: Don't create by-partlabel/primary and .../logical symlinks (bsc#1089761).
- rules: Add /dev/disk/by-partuuid symlinks also for DOS partition tables.
- device: Make sure to always retroactively start device dependencies (bsc#1088052).
- device: Skip deserialization of device units when udevd is not running.
- install: "user" and "global" scopes are equivalent for user presets (bsc#1093851).
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service units with Type=simple (bsc#1091265).
- logind: Fix crash when shutdown is not issued from a tty (bsc#1088890).
- logind: Do not use an uninitialized variable (bsc#1088890).
- Disable user services by default (bsc#1090785).
- Ship 99-sysctl.conf instead of creating it during package installation/update (bsc#1088769). Previously this symlink was created in /etc/sysctl.d during %post, which left it unowned by any package and, more importantly, created it only if /etc/sysctl.conf was already installed, which is not always the case during the installation process. The symlink is now shipped unconditionally and placed in /usr/lib/sysctl.d instead, since it is a distribution default that the sysadmin may override later.
- systemd: Add offline environment condition to 80-acpi-container-hotplug.rules (bsc#1080382, bsc#1082485). The offline event environment condition restricts the rule so that it can only be triggered when the change event is received with the "offline" environment data. The kernel patch 27664c581 "ACPI / scan: Send change uevent with offine environmental data" changed the corresponding code in the kernel. This change prevents the udev rules for ACPI containers from being triggered by "udevadm trigger" from user space.
- build-sys: Explicitly require python3 (bsc#1082004).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1636-1
Released:    Thu Aug 16 15:30:11 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:

This update for pam provides the following fix:

- Added /etc/security/limits.d to the pam package (bsc#1096282).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1689-1
Released:    Mon Aug 20 09:02:24 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:

This update for pam provides the following fix:

- Added /etc/security/limits.d to the pam package (bsc#1096282).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1691-1
Released:    Mon Aug 20 09:04:17 2018
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1065448,1070431,1077787,1092640
Description:

This update for sg3_utils provides the following fixes:

- Decode standard INQUIRY for CD-ROMs correctly (bsc#1065448, bsc#1070431).
- Fix page decoding (bsc#1077787).
- Remove initrd rebuild macros for the libsgutils2 subpackage (bsc#1092640).
- Use %post -p for ldconfig (bsc#1092640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1695-1
Released:    Mon Aug 20 09:19:20 2018
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:

This update for perl fixes the following issues:

These security issues were fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718).

This non-security issue was fixed:

- Fixed debugger crash in tab completion with Term::ReadLine::Gnu (bsc#1068565).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1698-1
Released:    Mon Aug 20 09:19:28 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:

This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1834-1
Released:    Wed Sep 5 10:17:42 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1089761,1090944,1101040,1103910
Description:

This update for systemd fixes the following issues:

- cryptsetup: Add support for the sector-size= option (fate#325634).
- resolved: Apply epoch to system time from PID 1 (bsc#1103910).
- core/service: Rework the hold-off time over message.
- core: Don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944).
- man: SystemMaxUse= clarification in journald.conf(5) (bsc#1101040).
- Add the udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used (bsc#1089761).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1903-1
Released:    Fri Sep 14 12:46:21 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1089533,1106019,CVE-2018-14618
Description:

This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019).

This non-security issue was fixed:

- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1969-1
Released:    Mon Sep 24 08:06:42 2018
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    important
References:  1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685
Description:

This update for libzypp, zypper fixes the following issues:

Update libzypp to version 16.17.20:

Security issues fixed:

- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685).
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685).

Other bugs fixed:

- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304).
- Handle HTTP error 502 Bad Gateway in the curl backend (bsc#1070851).
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349).
- HardLocksFile: Prevent an empty commit without the Target having been loaded (bsc#1096803).
- Avoid zombie tar processes (bsc#1076192).

Update zypper to version 1.13.45:

Security issues fixed:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269).
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269).

Other bugs fixed:

- XML <install-summary> attribute `packages-to-change` added (bsc#1102429).
- man: Clarify that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028).
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413).
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413).
- Fix: zypper bash completion expands non-existing options (bsc#1049825).
- Improve signature check callback messages (bsc#1045735).
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1985-1
Released:    Mon Sep 24 11:56:08 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1089640
Description:

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest (bsc#1089640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1994-1
Released:    Mon Sep 24 12:55:57 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1106914
Description:

This update for shadow fixes the following security issue:

- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2069-1
Released:    Fri Sep 28 08:01:25 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737
Description:

This update for openssl fixes the following issues:

These security issues were fixed:

- Prevent the One&Done side-channel attack on RSA, which allowed physically near attackers to use EM emanations to recover information (bsc#1104789).
- CVE-2018-0737: The RSA key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039).

These non-security issues were fixed:

- Add an openssl(cli) Provides so that packages which require the openssl binary can require it instead of the new openssl meta package (bsc#1101470).
- Fixed path to the engines, which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2162-1
Released:    Fri Oct 5 14:46:53 2018
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1088921
Description:

This update for krb5 provides the following fix:

- Resolve krb5 GSS credentials immediately if the application requests the lifetime (bsc#1088921).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2181-1
Released:    Tue Oct 9 11:08:20 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case, leading to a denial of service (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2196-1
Released:    Thu Oct 11 07:45:16 2018
Summary:     Optional update for gcc8
Type:        recommended
Severity:    low
References:  1084812,1084842,1087550,1094222,1102564
Description:

The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 8, several bugs fixed, a number of new warnings added, and the error pin-pointing and fix suggestions greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:

https://gcc.gnu.org/gcc-8/changes.html

Changes needed and common pitfalls when porting software are described at:

https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2217-1
Released:    Fri Oct 12 15:07:24 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1094121,1107430
Description:

This update for bash provides the following fixes:

- Fix inconsistent behaviour regarding expansion of here strings (bsc#1094121).
- Fix mis-matching of null string with '*' pattern (bsc#1107430).
- Fix a crash when the lastpipe option is enabled.
- Fix a typo that was preventing the `compat42' shopt option from working as intended.
- Help the shell to process any pending traps at redirection.
- Fix a crash due to incorrect conversion from an indexed to an associative array.
- Avoid the expansion of escape sequences in HOSTNAME in the prompt.
- Avoid `xtrace' attack over $PS4.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2373-1
Released:    Mon Oct 22 14:43:47 2018
Summary:     Security update for rpm
Type:        security
Severity:    moderate
References:  1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:

This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457).

This non-security issue was fixed:

- Use ksym-provides tool (bsc#1077692).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released:    Wed Oct 24 14:42:43 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:

This update for systemd fixes the following issues:

- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197).
- emergency: make sure console password agents don't interfere with the emergency shell.
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254).
- man: document that 'nofail' also has an effect on ordering.
- journald: take leading spaces into account in syslog_parse_identifier.
- journal: do not remove multiple spaces after identifier in syslog message.
- syslog: fix segfault in syslog_parse_priority().
- journal: fix syslog_parse_identifier().
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753).
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901).
- user@.service: don't kill user manager at runlevel switch (bsc#1091677).
- units: make sure user@.service runs with dbus still up.
- fix race between daemon-reload and other commands (bsc#1105031).
- nspawn: always use mode 555 for /sys (bsc#1107640).
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990).
- Enable or disable machines.target according to the presets (bsc#1107941).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released:    Thu Oct 25 16:56:24 2018
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    moderate
References:  1099982,1109877,408814,556664,939392
Description:

This update for libzypp fixes the following issues:

- Add filesize check for downloads with known size (bsc#408814).
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664).
- Fix blocking wait for finished child process (bsc#1109877).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released:    Fri Oct 26 12:39:59 2018
Summary:     Recommended update for cpio
Type:        recommended
Severity:    low
References:  1076810,889138
Description:

This update for cpio provides the following fix:

- Remove an obsolete patch that was causing cpio not to preserve folder permissions (bsc#1076810, bsc#889138).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released:    Mon Oct 29 16:14:48 2018
Summary:     Recommended update for console-setup, kbd
Type:        recommended
Severity:    moderate
References:  1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:

This update for kbd and console-setup provides the following fixes:

Changes in console-setup:

- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps (fate#325454, fate#318426).
- Make the package build reproducible (bsc#1062303).
- Removed unneeded requires on kbd in order to resolve the build cycle between kbd and console-setup (bsc#963942).

Changes in kbd:

- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to U+F000 as they do not work properly (bsc#1085432).
  * Move initial NumLock handling from systemd back to kbd:
    * Add kbdsettings service (bsc#1010880).
    * Exclude numlockbios support for non-x86 platforms.
    * Drop references to KEYTABLE and COMPOSETABLE (bsc#1010880).
  * Drop some fill-up templates and a couple of sysconfig variables that systemd no longer reads (fate#319454).
  * Replace references to /var/adm/fillup-templates with the new %_fillupdir macro (bsc#1069468).
  * Add vlock.pamd PAM file (bsc#1056449).
  * Enable vlock (bsc#1056449).
  * Revert dropping of the kbd-legacy requirement as there are still packages and installation flows that need it to be present (bsc#1027379).
  * Fix data/keymaps/i386/qwerty/br-abnt2.map (bsc#984958).
  * Fix missing dependency on coreutils for initrd macros (bsc#958562).
  * Call missing initrd macro at postun (bsc#958562).
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps (fate#318426).
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of the previously used 'pc105') (fate#318426).
  * Include xkb layouts from xkeyboard-config converted to console keymaps (fate#318426).
  * euro.map, euro1.map and euro2.map now produce the correct Unicode character for the Euro sign (bsc#360993).
  * Drop doshell reference from the openvt.1 man page (bsc#675317).
  * Drop the --userwait option as it is not used (bsc#830805).
  * Fix a typo in mac-qwerty-layout.inc (bsc#825385).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released:    Tue Oct 30 09:22:45 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1113117
Description:

This update for bash fixes the following issue:

- A recently released update introduced a change of behaviour that broke customer scripts (bsc#1113117).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released:    Fri Nov 2 17:09:49 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:

This update for curl fixes the following issues:

- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758).
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c that could lead to crashes was fixed (bsc#1113660).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released:    Fri Nov 2 18:59:06 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1047937,1057150,1057900,1099452,906858
Description:

This update for apparmor provides the following fixes:

- Add profile for usr.bin.lessopen.sh (bsc#906858).
- Fix dovecot apparmor profile (bsc#1057150).
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937).
- Fix the traceroute profile to allow IPv6 usage (bsc#1057900).
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released:    Wed Nov 7 11:04:00 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1095148,1113100
Description:

This update for rpm fixes the following issues:

- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100).
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released:    Wed Nov 14 14:14:41 2018
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd (bsc#1113632).
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation (bsc#1113665).

Non-security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit.
- core: skip unit deserialization and move to the next one when unit_deserialize() fails.
- core: properly handle deserialization of unknown unit types (#6476).
- core: don't create Requires for workdir if "missing ok" (bsc#1113083).
- logind: use manager_get_user_by_pid() where appropriate.
- logind: rework manager_get_{user|session}_by_pid() a bit.
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024).
- core: be more defensive if we can't determine per-connection socket peer (#7329).
- socket-util: introduce port argument in sockaddr_port().
- service: fixup ExecStop for socket-activated shutdown (#4120).
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923).
- cryptsetup: build fixes for "add support for sector-size= option".
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278).
- core: keep the kernel coredump defaults when systemd-coredump is disabled.
- core: shorten main() a bit, split out coredump initialization.
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835).
- core/mount: fstype may be NULL.
- journald: don't ship systemd-journald-audit.socket (bsc#1109252).
- core: make "tmpfs" dependencies on swapfs a "default" dep, not an "implicit" (bsc#1110445).
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076).
- tmp.mount.hm4: After swap.target (#3087).
- Ship the systemd-sysv-install helper in the main package. This script was part of the systemd-sysvinit sub-package, which was wrong: systemd-sysv-install redirects enable/disable operations to chkconfig when the targeted units are SysV init scripts, so it has never been a SysV init tool.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released:    Thu Nov 22 16:25:38 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:

This update for openssl fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:

- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2766-1 Released: Fri Nov 23 17:07:27 2018 Summary: Security update for rpm Type: security Severity: important References: 943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS, they have already been released for SUSE Linux Enterprise Server 12 SP3. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1697-1 Released: Fri Nov 23 17:08:32 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. 
(bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1696-1 Released: Mon Nov 26 17:46:39 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1618-1 Released: Tue Nov 27 13:39:49 2018 Summary: Security update for util-linux Type: security Severity: moderate References: 1072947,1078662,1080740,1084300,CVE-2018-7738 Description: This update for util-linux fixes the following issues: This security issue was fixed: - CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300). These non-security issues were fixed: - Fixed crash loop in lscpu (bsc#1072947). - Fixed possible segfault of umount -a - Fixed mount -a on NFS bind mounts (bsc#1080740). - Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2824-1 Released: Mon Dec 3 15:34:09 2018 Summary: Security update for ncurses Type: security Severity: important References: 1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issue: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2836-1 Released: Wed Dec 5 09:29:31 2018 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1111965,1113125 Description: This update for apparmor fixes the following issues: - Systemd aware apparmor.spec, remove old insserv from spec file (bsc#1113125) - Fix warnings produced because of use of uninitialized variables (bsc#1111965) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2840-1 Released: Wed Dec 5 09:57:54 2018 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1028304,1047247,1050467,1097665,1111251 Description: This update for permissions fixes the following issues: - Allow setuid root for start-suid tool of singularity (group only) bsc#1028304 - Allow setuid root for authbind binary (bsc#1111251) - An incorrect error message was adjusted (bsc#1047247 bsc#1097665) - Make btmp root:utmp (bsc#1050467) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2841-1 Released: Wed Dec 5 09:59:45 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1105236,1110661,1112858 Description: This update for glibc fixes the following issues: - Added more checks for valid ld.so.cache file (bsc#1110661) - Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858) - Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2906-1 Released: Tue Dec 11 21:48:05 2018 Summary: Recommended update for blog Type: recommended Severity: moderate References: 1071568 Description: This update for blog fixes the following issues: - Hardening of the console list generation (bsc#1071568) - Changed description of blog-plymouth in same manner as used by the release notes
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2947-1 Released: Mon Dec 17 08:51:28 2018 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,CVE-2017-17740 Description: This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:3029-1 Released: Fri Dec 21 17:34:05 2018 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1117355 Description: This update for libgcrypt provides the following fix: - Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:43-1 Released: Tue Jan 8 13:07:17 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 Description: This update for acl fixes the following issues: - quote: Escape literal backslashes (bsc#953659).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:111-1 Released: Thu Jan 17 14:18:31 2019 Summary: Security update for krb5 Type: security Severity: important References: 1120489,CVE-2018-20217 Description: This update for krb5 fixes the following issues: Security issue fixed: - CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:135-1 Released: Mon Jan 21 13:53:58 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866 Description: This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - core: Queue loading transient units after setting their properties. (bsc#1115518) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - terminal-util: introduce vt_release() and vt_restore() helpers. - terminal: Unify code for resetting kbd utf8 mode a bit. - terminal: Reset should honour default_utf8 kernel setting. - logind: Make session_restore_vt() static. - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state.
The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:143-1 Released: Tue Jan 22 14:21:55 2019 Summary: Recommended update for ncurses Type: recommended Severity: important References: 1121450 Description: This update for ncurses fixes the following issues: - ncurses applications freezing (bsc#1121450) From sle-updates at lists.suse.com Tue Jan 14 00:06:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 Jan 2020 08:06:39 +0100 (CET) Subject: SUSE-CU-2019:696-1: Recommended update of caasp/v4/tiller Message-ID: <20200114070639.E8767F79E@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/tiller ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:696-1 Container Tags : caasp/v4/tiller:2.8.2 , caasp/v4/tiller:2.8.2-rev1 , caasp/v4/tiller:2.8.2-rev1-build2.1 , caasp/v4/tiller:beta1 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v4/tiller was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Tue Jan 14 00:06:48 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 Jan 2020 08:06:48 +0100 (CET) Subject: SUSE-CU-2019:697-1: Security update of caasp/v4/helm-tiller Message-ID: <20200114070648.37836F79E@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/helm-tiller ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:697-1 Container Tags : caasp/v4/helm-tiller:2.8.2 , caasp/v4/helm-tiller:2.8.2-rev1 , caasp/v4/helm-tiller:2.8.2-rev1-build1.1 , caasp/v4/helm-tiller:beta Severity : important Type : security References : 1005023 1009532 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1044840 1045723 1047002 1063675 1065270 1071321 1072183 1076696 1080919 1082318 1083158 1084812 1084842 1086367 1086367 1087550 1088052 1088279 1088524 1089640 1089761 1090944 1091265 1091677 1092877 1093753 1093753 1093851 1094150 1094154 1094161 1094222 1094735 1095096 1095148 1095661 1095670 1095973 1096191 1096718 1096745 1096974 1096984 1097158 1098569 1099793 1100396 1100415 1100488 1101040 1101470 1101470 1101591 1102046 1102310 1102526 1102564 1102908 1103320 1104531 1104780 1105031 1105166 1105435 1105437 1105459 1105460 1106019 1106390 1107066 1107067 1107640 1107941 1109197 1109252 1110304 1110445 1110700 1111019 1111498 1111973 1112024 1112570 1112723 1112726 1112758 1113083 1113100 1113632 1113660 1113665 1114135 1114407 1114674 1114675 1114681 1114686 1114933 1114984 1114993 1115640 1115929 1117025 1117063 1118086 1118087 1118087 1118364 1119414 1119687 1119971 1120323 1120346 1120689 1121051 1121446 1121563 1121563 1122000 1122729 1123043 1123333 1123371 1123377 1123378 1123685 1123727 1123892 1124122 1124153 1124223 1125007 1125352 1125352 1125410 1125604 1126056 1126096 1126117 1126118 1126119 1126327 1126377 1126590 1127557 1128246 1128383 1129576 
1129598 1129753 1130045 1130230 1130325 1130326 1130681 1130682 1131060 1131686 1132348 1132400 1132721 1133506 1133509 1134524 1134856 1135170 915402 918346 943457 953659 960273 985657 991901 CVE-2015-0247 CVE-2015-1572 CVE-2016-10739 CVE-2016-3189 CVE-2017-10790 CVE-2017-18269 CVE-2017-7500 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-0500 CVE-2018-0732 CVE-2018-1000654 CVE-2018-1000858 CVE-2018-10360 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 CVE-2018-11236 CVE-2018-11237 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-16839 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16868 CVE-2018-16868 CVE-2018-16869 CVE-2018-16890 CVE-2018-17953 CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211 CVE-2018-20346 CVE-2018-6954 CVE-2018-9251 CVE-2019-3822 CVE-2019-3823 CVE-2019-3829 CVE-2019-3836 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 CVE-2019-3880 CVE-2019-5021 CVE-2019-5436 CVE-2019-6454 CVE-2019-6454 CVE-2019-6706 CVE-2019-7150 CVE-2019-7665 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9936 CVE-2019-9937 SLE-3853 SLE-4117 SLE-5933 ----------------------------------------------------------------- The container caasp/v4/helm-tiller was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1223-1 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 Description: This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option (bsc#1096745). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1264-1 Released: Tue Jul 3 10:56:12 2018 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1086367 Description: This update for curl provides the following fix: - Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines. 
(bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1327-1 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Type: security Severity: moderate References: 1096718,CVE-2018-12015 Description: This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1346-1 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 Description: This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 Description: This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1362-1 Released: Thu Jul 19 12:47:33 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 Description: ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store.
(bsc#1100415) The following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1396-1 Released: Thu Jul 26 16:23:09 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1094735,1095148,943457,CVE-2017-7500 Description: This update for rpm fixes the following issues: This security vulnerability was fixed: - CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 Description: This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The "user" and "global" scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as "enabled" for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as "indirect" enablement. - install: Only consider names in Alias= as "enabling". - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple.
(bsc#1091265) - fileio: Support writing atomic files with timestamp. - fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1685-1 Released: Fri Aug 17 18:20:58 2018 Summary: Security update for curl Type: security Severity: moderate References: 1099793,CVE-2018-0500 Description: This update for curl fixes the following issues: Security issue fixed: - CVE-2018-0500: Fix an SMTP send heap buffer overflow (bsc#1099793). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1754-1 Released: Fri Aug 24 16:40:21 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 Description: This update for ca-certificates-mozilla fixes the following issues: Updated to the 2.26 state of the Mozilla NSS Certificate store.
(bsc#1104780) - removed server auth rights from the following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - new CA added: - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 Description: This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1904-1 Released: Fri Sep 14 12:46:39 2018 Summary: Security update for curl Type: security Severity: moderate References: 1086367,1106019,CVE-2018-14618 Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to openssl engine conflicts (bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 Description: This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest.
(bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2070-1 Released: Fri Sep 28 08:02:02 2018 Summary: Security update for gnutls Type: security Severity: moderate References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846 Description: This update for gnutls fixes the following security issues: - Improved mitigations against the Lucky 13 class of attacks - CVE-2018-10846: "Just in Time" PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460) - CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459) - CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437) - CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2083-1 Released: Sun Sep 30 14:06:33 2018 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1097158,1101470,CVE-2018-0732 Description: This update for openssl-1_1 to 1.1.0i fixes the following issues: These security issues were fixed: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a denial of service attack (bsc#1097158) - Make problematic ECDSA sign addition length-invariant - Add blinding to ECDSA and DSA signatures to protect against side channel attacks These non-security issues were fixed: - When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed. - Fixed a text canonicalisation bug in CMS - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2155-1 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Type: recommended Severity: moderate References: 1101470 Description: This update for ca-certificates fixes the following issues: - Changed "openssl" requirement to "openssl(cli)" (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2177-1 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1095661,1095670,1100488 Description: This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with "screen." (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670) - Fix a problem that could cause the hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. - Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, where setting the SIGINT handler to the default and typing ^C would cause the shell to exit.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2182-1 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2370-1 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1102310,1104531 Description: This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2487-1 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1102526 Description: This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. 
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2539-1 Released: Tue Oct 30 16:17:23 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1113100 Description: This update for rpm fixes the following issues: - On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 Description: This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2578-1 Released: Mon Nov 5 17:55:35 2018 Summary: Security update for curl Type: security Severity: moderate References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842 Description: This update for curl fixes the following issues: - CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758) - CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758) - CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of
systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if "missing ok" (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user at .service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make "tmpfs" dependencies on swapfs a "default" dep, not an "implicit" (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was 
wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in "systemctl is-active" (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type "notify" produced harmless DENIED log entries. (bsc#991901) - No longer adjust qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several bugs have been fixed, a number of new warnings have been added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 Description: This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed the IP address and subnet handling in pam_access.so, which was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove screen.xterm from the terminfo database, as with this screen uses the fallback TERM=screen (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 Description: This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 Description: This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross-Site Request Forgery (CSRF) vulnerability in dirmngr that can result in attacker-controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 Description: This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes.
(bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 Description: This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online.
(bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 Description: This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:189-1 Released: Mon Jan 28 14:14:46 2019 Summary: Recommended update for rpm Type: recommended Severity: moderate References: Description: This update for rpm fixes the following issues: - Add kmod(module) provides to kernel and KMPs (fate#326579). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 Description: This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:248-1 Released: Wed Feb 6 08:35:20 2019 Summary: Security update for curl Type: security Severity: important References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378). - CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377). - CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 Description: This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. 
(bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 Description: This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state "closing" (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceed - automount: don't pass non-blocking pipe to
kernel. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 Description: This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:664-1 Released: Wed Mar 20 14:54:12 2019 Summary: Recommended update for gpgme Type: recommended Severity: low References: 1121051 Description: This update for gpgme provides the following fix: - Re-generate keys in Qt tests to not expire.
(bsc#1121051) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 Description: This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages "GSSAPI client step 1". In the server context the connection is passed to the log function, but the client context carries no log level information, so there was no way to suppress DEBUG-level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 Description: This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 Description: This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 Description: This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 Description: This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle usable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 Description: This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:894-1 Released: Fri Apr 5 17:16:23 2019 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1119414,1126327,1129753,SLE-3853,SLE-4117 Description: This update for rpm fixes the following issues: - This update shortens RPM changelog to after a certain cut off date (bsc#1129753) - Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414). - Re-add symset-table from SLE 12 (bsc#1126327). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:903-1 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of the getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issues fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1002-1 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1110304,1129576 Description: This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1040-1 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Type: security Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 Description: This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put "results_store" into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependent 32bit libraries. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1121-1 Released: Tue Apr 30 18:02:43 2019 Summary: Security update for gnutls Type: security Severity: important References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836 Description: This update for gnutls to version 3.6.7 fixes the following issues: Security issues fixed: - CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681). - CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087) Non-security issue fixed: - Update gnutls to support TLS 1.3 (fate#327114) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 Description: This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1206-1 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Type: security Severity: low References: 985657,CVE-2016-3189 Description: This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1312-1 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1096191 Description: This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1351-1 Released: Fri May 24 14:41:10 2019 Summary: Security update for gnutls Type: security Severity: important References: 1118087,1134856,CVE-2018-16868 Description: This update for gnutls fixes the following issues: Security issue fixed: - CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087). Non-security issue fixed: - Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1357-1 Released: Mon May 27 13:29:15 2019 Summary: Security update for curl Type: security Severity: important References: 1135170,CVE-2019-5436 Description: This update for curl fixes the following issues: Security issue fixed: - CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet, which receives data from a TFTP server (bsc#1135170).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1364-1 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). - CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issues fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on "add" events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 Description: This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
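The CVE-2019-5021 fix in SUSE-SU-2019:1368-1 above is the kind of defect a base-image check should catch before an image ships: the difference between an empty password field in /etc/shadow (any password, including none, is accepted) and an invalidated one (a leading "!" or "*", so nothing matches). The example below is added here as such a check; it is not SUSE's code. The shadow lines, the account names and the hash value in it are constructed for the example, and the functions would be run against an /etc/shadow extracted from the image under review.

```python
"""
Classify /etc/shadow password fields so an image with a passwordless account
is flagged. Constructed example; the sample shadow files are made up.
"""
# '!' is what passwd -l / usermod -L prepend; '*' is conventional for
# accounts that must never match a password. Both are "invalidated".
LOCK_PREFIXES = ("!", "*")


def password_state(field: str) -> str:
    """Classify the second (hashed password) field of a shadow entry."""
    if field == "":
        return "empty"          # any password, including none, is accepted
    if field[0] in LOCK_PREFIXES:
        return "locked"         # invalidated: no password can match
    return "hashed"


def shadow_report(shadow_text: str) -> dict:
    """Map account name -> state for every well-formed entry in the file."""
    report = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue            # malformed line; skip rather than guess
        report[fields[0]] = password_state(fields[1])
    return report


def passwordless_accounts(shadow_text: str) -> list:
    """Accounts an image should never ship with, sorted for stable output."""
    return sorted(name for name, state in shadow_report(shadow_text).items()
                  if state == "empty")


def root_is_locked(shadow_text: str) -> bool:
    """True only if root exists and its password is invalidated."""
    return shadow_report(shadow_text).get("root") == "locked"


# Constructed sample files: the hash for 'svc' is a placeholder, not a real hash.
SAMPLE_BAD = """root::18000:0:99999:7:::
bin:*:18000:0:99999:7:::
svc:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:18000:0:99999:7:::
"""

SAMPLE_GOOD = """root:!:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
"""

if __name__ == "__main__":
    for label, sample in (("bad image", SAMPLE_BAD), ("good image", SAMPLE_GOOD)):
        print(label, "passwordless:", passwordless_accounts(sample),
              "root locked:", root_is_locked(sample))
```

Whether an empty field actually lets someone log in also depends on PAM (pam_unix only accepts it with nullok), so read "empty" as "ships without a password" and fix it regardless; an invalidated field stays safe whatever the PAM stack does.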
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1372-1 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1105435,CVE-2018-1000654 Description: This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1484-1 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 Description: This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1486-1 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Type: security Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 Description: This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the 
missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726) - CVE-2018-18521: Fixed a denial of service vulnerability in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007) From sle-updates at lists.suse.com Tue Jan 14 00:06:53 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 Jan 2020 08:06:53 +0100 (CET) Subject: SUSE-CU-2019:698-1: Recommended update of caasp/v4/helm-tiller Message-ID: <20200114070653.94ED4F79E@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/helm-tiller ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:698-1 Container Tags : caasp/v4/helm-tiller:2.8.2 , caasp/v4/helm-tiller:2.8.2-rev1 , caasp/v4/helm-tiller:2.8.2-rev1-build2.1 , caasp/v4/helm-tiller:beta Severity : moderate Type : recommended References : 1128598 ----------------------------------------------------------------- The container caasp/v4/helm-tiller was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1590-1 Released: Thu Jun 20 19:49:57 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1128598 Description: This update for permissions fixes the following issues: - Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598) From sle-updates at lists.suse.com Tue Jan 14 00:07:01 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 Jan 2020 08:07:01 +0100 (CET) Subject: SUSE-CU-2019:699-1: Security update of caasp/v4/helm-tiller Message-ID: <20200114070701.AFEB5F79E@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/helm-tiller ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:699-1 Container Tags : caasp/v4/helm-tiller:2.8.2 , caasp/v4/helm-tiller:2.8.2-rev2 , caasp/v4/helm-tiller:2.8.2-rev2-build1.1 , caasp/v4/helm-tiller:beta Severity : important Type : security References : 1107617 1117993 1123710 1124847 1127223 1127308 1131330 1133808 1134193 1134217 1135123 1135709 1137053 1138939 1139083 1139083 1141093 CVE-2009-5155 CVE-2019-12900 CVE-2019-12900 CVE-2019-12904 CVE-2019-13050 CVE-2019-9169 ----------------------------------------------------------------- The container caasp/v4/helm-tiller was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1631-1 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Type: recommended Severity: low References: 1135709 Description: This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1635-1 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1134217 Description: This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. (bsc#1134217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1700-1 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Type: recommended Severity: moderate References: 1134193 Description: This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1808-1 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1133808 Description: This update for libgcrypt fixes the following issues: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. 
bsc#1133808 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1846-1 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 Description: This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1853-1 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1107617,1137053 Description: This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1877-1 Released: Thu Jul 18 11:31:46 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 Description: This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). 
Non-security issues fixed: - No longer compresses debug sections in crt*.o files (bsc#1123710) - Fixes a concurrency problem in ldconfig (bsc#1117993) - Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1971-1 Released: Thu Jul 25 14:58:52 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1138939,CVE-2019-12904 Description: This update for libgcrypt fixes the following issues: Security issue fixed: - CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1994-1 Released: Fri Jul 26 16:12:05 2019 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1135123 Description: This update for libxml2 fixes the following issues: - Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2004-1 Released: Mon Jul 29 13:01:59 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 Description: This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2006-1 Released: Mon Jul 29 13:02:49 2019 Summary: Security update for gpg2 Type: security Severity: important References: 1124847,1141093,CVE-2019-13050 Description: This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed a denial of service via big keys (bsc#1141093).
Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847) From sle-updates at lists.suse.com Tue Jan 14 00:07:08 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 Jan 2020 08:07:08 +0100 (CET) Subject: SUSE-CU-2019:700-1: Recommended update of caasp/v4/helm-tiller Message-ID: <20200114070708.6D3BEF79E@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/helm-tiller ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:700-1 Container Tags : caasp/v4/helm-tiller:2.14.2 , caasp/v4/helm-tiller:2.14.2-rev2 , caasp/v4/helm-tiller:2.14.2-rev2-build1.6 , caasp/v4/helm-tiller:beta Severity : important Type : recommended References : 1097073 ----------------------------------------------------------------- The container caasp/v4/helm-tiller was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2097-1 Released: Fri Aug 9 09:31:17 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1097073 Description: This update for libgcrypt fixes the following issues: - Fixed a regression where systems were unable to boot in FIPS mode, caused by an incomplete implementation of a previous change (bsc#1097073). 
From sle-updates at lists.suse.com Tue Jan 14 00:07:14 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 Jan 2020 08:07:14 +0100 (CET) Subject: SUSE-CU-2019:701-1: Recommended update of caasp/v4/helm-tiller Message-ID: <20200114070714.E9CB2F79E@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/helm-tiller ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:701-1 Container Tags : caasp/v4/helm-tiller:2.14.2 , caasp/v4/helm-tiller:2.14.2-rev3 , caasp/v4/helm-tiller:2.14.2-rev3-build1.1 Severity : moderate Type : recommended References : 1136717 1137624 1140647 1141059 1141883 SLE-5807 ----------------------------------------------------------------- The container caasp/v4/helm-tiller was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2134-1 Released: Wed Aug 14 11:54:56 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1136717,1137624,1141059,SLE-5807 Description: This update for zlib fixes the following issues: - Update the s390 patchset. (bsc#1137624) - Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059) - Use FAT LTO objects in order to provide proper static library. - Do not enable the previous patchset on s390 but just s390x. (bsc#1137624) - Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2188-1 Released: Wed Aug 21 10:10:29 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1140647 Description: This update for aaa_base fixes the following issues: - Make systemd detection cgroup oblivious. 
(bsc#1140647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2218-1 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Type: recommended Severity: moderate References: 1141883 Description: This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) From sle-updates at lists.suse.com Tue Jan 14 00:07:21 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 Jan 2020 08:07:21 +0100 (CET) Subject: SUSE-CU-2020:12-1: Security update of caasp/v4/helm-tiller Message-ID: <20200114070721.0FF05F79E@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/helm-tiller ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:12-1 Container Tags : caasp/v4/helm-tiller:2.16.1 , caasp/v4/helm-tiller:2.16.1-rev3 , caasp/v4/helm-tiller:2.16.1-rev3-build3.9.1 Severity : important Type : security References : 1007715 1049825 1051143 1073313 1081947 1081947 1082293 1084934 1085196 1092100 1093414 1100838 1103320 1106214 1110797 1111388 1114592 1114845 1116995 1118897 1118898 1118899 1120629 1120630 1120631 1121197 1121753 1122417 1123919 1125886 1127155 1127608 1127701 1130306 1131113 1131823 1133773 1134226 1135254 1135534 1135708 1135749 1137977 1138869 1139459 1139795 1140039 1140631 1141113 1141897 1142649 1142654 1143055 1143194 1143273 1143813 1144047 1144065 1144169 1145023 1145521 1145554 1145716 1146027 1146415 1146415 1146866 1146947 1146991 1147142 1148517 1148987 1149145 1149495 1149496 1149511 1150003 1150137 1150250 1150595 1150734 1151023 1152101 1152755 1152861 1153351 1153557 1153936 1154019 1154036 1154037 1154295 1154871 1154884 1154887 1155199 1155338 1155339 1155346 1155810 1156646 1157198 1157278 1157775 1158095 1158101 1158809 353876 859480 CVE-2017-17740 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-20532 
CVE-2018-20533 CVE-2018-20534 CVE-2019-12290 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18224 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5481 CVE-2019-5482 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171 ----------------------------------------------------------------- The container caasp/v4/helm-tiller was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2241-1 Released: Wed Aug 28 14:58:49 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 Description: This update for ca-certificates-mozilla fixes the following issues: ca-certificates-mozilla was updated to the 2.34 state of the Mozilla NSS Certificate store (bsc#1144169) Removed CAs: - Certinomis - Root CA Includes new root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2307-1 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Type: security Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 Description: This update for util-linux and shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293). - De-duplicate fstrim -A properly (bsc#1127701). - Do not trim read-only volumes (bsc#1106214). 
- Integrate pam_keyinit pam module to login (bsc#1081947). - Perform one-time reset of /etc/default/su (bsc#1121197). - Fix problems in reading of login.defs values (bsc#1121197) - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). - agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - libmount: print a blacklist hint for "unknown filesystem type" (jsc#SUSE-4085, fate#326832) - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197). shadow: - Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197) - Fix segfault in useradd when setting the password inactivity period. (bsc#1141113) - Hardening for su wrappers (bsc#353876) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2361-1 Released: Thu Sep 12 07:54:54 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1081947,1144047 Description: This update for krb5 contains the following fixes: - Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2373-1 Released: Thu Sep 12 14:18:53 2019 Summary: Security update for curl Type: security Severity: important References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2019-5481: Fixed FTP-KRB double-free during Kerberos FTP data transfer (bsc#1149495). - CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2395-1 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). - CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). - Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2403-1 Released: Wed Sep 18 16:14:29 2019 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563 Description: This update for openssl-1_1 fixes the following issues: OpenSSL Security Advisory [10 September 2019] * CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. 
(bsc#1150003) * CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 Description: This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) The following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1150137,CVE-2019-16168 Description: This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2626-1 Released: Thu Oct 10 17:22:35 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1110797 Description: This update for permissions fixes the following issues: - Updated permissions for amanda. (bsc#1110797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 Description: This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. 
(bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) The following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). This non-security issue was also fixed: - Fix CPU summary showing old data. 
(bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert "Support running with child namespaces" * library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: don't use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch 
for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2742-1 Released: Tue Oct 22 15:40:16 2019 Summary: Recommended update for libzypp, zypper, libsolv and PackageKit Type: recommended Severity: important References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 Description: This update for libzypp, zypper, libsolv and PackageKit fixes the following issues: Security issues fixed in libsolv: - CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629). - CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630). - CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631). Other issues addressed in libsolv: - Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749). - Fixed an issue with the package name (bsc#1131823). 
- repo_add_rpmdb: do not copy bad solvables from the old solv file - Fixed an issue with cleandeps updates in which not all packages were updated - Experimental DISTTYPE_CONDA and REL_CONDA support - Fixed cleandeps jobs when using patterns (bsc#1137977) - Fixed favorq leaking between solver runs if the solver is reused - Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason - Be more correct with multiversion packages that obsolete their own name (bnc#1127155) - Fix repository priority handling for multiversion packages - Make code compatible with swig 4.0, remove obj0 instances - repo2solv: support zchunk compressed data - Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives Issues fixed in libzypp: - Fix empty metalink downloads if filesize is unknown (bsc#1153557) - Recognize riscv64 as architecture - Fix installation of new header file (fixes #185) - zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415) - New container detection algorithm for zypper ps (bsc#1146947) - Fix leaking filedescriptors in MediaCurl. (bsc#1116995) - Run file conflict check on dry-run. (bsc#1140039) - Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795) - Rephrase file conflict check summary. (bsc#1140039) - Fix bash completions option detection. (bsc#1049825) - Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521) - Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027) - PublicKey::algoName: supply key algorithm and length Issues fixed in zypper: - Update to version 1.14.30 - Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521) - Dump stacktrace on SIGPIPE (bsc#1145521) - info: The requested info must be shown in QUIET mode (fixes #287) - Fix local/remote url classification. 
- Rephrase file conflict check summary (bsc#1140039) - Fix bash completions option detection (bsc#1049825) - man: split '--with[out]' like options to ease searching. - Unhid 'ps' command in help - Added option to show more conflict information - Rephrased `zypper ps` hint (bsc#859480) - Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226) - Fixed unknown package handling in zypper install (bsc#1127608) - Re-show progress bar after pressing retry upon install error (bsc#1131113) Issues fixed in PackageKit: - Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 Description: This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 Description: This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart on an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. 
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 Description: This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 Description: This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all "screen(-xxx)?.yyy(-zzz)?" to "screen" as well as map "konsole(-xxx)?" and "gnome(-xxx)?" to "xterm" - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2980-1 Released: Thu Nov 14 22:45:33 2019 Summary: Optional update for curl Type: optional Severity: low References: 1154019 Description: This update for curl doesn't address any user visible issues. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3010-1 Released: Tue Nov 19 18:10:58 2019 Summary: Recommended update for zypper and libsolv Type: recommended Severity: moderate References: 1145554,1146415,1149511,1153351,SLE-9171 Description: This update for zypper and libsolv fixes the following issues: Package: zypper - Improved the documentation of $releasever and --releasever usescases (bsc#1149511) - zypper will now ask only once when multiple packages share the same license text (bsc#1145554) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351) - Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171) Package: libsolv - Fixes issues when updating too many packages in focusbest mode - Fixes the handling of disabled and installed packages in distupgrade ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 Description: This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper 
validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 Description: This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install "gcc9" or "gcc9-c++" or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 Description: This update for gpg2 provides the following fix: - Remove a build requirement on self. This was causing the Leap 15.2 bootstrap to fail. 
(bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 Description: This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 Description: This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 Description: This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystems. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 Description: This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for the urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. 
(bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 Description: This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused a segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 Description: This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 Description: This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added missing CMAC TDES self test (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 Description: This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-feature-2020:89-1 Released: Mon Jan 13 16:07:20 2020 Summary: Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658) Type: feature Severity: moderate References: 1100838,1118897,1118898,1118899,1143813,1144065,1146991,1147142,1152861,1155810,1156646 Description: = Required Actions == Skuba and helm update Instructions Update skuba and helm on your management workstation as you would do with any other package. 
Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup

[WARNING]
====
When running helm-init you may hit a link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the certificate validation]:

----
https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority
----

In order to fix this, run:

----
sudo update-ca-certificates
----
====

After updating helm to the latest version on the management host, you also have to upgrade the helm-tiller image in the cluster, by running:

----
helm init \
  --tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
  --service-account tiller --upgrade
----

== Update Your Kubernetes Manifests for Kubernetes 1.16.2:

Some API resources are moved to stable, while others have been moved to different groups or deprecated. The following will impact your deployment manifests:

* `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in `extensions/` (both `v1beta1` and `v1beta2`) are deprecated. Migrate to the `apps/v1` group instead for all those objects. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `policy/v1beta1` group for `PodSecurityPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `networking.k8s.io/v1` group for `NetworkPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `Ingress` in `extensions/v1beta1` is being phased out. Migrate to `networking.k8s.io/v1beta1` as soon as possible. This new API does not need other API fields to be updated and therefore only a path change is necessary.
* Custom resource definitions have moved from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.

Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.

= Documentation Updates

* Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images
* link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added instructions on how to replace {kube} certificates with custom CA certificate]
* link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex]
* link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added instructions for secured Tiller deployment]
* link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about unique `machine-id` requirement]
* link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added timezone configuration example for {ay}]
* link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various minor bugfixes and improvements]

= Known issue: skuba upgrade could not parse "Unknown" as version

====
Running "skuba node upgrade plan" might fail with the error "could not parse "Unknown" as version" when a worker, after running "skuba node upgrade apply", had not fully started yet.

If you are running into this issue, please add some delay after running "skuba node upgrade apply" and prior to running "skuba node upgrade plan".
This is tracked in link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]

From sle-updates at lists.suse.com Tue Jan 14 00:09:17 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 08:09:17 +0100 (CET)
Subject: SUSE-CU-2020:13-1: Security update of caasp/v4/hyperkube
Message-ID: <20200114070917.D2858F79E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/hyperkube
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:13-1
Container Tags        : caasp/v4/hyperkube:v1.16.2 , caasp/v4/hyperkube:v1.16.2-rev5 , caasp/v4/hyperkube:v1.16.2-rev5-build3.9.1
Severity              : important
Type                  : security
References            : 1007715 1049825 1051143 1073313 1081947 1081947 1082293 1082318 1084934 1085196 1092100 1093414 1100838 1103320 1106214 1110797 1111388 1114592 1114845 1116995 1118897 1118898 1118899 1120629 1120630 1120631 1121197 1121753 1122417 1122666 1123919 1125886 1127155 1127608 1127701 1128828 1129071 1130306 1131113 1131823 1132663 1132767 1132900 1133773 1134226 1134444 1135254 1135534 1135584 1135708 1135749 1135984 1137131 1137132 1137189 1137296 1137503 1137977 1138869 1139459 1139795 1140039 1140491 1140601 1140631 1141113 1141174 1141322 1141897 1142614 1142649 1142654 1143055 1143194 1143273 1143813 1144047 1144065 1145023 1145093 1145231 1145521 1145554 1145617 1145618 1145716 1145759 1146027 1146415 1146415 1146656 1146866 1146947 1146991 1147132 1147142 1148244 1148517 1148987 1149093 1149121 1149145 1149429 1149495 1149496 1149511 1149792 1149955 1150003 1150137 1150250 1150406 1150595 1150734 1150895 1151023 1151439 1151490 1151990 1151991 1151992 1151993 1151994 1151995 1152002 1152101 1152755 1152861 1153238 1153351 1153557 1153936 1154019 1154036 1154037 1154295 1154871 1154884 1154887 1155199 1155338 1155339 1155346 1155668 1155810 1156282 1156646 1157198 1157278 1157775 1157891 1158095 1158101 1158527 1158809 1159819 353876 859480 CVE-2017-17740
CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-18508 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2019-10222 CVE-2019-11236 CVE-2019-11324 CVE-2019-11745 CVE-2019-12290 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-15903 CVE-2019-16056 CVE-2019-16168 CVE-2019-16935 CVE-2019-17006 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18224 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5481 CVE-2019-5482 CVE-2019-9740 CVE-2019-9893 PM-1350 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171 SLE-9426
-----------------------------------------------------------------

The container caasp/v4/hyperkube was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

Description:
This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for "unknown filesystem type" (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2332-1
Released: Mon Sep 9 10:17:16 2019
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1129071,1132663,1132900,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740

Description:
This update for python-urllib3 fixes the following issues:

Security issues fixed:

- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificate verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

Description:
This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d.
(bsc#1081947)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2367-1
Released: Thu Sep 12 12:59:37 2019
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1122666,1135984,1137296

Description:
This update for lvm2 fixes the following issues:

- Fix unknown feature in status message (bsc#1135984)
- Fix using device aliases with lvmetad (bsc#1137296)
- Fix devices drop open error message (bsc#1122666)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482

Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2394-1
Released: Tue Sep 17 22:39:07 2019
Summary: Recommended update for ceph
Type: recommended
Severity: important
References: 1137189

Description:
This update for ceph fixes the following issues:

- rgw: Move upload_info declaration out of conditional. (bsc#1137189)
- rgw: asio: Check the remote endpoint before processing requests.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

Description:
This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

Description:
This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance.
(bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2422-1
Released: Fri Sep 20 16:36:43 2019
Summary: Recommended update for python-urllib3
Type: recommended
Severity: moderate
References: 1150895

Description:
This update for python-urllib3 fixes the following issues:

- Add missing dependency on python-six (bsc#1150895)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

Description:
This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

The following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2429-1
Released: Mon Sep 23 09:28:40 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1149429,CVE-2019-15903

Description:
This update for expat fixes the following issues:

Security issues fixed:

- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input.
(bsc#1149429)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2517-1
Released: Wed Oct 2 10:49:20 2019
Summary: Security update for libseccomp
Type: security
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893

Description:
This update for libseccomp fixes the following issues:

Security issues fixed:

- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)

libseccomp was updated to new upstream release 2.4.1:

- Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.

libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates

libseccomp was updated to release 2.3.3:

- Updated the syscall table for Linux v4.15-rc7
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797

Description:
This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

Description:
This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2681-1
Released: Tue Oct 15 22:01:40 2019
Summary: Recommended update for libdb-4_8
Type: recommended
Severity: moderate
References: 1148244

Description:
This update for libdb-4_8 fixes the following issues:

- Add off-page deadlock patch as found and documented by Red Hat. (bsc#1148244)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

Description:
This update for procps fixes the following issues:

procps was updated to 3.3.15.
(bsc#1092100)

The following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data.
(bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert "Support running with child namespaces"
* library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2736-1
Released: Tue Oct 22 11:07:31 2019
Summary: Security update for ceph, ceph-iscsi, ses-manual_en
Type: security
Severity: moderate
References: 1132767,1134444,1135584,1137503,1140491,1141174,1145093,1145617,1145618,1145759,1146656,1147132,1149093,1150406,1151439,1151990,1151991,1151992,1151993,1151994,1151995,1152002,CVE-2019-10222

Description:
This update for ceph, ceph-iscsi and ses-manual_en fixes the following issues:

Security issues fixed:

- CVE-2019-10222: Fixed RGW crash caused by unauthenticated clients. (bsc#1145093)

Non-security issues fixed:

- ceph-volume: prints errors to stdout with --format json (bsc#1132767)
- mgr/dashboard: Changing rgw-api-host does not get effective without disable/enable dashboard mgr module (bsc#1137503)
- mgr/dashboard: Silence Alertmanager alerts (bsc#1141174)
- mgr/dashboard: Fix e2e failures caused by webdriver version (bsc#1145759)
- librbd: always try to acquire exclusive lock when removing image (bsc#1149093)
- The no{up,down,in,out} related commands have been revamped (bsc#1151990)
- radosgw-admin gets two new subcommands for managing expire-stale objects.
(bsc#1151991)
- Deploying a single new BlueStore OSD on a cluster upgraded to SES6 from SES5 breaks pool utilization stats reported by ceph df (bsc#1151992)
- Ceph cluster will no longer issue a health warning if CRUSH tunables are older than "hammer" (bsc#1151993)
- Nautilus-based librbd clients can not open images on Jewel clusters (bsc#1151994)
- The RGW num_rados_handles has been removed in Ceph 14.2.3 (bsc#1151995)
- "osd_deep_scrub_large_omap_object_key_threshold" has been lowered in Nautilus 14.2.3 (bsc#1152002)
- Support iSCSI target-level CHAP authentication (bsc#1145617)
- Validation and render of iSCSI controls based on "type" (bsc#1140491)
- Fix error editing iSCSI image advanced settings (bsc#1146656)
- Fix error during iSCSI target edit

Fixes in ses-manual_en:

- Added a new chapter with changelogs of Ceph releases. (bsc#1135584)
- Rewrote rolling updates and replaced running stage.0 with manual commands to prevent infinite loop. (bsc#1134444)
- Improved name of CaaSP to its fuller version. (bsc#1151439)
- Verify which OSDs are going to be removed before running stage.5. (bsc#1150406)
- Added two additional steps to recovering an OSD.
(bsc#1147132)

Fixes in ceph-iscsi:

- Validate kernel LIO controls type and value (bsc#1140491)
- TPG lun_id persistence (bsc#1145618)
- Target level CHAP authentication (bsc#1145617)

ceph-iscsi was updated to the upstream 3.2 release:

- Always use host FQDN instead of shortname
- Validate min/max value for target controls and rbd:user/tcmu-runner image controls (bsc#1140491)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534

Description:
This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which not all packages were updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:

- Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543

Description:
This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2802-1
Released: Tue Oct 29 11:39:05 2019
Summary: Security update for python3
Type: security
Severity: moderate
References: 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426

Description:
This update for python3 to 3.6.9 fixes the following issues:

Security issues fixed:

- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).

Non-security issues fixed:

- Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490)
- Improved locale handling by implementing PEP 538.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687

Description:
This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023

Description:
This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it.
(bsc#1051143)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055

Description:
This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all "screen(-xxx)?.yyy(-zzz)?" to "screen" as well as map "konsole(-xxx)?" and "gnome(-xxx)?" to "xterm"
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019

Description:
This update for curl doesn't address any user visible issues.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2990-1
Released: Mon Nov 18 09:35:01 2019
Summary: Recommended update for ceph
Type: recommended
Severity: important
References: 1156282

Description:
This update for ceph fixes the following issue:

- A previous update introduced a regression with the potential to cause RocksDB data corruption in Nautilus (bsc#1156282).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

Description:
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released:    Tue Nov 19 18:10:58 2019
Summary:     Recommended update for zypper and libsolv
Type:        recommended
Severity:    moderate
References:  1145554,1146415,1149511,1153351,SLE-9171
Description:

This update for zypper and libsolv fixes the following issues:

Package: zypper

- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define the system-wide focus mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow specifying a repository (jsc#SLE-9171)

Package: libsolv

- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3040-1
Released:    Fri Nov 22 11:59:52 2019
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1145231
Description:

This update for lvm2 fixes the following issues:

- Adds a fix to detect MD devices with metadata=1.0/0.9 in LVM2 (bsc#1145231)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released:    Mon Nov 25 17:33:07 2019
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1155199,CVE-2019-14866
Description:

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function, which could have led to unexpected TAR generation (bsc#1155199).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released:    Mon Nov 25 17:34:22 2019
Summary:     Security update for gcc9
Type:        security
Severity:    moderate
References:  1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
Description:

This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install "gcc9", "gcc9-c++" or the other compiler packages and set CC=gcc-9 / CXX=g++-9 during configuration.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out the libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation of vector shifts on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released:    Tue Nov 26 12:39:29 2019
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    low
References:  1152755
Description:

This update for gpg2 provides the following fix:

- Remove a build requirement on itself, which caused the Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released:    Thu Nov 28 10:02:24 2019
Summary:     Security update for libidn2
Type:        security
Severity:    moderate
References:  1154884,1154887,CVE-2019-12290,CVE-2019-18224
Description:

This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released:    Thu Nov 28 10:03:00 2019
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1123919
Description:

This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released:    Fri Nov 29 14:41:35 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1154295
Description:

This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystems. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released:    Wed Dec 4 11:24:42 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1007715,1084934,1157278
Description:

This update for aaa_base fixes the following issues:

- Use the official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missing key escape sequences for the urxvt-unicode terminal as well. (bsc#1007715)
- Clear a broken ghost entry in a patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released:    Thu Dec 5 11:43:07 2019
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
Description:

This update for permissions fixes the following issues:

- CVE-2019-3688: Changed the wrong ownership of /usr/sbin/pinger to root:squid; the previous ownership could have allowed the squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released:    Tue Dec 10 10:40:19 2019
Summary:     Recommended update for ca-certificates-mozilla, p11-kit
Type:        recommended
Severity:    moderate
References:  1154871
Description:

This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- export correct p11-kit trust attributes so Firefox detects built-in certificates (bsc#1154871).

Changes in p11-kit:

- support loading the NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built-in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released:    Wed Dec 11 11:19:53 2019
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
Description:

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3343-1
Released:    Thu Dec 19 11:05:27 2019
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1155668
Description:

This update for lvm2 fixes the following issues:

- Fix a 90 second delay seen during shutdown and reboot. (bsc#1155668)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released:    Fri Dec 27 13:33:29 2019
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1148987,1155338,1155339,CVE-2019-13627
Description:

This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added CMAC AES self test (bsc#1155339).
- Added missing CMAC TDES self test (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3395-1
Released:    Mon Dec 30 14:05:06 2019
Summary:     Security update for mozilla-nspr, mozilla-nss
Type:        security
Severity:    moderate
References:  1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
Description:

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.47.1:

Security issues fixed:

- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed an issue where NSS could be made to sign CertificateVerify with PKCS#1 v1.5 signatures (bsc#1141322).

mozilla-nspr was updated to version 4.23:

- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:27-1
Released:    Tue Jan 7 14:47:07 2020
Summary:     Recommended update for rdma-core
Type:        recommended
Severity:    moderate
References:  1137131,1137132,1140601,1157891
Description:

This update for rdma-core fixes the following issues:

- Add Broadcom fixes for libbnxtre. (bsc#1157891)
- Disable libmlx dependencies for libibverbs on 32-bit s390x. (bsc#1140601)
- Fix the baselibs configuration, removing the conflict with -32b and older (early rdma-core) libraries.
- Add missing Obsoletes/Conflicts/Provides to handle updates from SP2. (bsc#1137131, bsc#1137132)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released:    Fri Jan 10 12:33:59 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
Description:

This update for openssl-1_1 fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Various FIPS related improvements were done:

- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:89-1
Released:    Mon Jan 13 16:07:20 2020
Summary:     Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
Type:        feature
Severity:    moderate
References:  1100838,1118897,1118898,1118899,1143813,1144065,1146991,1147142,1152861,1155810,1156646
Description:

= Required Actions

== Skuba and helm update Instructions

Update skuba and helm on your management workstation as you would do with any other package.
Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup

[WARNING]
====
When running helm init you may hit a link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the certificate validation]:

----
https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority
----

In order to fix this, run:

----
sudo update-ca-certificates
----
====

After updating helm to the latest version on the management host, you also have to upgrade the helm-tiller image in the cluster by running:

----
helm init \
  --tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
  --service-account tiller --upgrade
----

== Update Your Kubernetes Manifests for Kubernetes 1.16.2

Some API resources have moved to stable, while others have been moved to different groups or deprecated. The following will impact your deployment manifests:

* `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in `extensions/` (both `v1beta1` and `v1beta2`) are deprecated. Migrate all of these objects to the `apps/v1` group instead. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `policy/v1beta1` group for `PodSecurityPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `networking.k8s.io/v1` group for `NetworkPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `Ingress` in `extensions/v1beta1` is being phased out. Migrate to `networking.k8s.io/v1beta1` as soon as possible. This new API does not require changes to any other fields, so only the API path needs to change.
* Custom resource definitions have moved from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.

Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.

= Documentation Updates

* Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images
* link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added instructions on how to replace {kube} certificates with a custom CA certificate]
* link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex]
* link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added instructions for a secured Tiller deployment]
* link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about the unique `machine-id` requirement]
* link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added a timezone configuration example for {ay}]
* link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various minor bugfixes and improvements]

= Known issue: skuba upgrade could not parse "Unknown" as version

====
Running "skuba node upgrade plan" might fail with the error "could not parse "Unknown" as version" when a worker, after running "skuba node upgrade apply", has not fully started yet. If you are running into this issue, please add some delay after running "skuba node upgrade apply" and prior to running "skuba node upgrade plan".
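The manifest migration list for Kubernetes 1.16 above, turned into a pre-upgrade check, as an added example that is not part of the SUSE advisory or of any SUSE tool. It scans a multi-document manifest for the (kind, apiVersion) pairs the notes say to migrate, rewrites only `Ingress` in place (the one case the notes say needs just a path change) and reports the rest for `kubectl convert`; the sample manifest is constructed, and the `apps/v1beta1` and `apps/v1beta2` entries are an addition beyond the notes.

```python
"""Scan Kubernetes manifests for API groups removed or deprecated in 1.16.

Added example, not part of the SUSE advisory and not a SUSE tool. The table
encodes the moves listed in the release notes. Only Ingress is rewritten in
place; every other kind changed its schema and is reported for `kubectl convert`.
"""
import re
from typing import Dict, List, Tuple

# (kind, old apiVersion) -> (new apiVersion, path_only)
MIGRATIONS: Dict[Tuple[str, str], Tuple[str, bool]] = {}
for _kind in ("DaemonSet", "Deployment", "StatefulSet", "ReplicaSet"):
    # extensions/v1beta1 and v1beta2 come from the notes; apps/v1beta1 and
    # apps/v1beta2 were removed in 1.16 as well (an addition beyond the notes).
    for _old in ("extensions/v1beta1", "extensions/v1beta2",
                 "apps/v1beta1", "apps/v1beta2"):
        MIGRATIONS[(_kind, _old)] = ("apps/v1", False)
MIGRATIONS[("PodSecurityPolicy", "extensions/v1beta1")] = ("policy/v1beta1", False)
MIGRATIONS[("NetworkPolicy", "extensions/v1beta1")] = ("networking.k8s.io/v1", False)
MIGRATIONS[("Ingress", "extensions/v1beta1")] = ("networking.k8s.io/v1beta1", True)
MIGRATIONS[("CustomResourceDefinition", "apiextensions.k8s.io/v1beta1")] = (
    "apiextensions.k8s.io/v1", False)

_DOC_SEP = re.compile(r"^---[ \t]*$", re.MULTILINE)
# Only unindented keys count, so a nested 'kind:' (e.g. a CRD's spec.names.kind)
# cannot be mistaken for the object's own kind.
_TOP_KEY = re.compile(r"^(apiVersion|kind):[ \t]*['\"]?([^'\"#\s]+)", re.MULTILINE)
_NAME = re.compile(
    r"^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*['\"]?([^'\"#\s]+)",
    re.MULTILINE)


def split_documents(text: str) -> List[str]:
    """Split a multi-document manifest on top-level '---' lines, dropping empty ones."""
    return [doc for doc in _DOC_SEP.split(text) if doc.strip()]


def describe(doc: str) -> Dict[str, str]:
    """Return the top-level apiVersion, kind and metadata.name of one document."""
    fields = dict(_TOP_KEY.findall(doc))
    match = _NAME.search(doc)
    fields["name"] = match.group(1) if match else "<unnamed>"
    return fields


def find_deprecated(text: str) -> List[Dict[str, str]]:
    """One finding per document whose (kind, apiVersion) is in MIGRATIONS."""
    findings = []
    for index, doc in enumerate(split_documents(text)):
        info = describe(doc)
        key = (info.get("kind", ""), info.get("apiVersion", ""))
        if key in MIGRATIONS:
            new_version, path_only = MIGRATIONS[key]
            findings.append({
                "document": str(index), "kind": key[0], "name": info["name"],
                "old": key[1], "new": new_version,
                "action": "rewrite apiVersion" if path_only
                          else "run kubectl convert (other fields changed)",
            })
    return findings


def migrate_path_only(text: str) -> str:
    """Rewrite apiVersion in place only where the notes say just the path changed.

    Kinds whose schema changed are left untouched on purpose: a blind apiVersion
    rewrite would yield manifests the 1.16 API server rejects.
    """
    out = []
    for doc in split_documents(text):
        info = describe(doc)
        migration = MIGRATIONS.get((info.get("kind", ""), info.get("apiVersion", "")))
        if migration and migration[1]:
            doc = re.sub(r"^apiVersion:.*$", "apiVersion: " + migration[0],
                         doc, count=1, flags=re.MULTILINE)
        out.append(doc)
    return "---\n".join(out)


# Constructed sample manifest (not taken from any real cluster).
SAMPLE_MANIFEST = """\
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: web
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: widgets.example.com
spec:
  names:
    kind: Widget
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: already-migrated
"""

if __name__ == "__main__":
    for f in find_deprecated(SAMPLE_MANIFEST):
        print(f"doc {f['document']}: {f['kind']}/{f['name']} {f['old']} -> {f['new']}: {f['action']}")
```

Run it against `kubectl get ... -o yaml` output or the manifests in your repository before upgrading; it reads plain text, so no YAML library is needed.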
This is tracked in link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]

From sle-updates at lists.suse.com Tue Jan 14 00:44:36 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 08:44:36 +0100 (CET)
Subject: SUSE-CU-2020:14-1: Security update of caasp/v4/kured
Message-ID: <20200114074436.CBCBCF796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/kured
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:14-1
Container Tags        : caasp/v4/kured:1.2.0 , caasp/v4/kured:1.2.0-rev4 , caasp/v4/kured:1.2.0-rev4-build3.9.1
Severity              : important
Type                  : security
References            : 1007715 1049825 1051143 1073313 1081947 1081947 1082293 1084934 1085196 1092100 1093414 1100838 1103320 1106214 1110797 1111388 1114592 1114845 1116995 1118897 1118898 1118899 1120629 1120630 1120631 1121197 1121753 1122417 1123919 1125886 1127155 1127608 1127701 1130306 1131113 1131823 1133773 1134226 1135254 1135534 1135708 1135749 1137977 1138869 1139459 1139795 1140039 1140631 1141113 1141897 1142649 1142654 1143055 1143194 1143273 1143813 1144047 1144065 1145023 1145521 1145554 1145716 1146027 1146415 1146415 1146866 1146947 1146991 1147142 1148517 1148987 1149145 1149495 1149496 1149511 1150003 1150137 1150250 1150595 1150734 1151023 1152101 1152755 1152861 1153351 1153557 1153936 1154019 1154036 1154037 1154295 1154871 1154884 1154887 1155199 1155338 1155339 1155346 1155810 1156646 1157198 1157278 1157775 1158095 1158101 1158809 353876 CVE-2017-17740 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2019-12290 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18224 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5481 CVE-2019-5482 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171
-----------------------------------------------------------------

The container caasp/v4/kured was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released:    Thu Sep 5 14:45:08 2019
Summary:     Security update for util-linux and shadow
Type:        security
Severity:    moderate
References:  1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876
Description:

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate the pam_keyinit pam module into login (bsc#1081947).
- Perform a one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return the previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for "unknown filesystem type" (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd when setting the password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released:    Thu Sep 12 07:54:54 2019
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1081947,1144047
Description:

This update for krb5 contains the following fixes:

- Integrate the pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released:    Thu Sep 12 14:18:53 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1149495,1149496,CVE-2019-5481,CVE-2019-5482
Description:

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed an FTP-KRB double-free during Kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed a TFTP small-blocksize heap buffer overflow (bsc#1149496).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released:    Wed Sep 18 08:31:38 2019
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565
Description:

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed a broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during the initial start to allow for transactional updates (bsc#1111388)
- Fixed an incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released:    Wed Sep 18 16:14:29 2019
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1150003,1150250,CVE-2019-1547,CVE-2019-1563
Description:

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed a Bleichenbacher attack against the cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released:    Fri Sep 20 16:41:45 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1146866,SLE-9132
Description:

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

The following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released:    Thu Oct 3 15:02:50 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1150137,CVE-2019-16168
Description:

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of the sqlite_stat1 field that could lead to denial of service (bsc#1150137).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released:    Thu Oct 10 17:22:35 2019
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1110797
Description:

This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released:    Tue Oct 15 21:06:54 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1145716,1152101,CVE-2019-5094
Description:

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released:    Mon Oct 21 16:04:57 2019
Summary:     Security update for procps
Type:        security
Severity:    important
References:  1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

The following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via an mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent a stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert "Support running with child namespaces"
* library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released:    Tue Oct 22 15:40:16 2019
Summary:     Recommended update for libzypp, zypper, libsolv and PackageKit
Type:        recommended
Severity:    important
References:  1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Description:

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed a NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed an illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which not all packages were updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if the filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking file descriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid the 'ps' command in help
- Added an option to show more conflict information
- Rephrased the `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:

- Port the cron configuration variables to the systemd timer script, and add the -sendwait parameter to mail in the script (bsc#1130306).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released:    Wed Oct 23 17:21:17 2019
Summary:     Security update for lz4
Type:        security
Severity:    moderate
References:  1153936,CVE-2019-17543
Description:

This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released:    Tue Oct 29 14:57:55 2019
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1140631,1145023,1150595,SLE-7687
Description:

This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart on an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in the generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so the /usr/share/polkit-1/rules.d subdir can be owned only by polkit. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released:    Thu Oct 31 08:09:14 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1051143,1138869,1151023
Description:

This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released:    Thu Nov 14 11:53:03 2019
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1133773,1143055
Description:

This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all "screen(-xxx)?.yyy(-zzz)?" to "screen", and map "konsole(-xxx)?" and "gnome(-xxx)?" to "xterm"
- Add a backport from bash 5.0 to perform better with large numbers of sub-processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released:    Thu Nov 14 22:45:33 2019
Summary:     Optional update for curl
Type:        optional
Severity:    low
References:  1154019
Description:

This update for curl doesn't address any user-visible issues.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released:    Mon Nov 18 15:16:38 2019
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
Description:

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from the terminfo database (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released:    Tue Nov 19 18:10:58 2019
Summary:     Recommended update for zypper and libsolv
Type:        recommended
Severity:    moderate
References:  1145554,1146415,1149511,1153351,SLE-9171
Description:
This update for zypper and libsolv fixes the following issues:

Package: zypper

- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow specifying a repository (jsc#SLE-9171)

Package: libsolv

- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released:    Mon Nov 25 17:33:07 2019
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1155199,CVE-2019-14866
Description:
This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released:    Mon Nov 25 17:34:22 2019
Summary:     Security update for gcc9
Type:        security
Severity:    moderate
References:  1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
Description:
This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on:

https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install "gcc9" or "gcc9-c++" or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released:    Tue Nov 26 12:39:29 2019
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    low
References:  1152755
Description:
This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released:    Thu Nov 28 10:02:24 2019
Summary:     Security update for libidn2
Type:        security
Severity:    moderate
References:  1154884,1154887,CVE-2019-12290,CVE-2019-18224
Description:
This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released:    Thu Nov 28 10:03:00 2019
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1123919
Description:
This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released:    Fri Nov 29 14:41:35 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1154295
Description:
This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystems. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released:    Wed Dec 4 11:24:42 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1007715,1084934,1157278
Description:
This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released:    Thu Dec 5 11:43:07 2019
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
Description:
This update for permissions fixes the following issues:

- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released:    Tue Dec 10 10:40:19 2019
Summary:     Recommended update for ca-certificates-mozilla, p11-kit
Type:        recommended
Severity:    moderate
References:  1154871
Description:
This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

Changes in p11-kit:

- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released:    Wed Dec 11 11:19:53 2019
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
Description:
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released:    Fri Dec 27 13:33:29 2019
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1148987,1155338,1155339,CVE-2019-13627
Description:
This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added CMAC AES self test (bsc#1155339).
- Added missing CMAC TDES self test (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released:    Fri Jan 10 12:33:59 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
Description:
This update for openssl-1_1 fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Various FIPS related improvements were done:

- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2020:89-1
Released:    Mon Jan 13 16:07:20 2020
Summary:     Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
Type:        feature
Severity:    moderate
References:  1100838,1118897,1118898,1118899,1143813,1144065,1146991,1147142,1152861,1155810,1156646
Description:
= Required Actions

== Skuba and helm update Instructions

Update skuba and helm on your management workstation as you would do with any other package.
Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup

[WARNING]
====
When running helm-init you may hit a link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the certificate validation]:

----
https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority
----

In order to fix this, run:

----
sudo update-ca-certificates
----
====

After updating helm to latest version on the management host, you have to also upgrade the helm-tiller image in the cluster, by running:

----
helm init \
  --tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
  --service-account tiller --upgrade
----

== Update Your Kubernetes Manifests for Kubernetes 1.16.2:

Some API resources are moved to stable, while others have been moved to different groups or deprecated. The following will impact your deployment manifests:

* `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in `extensions/` (both `v1beta1` and `v1beta2`) are deprecated. Migrate to the `apps/v1` group instead for all those objects. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `policy/v1beta1` group for `PodSecurityPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `networking.k8s.io/v1` group for `NetworkPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
* `Ingress` in `extensions/v1beta1` is being phased out. Migrate to `networking.k8s.io/v1beta1` as soon as possible. This new API does not need to update other API fields and therefore only a path change is necessary.
* Custom resource definitions have moved from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.

Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.

= Documentation Updates

* Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images
* link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added instructions on how to replace {kube} certificates with custom CA certificate]
* link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex]
* link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added instructions for secured Tiller deployment]
* link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about unique `machine-id` requirement]
* link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added timezone configuration example for {ay}]
* link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various minor bugfixes and improvements]

= Known issue: skuba upgrade could not parse "Unknown" as version

====
Running "skuba node upgrade plan" might fail with the error "could not parse "Unknown" as version" when a worker, after running "skuba node upgrade apply", had not fully started yet. If you are running into this issue, please add some delay after running "skuba node upgrade apply" and prior to running "skuba node upgrade plan".
This is tracked in link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]

From sle-updates at lists.suse.com Tue Jan 14 08:00:37 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 16:00:37 +0100 (CET)
Subject: SUSE-RU-2020:0094-1: important: Recommended update for icu
Message-ID: <20200114150037.85BAFF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for icu
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0094-1
Rating:             important
References:         #1103893 #1146907
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for icu fixes the following issues:

   - Porting upstream's Japanese new era name support. (bsc#1103893, fate#325570, fate#325419)
   - Remove old obsoletes/provides for migration from very old products, as they break our shared library policy. (bsc#1146907)
   - IMPORTANT: Please force this update to install with 'zypper -f' to override the major version if you already installed the version 64.

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-94=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-94=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-94=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-94=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): icu-60.2-3.3.1 icu-debuginfo-60.2-3.3.1 icu-debugsource-60.2-3.3.1 libicu-doc-60.2-3.3.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libicu-devel-32bit-60.2-3.3.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): icu-60.2-3.3.1 icu-debuginfo-60.2-3.3.1 icu-debugsource-60.2-3.3.1 libicu-doc-60.2-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): icu-debuginfo-60.2-3.3.1 icu-debugsource-60.2-3.3.1 libicu-devel-60.2-3.3.1 libicu60_2-60.2-3.3.1 libicu60_2-debuginfo-60.2-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): libicu60_2-bedata-60.2-3.3.1 libicu60_2-ledata-60.2-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): icu-debuginfo-60.2-3.3.1 icu-debugsource-60.2-3.3.1 libicu-devel-60.2-3.3.1 libicu60_2-60.2-3.3.1 libicu60_2-debuginfo-60.2-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): libicu60_2-bedata-60.2-3.3.1 libicu60_2-ledata-60.2-3.3.1 References: https://bugzilla.suse.com/1103893 https://bugzilla.suse.com/1146907 From sle-updates at lists.suse.com Tue Jan 14 07:11:59 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 14 
Jan 2020 15:11:59 +0100 (CET) Subject: SUSE-SU-2020:0093-1: important: Security update for the Linux Kernel Message-ID: <20200114141159.C4EE3F796@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0093-1 Rating: important References: #1046299 #1046303 #1046305 #1048942 #1050244 #1050536 #1050545 #1051510 #1055117 #1055186 #1061840 #1064802 #1065600 #1065729 #1066129 #1071995 #1073513 #1078248 #1082555 #1082635 #1083647 #1086323 #1087092 #1089644 #1090631 #1090888 #1091041 #1093205 #1096254 #1097583 #1097584 #1097585 #1097586 #1097587 #1097588 #1098291 #1101674 #1103989 #1103990 #1103991 #1104353 #1104427 #1104745 #1104967 #1106434 #1108043 #1108382 #1109158 #1109837 #1111666 #1112178 #1112374 #1113722 #1113956 #1113994 #1114279 #1115026 #1117169 #1117665 #1118661 #1119086 #1119113 #1119461 #1119465 #1120853 #1120902 #1122363 #1123034 #1123080 #1123105 #1126206 #1126390 #1127155 #1127354 #1127371 #1127611 #1127988 #1129770 #1131107 #1131304 #1131489 #1133140 #1134476 #1134973 #1134983 #1135642 #1135854 #1135873 #1135966 #1135967 #1136261 #1137040 #1137069 #1137223 #1137236 #1137799 #1137861 #1137865 #1137959 #1137982 #1138039 #1138190 #1139073 #1140090 #1140155 #1140729 #1140845 #1140883 #1140948 #1141013 #1141340 #1141543 #1142076 #1142095 #1142635 #1142667 #1142924 #1143706 #1143959 #1144333 #1144338 #1144375 #1144449 #1144653 #1144903 #1145099 #1145661 #1146042 #1146519 #1146544 #1146612 #1146664 #1148133 #1148410 #1148712 #1148859 #1148868 #1149083 #1149119 #1149224 #1149446 #1149448 #1149555 #1149652 #1149713 #1149853 #1149940 #1149959 #1149963 #1149976 #1150025 #1150033 #1150112 #1150305 #1150381 #1150423 #1150452 #1150457 #1150465 #1150466 #1150562 #1150727 #1150846 #1150860 #1150861 #1150875 #1150933 #1151021 #1151067 #1151192 #1151225 #1151350 #1151508 #1151548 #1151610 #1151661 #1151662 #1151667 #1151671 #1151680 
#1151807 #1151891 #1151900 #1151910 #1151955 #1152024 #1152025 #1152026 #1152033 #1152107 #1152161 #1152187 #1152325 #1152446 #1152457 #1152460 #1152466 #1152497 #1152505 #1152506 #1152525 #1152624 #1152631 #1152665 #1152685 #1152696 #1152697 #1152782 #1152788 #1152790 #1152791 #1152885 #1152972 #1152974 #1152975 #1153108 #1153112 #1153158 #1153236 #1153263 #1153476 #1153509 #1153607 #1153628 #1153646 #1153681 #1153713 #1153717 #1153718 #1153719 #1153811 #1153969 #1154043 #1154048 #1154058 #1154108 #1154124 #1154189 #1154242 #1154244 #1154268 #1154354 #1154355 #1154372 #1154521 #1154526 #1154578 #1154601 #1154607 #1154608 #1154610 #1154611 #1154651 #1154737 #1154768 #1154848 #1154858 #1154905 #1154916 #1154956 #1154959 #1155021 #1155061 #1155178 #1155179 #1155184 #1155186 #1155331 #1155334 #1155671 #1155689 #1155692 #1155812 #1155817 #1155836 #1155897 #1155921 #1155945 #1156187 #1156258 #1156259 #1156286 #1156429 #1156462 #1156466 #1156471 #1156494 #1156609 #1156700 #1156729 #1156882 #1156928 #1157032 #1157038 #1157042 #1157044 #1157045 #1157046 #1157049 #1157070 #1157115 #1157143 #1157145 #1157158 #1157160 #1157162 #1157169 #1157171 #1157173 #1157178 #1157180 #1157182 #1157183 #1157184 #1157191 #1157193 #1157197 #1157298 #1157303 #1157304 #1157307 #1157324 #1157333 #1157386 #1157424 #1157463 #1157499 #1157678 #1157698 #1157778 #1157853 #1157895 #1157908 #1158021 #1158049 #1158063 #1158064 #1158065 #1158066 #1158067 #1158068 #1158071 #1158082 #1158094 #1158132 #1158381 #1158394 #1158398 #1158407 #1158410 #1158413 #1158417 #1158427 #1158445 #1158533 #1158637 #1158638 #1158639 #1158640 #1158641 #1158643 #1158644 #1158645 #1158646 #1158647 #1158649 #1158651 #1158652 #1158819 #1158823 #1158824 #1158827 #1158834 #1158893 #1158900 #1158903 #1158904 #1158954 #1159024 #1159096 #1159297 #1159483 #1159484 #1159500 #1159569 #1159841 #1159908 #1159909 #1159910 #972655 Cross-References: CVE-2017-18595 CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-10220 CVE-2019-11135 
CVE-2019-14821 CVE-2019-14835 CVE-2019-14895 CVE-2019-14901 CVE-2019-15030 CVE-2019-15031 CVE-2019-15213 CVE-2019-15916 CVE-2019-16231 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16746 CVE-2019-16995 CVE-2019-17055 CVE-2019-17056 CVE-2019-17133 CVE-2019-17666 CVE-2019-18660 CVE-2019-18683 CVE-2019-18805 CVE-2019-18808 CVE-2019-18809 CVE-2019-19046 CVE-2019-19049 CVE-2019-19051 CVE-2019-19052 CVE-2019-19056 CVE-2019-19057 CVE-2019-19058 CVE-2019-19060 CVE-2019-19062 CVE-2019-19063 CVE-2019-19065 CVE-2019-19066 CVE-2019-19067 CVE-2019-19068 CVE-2019-19073 CVE-2019-19074 CVE-2019-19075 CVE-2019-19077 CVE-2019-19078 CVE-2019-19080 CVE-2019-19081 CVE-2019-19082 CVE-2019-19083 CVE-2019-19227 CVE-2019-19319 CVE-2019-19332 CVE-2019-19338 CVE-2019-19447 CVE-2019-19523 CVE-2019-19524 CVE-2019-19525 CVE-2019-19526 CVE-2019-19527 CVE-2019-19528 CVE-2019-19529 CVE-2019-19530 CVE-2019-19531 CVE-2019-19532 CVE-2019-19533 CVE-2019-19534 CVE-2019-19535 CVE-2019-19536 CVE-2019-19537 CVE-2019-19543 CVE-2019-19767 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095 CVE-2019-20096 CVE-2019-9456 CVE-2019-9506 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves 80 vulnerabilities and has 310 fixes is now available. Description: The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2019-20095: mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c had some error-handling cases that did not free allocated hostcmd memory. This will cause a memory leak and denial of service (bnc#1159909). - CVE-2019-20054: Fixed a a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910). - CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908). 
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841). - CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819). - CVE-2019-19319: A setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021). - CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297). - CVE-2019-18808: A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption) (bnc#1156259). - CVE-2019-16746: An issue was discovered in net/wireless/nl80211.c where the length of variable elements in a beacon head were not checked, leading to a buffer overflow (bnc#1152107). - CVE-2019-19066: A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures (bnc#1157303). - CVE-2019-19051: There was a memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1159024). - CVE-2019-19338: There was an incomplete fix for Transaction Asynchronous Abort (TAA) (bnc#1158954). - CVE-2019-19332: There was an OOB memory write via kvm_dev_ioctl_get_cpuid (bnc#1158827). 
- CVE-2019-19537: There was a race condition bug that can be caused by a malicious USB device in the USB character device driver layer (bnc#1158904). - CVE-2019-19535: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bnc#1158903). - CVE-2019-19527: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bnc#1158900). - CVE-2019-19526: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver (bnc#1158893). - CVE-2019-19533: There was an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bnc#1158834). - CVE-2019-19532: There were multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers (bnc#1158824). - CVE-2019-19523: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79 (bnc#1158381 1158823 1158834). - CVE-2019-15213: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver (bnc#1146544). - CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1158445). - CVE-2019-19543: There was a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (bnc#1158427). - CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bnc#1158417). - CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bnc#1158410). - CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver (bnc#1158394). 
- CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bnc#1158413). - CVE-2019-19528: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver (bnc#1158407). - CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (bnc#1158398). - CVE-2019-19529: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver (bnc#1158381). - CVE-2019-14901: A heap overflow flaw was found in the Linux kernel in Marvell WiFi chip driver. The vulnerability allowed a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system (bnc#1157042). - CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158). - CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038). - CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. 
There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897). - CVE-2019-18809: A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1156258). - CVE-2019-19046: A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure (bnc#1157304). - CVE-2019-19078: A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157032). - CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333). - CVE-2019-19057: Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197). - CVE-2019-19056: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197). 
- CVE-2019-19068: A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157307). - CVE-2019-19063: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157298). - CVE-2019-19227: In the AppleTalk subsystem in the Linux kernel there was a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client (bnc#1157678). - CVE-2019-19081: A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157045). - CVE-2019-19080: Four memory leaks in the nfp_flower_spawn_phy_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157044). - CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191). - CVE-2019-19077: A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering copy to udata failures (bnc#1157171). - CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324). 
- CVE-2019-19067: Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures (bsc#1157180).
- CVE-2019-19060: A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157178).
- CVE-2019-19049: A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures (bsc#1157173).
- CVE-2019-19075: A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures (bnc#1157162).
- CVE-2019-19058: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures (bnc#1157145).
- CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).
- CVE-2019-19073: Fixed memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures (bnc#1157070).
- CVE-2019-19083: Memory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157049).
- CVE-2019-19082: Memory leaks in *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157046).
- CVE-2019-15916: An issue was discovered in the Linux kernel. There was a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service (bnc#1149448).
- CVE-2019-0154: Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100 Processor Families may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1135966).
- CVE-2019-0155: Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families; Intel(R) Graphics Driver for Windows (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka 15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may have allowed an authenticated user to potentially enable escalation of privilege via local access (bnc#1135967).
- CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).
- CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel. There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).
- CVE-2019-17055: base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket (bnc#1152782).
- CVE-2019-16995: In the Linux kernel before 5.0.3, a memory leak exists in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7f197d (bnc#1152685).
- CVE-2019-11135: TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may have allowed an authenticated user to potentially enable information disclosure via a side channel with local access (bnc#1139073).
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150457).
- CVE-2018-12207: Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may have allowed an authenticated user to potentially enable denial of service of the host system via local access (bnc#1117665).
- CVE-2019-10220: Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists (bnc#1144903).
- CVE-2019-17666: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow (bnc#1154372).
- CVE-2019-16232: drivers/net/wireless/marvell/libertas/if_sdio.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150465).
- CVE-2019-16234: drivers/net/wireless/intel/iwlwifi/pcie/trans.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150452).
- CVE-2019-17133: cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c did not reject a long SSID IE, leading to a Buffer Overflow (bnc#1153158).
- CVE-2019-17056: llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-3a359798b176 (bnc#1152788).
- CVE-2019-14821: An out-of-bounds access issue was found in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation (bnc#1151350).
- CVE-2017-18595: An issue was discovered in the Linux kernel. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c (bnc#1149555).
- CVE-2019-9506: The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1146042).
- CVE-2019-14835: A buffer overflow flaw was found in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration (bnc#1150112).
- CVE-2019-9456: There is an issue inside the USB monitor driver that can lead to a possible OOB write due to a missing bounds check (bnc#1150025).
- CVE-2019-15031: In the Linux kernel on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt (bnc#1149713).
- CVE-2019-15030: In the Linux kernel on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception (bnc#1149713).
The following non-security bugs were fixed:

- 9p: avoid attaching writeback_fid on mmap with type PRIVATE (bsc#1051510).
- ACPI / APEI: Do not wait to serialise with oops messages when panic()ing (bsc#1051510).
- ACPI / CPPC: do not require the _PSD method (bsc#1051510).
- ACPI / LPSS: Exclude I2C busses shared with PUNIT from pmc_atom_d3_mask (bsc#1051510).
- ACPI / LPSS: Ignore acpi_device_fix_up_power() return value (bsc#1051510).
- ACPI / PCI: fix acpi_pci_irq_enable() memory leak (bsc#1051510).
- ACPI / SBS: Fix rare oops when removing modules (bsc#1051510).
- ACPI / hotplug / PCI: Allocate resources directly under the non-hotplug bridge (bsc#1111666).
- ACPI / processor: do not print errors for processorIDs == 0xff (bsc#1051510).
- ACPI / property: Fix acpi_graph_get_remote_endpoint() name in kerneldoc (bsc#1051510).
- ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() (bsc#1051510).
- ACPI: OSL: only free map once in osl.c (bsc#1051510).
- ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510).
- ACPI: custom_method: fix memory leaks (bsc#1051510).
- ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100 (bsc#1051510).
- ACPICA: Increase total number of possible Owner IDs (bsc#1148859).
- ACPICA: Never run _REG on system_memory and system_IO (bsc#1051510).
- ACPICA: Use %d for signed int print formatting instead of %u (bsc#1051510).
- ALSA: 6fire: Drop the dead code (git-fixes).
- ALSA: aoa: onyx: always initialize register read value (bsc#1051510).
- ALSA: bebob: Fix prototype of helper function to return negative value (bsc#1051510).
- ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series (git-fixes).
- ALSA: cs4236: fix error return comparison of an unsigned integer (git-fixes).
- ALSA: echoaudio: simplify get_audio_levels (bsc#1051510).
- ALSA: fireface: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: firewire-motu: Correct a typo in the clock proc string (git-fixes).
- ALSA: firewire-motu: add support for MOTU 4pre (bsc#1111666).
- ALSA: firewire-tascam: check intermediate state of clock status and retry (bsc#1051510).
- ALSA: firewire-tascam: handle error code when getting current source of clock (bsc#1051510).
- ALSA: hda - Add a quirk model for fixing Huawei Matebook X right speaker (bsc#1051510).
- ALSA: hda - Add laptop imic fixup for ASUS M9V laptop (bsc#1051510).
- ALSA: hda - Add mute led support for HP ProBook 645 G4 (git-fixes).
- ALSA: hda - Apply AMD controller workaround for Raven platform (bsc#1051510).
- ALSA: hda - Define a fallback_pin_fixup_tbl for alc269 family (bsc#1051510).
- ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes).
- ALSA: hda - Drop unsol event handler for Intel HDMI codecs (bsc#1051510).
- ALSA: hda - Expand pin_match function to match upcoming new tbls (bsc#1051510).
- ALSA: hda - Fix pending unsol events at shutdown (git-fixes).
- ALSA: hda - Fix potential endless loop at applying quirks (bsc#1051510).
- ALSA: hda - Force runtime PM on Nvidia HDMI codecs (bsc#1051510).
- ALSA: hda - Inform too slow responses (bsc#1051510).
- ALSA: hda - Show the fatal CORB/RIRB error more clearly (bsc#1051510).
- ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen (git-fixes).
- ALSA: hda/ca0132 - Avoid endless loop (git-fixes).
- ALSA: hda/ca0132 - Fix possible workqueue stall (bsc#1155836).
- ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes).
- ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes).
- ALSA: hda/hdmi - Add new pci ids for AMD GPU display audio (git-fixes).
- ALSA: hda/hdmi - Clear codec->relaxed_resume flag at unbinding (git-fixes).
- ALSA: hda/hdmi - Do not report spurious jack state changes (bsc#1051510).
- ALSA: hda/hdmi - Fix duplicate unref of pci_dev (bsc#1051510).
- ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510).
- ALSA: hda/hdmi - fix vgaswitcheroo detection for AMD (git-fixes).
- ALSA: hda/hdmi: remove redundant assignment to variable pcm_idx (bsc#1051510).
- ALSA: hda/intel: add CometLake PCI IDs (bsc#1156729).
- ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510).
- ALSA: hda/realtek - Add quirk for HP Pavilion 15 (bsc#1051510).
- ALSA: hda/realtek - Add support for ALC623 (bsc#1051510).
- ALSA: hda/realtek - Add support for ALC711 (bsc#1051510).
- ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 (bsc#1051510).
- ALSA: hda/realtek - Check beep whitelist before assigning in all codecs (bsc#1051510).
- ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 (git-fixes).
- ALSA: hda/realtek - Enable headset mic on Asus MJ401TA (bsc#1051510).
- ALSA: hda/realtek - Enable internal speaker and headset mic of ASUS UX431FL (bsc#1051510).
- ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC (git-fixes).
- ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop (git-fixes).
- ALSA: hda/realtek - Fix 2 front mics of codec 0x623 (bsc#1051510).
- ALSA: hda/realtek - Fix alienware headset mic (bsc#1051510).
- ALSA: hda/realtek - Fix inverted bass GPIO pin on Acer 8951G (git-fixes).
- ALSA: hda/realtek - Fix overridden device-specific initialization (bsc#1051510).
- ALSA: hda/realtek - Fix the problem of two front mics on a ThinkCentre (bsc#1051510).
- ALSA: hda/realtek - Line-out jack does not work on a Dell AIO (bsc#1051510).
- ALSA: hda/realtek - Move some alc236 pintbls to fallback table (git-fixes).
- ALSA: hda/realtek - Move some alc256 pintbls to fallback table (git-fixes).
- ALSA: hda/realtek - PCI quirk for Medion E4254 (bsc#1051510).
- ALSA: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360 (bsc#1051510).
- ALSA: hda/sigmatel - remove unused variable 'stac9200_core_init' (bsc#1051510).
- ALSA: hda: Add Cometlake-S PCI ID (git-fixes).
- ALSA: hda: Add Elkhart Lake PCI ID (bsc#1051510).
- ALSA: hda: Add Tigerlake/Jasperlake PCI ID (bsc#1051510).
- ALSA: hda: Add support of Zhaoxin controller (bsc#1051510).
- ALSA: hda: Fix racy display power access (bsc#1156928).
- ALSA: hda: Flush interrupts on disabling (bsc#1051510).
- ALSA: hda: Set fifo_size for both playback and capture streams (bsc#1051510).
- ALSA: hda: hdmi - fix port numbering for ICL and TGL platforms (git-fixes).
- ALSA: hda: hdmi - remove redundant code comments (git-fixes).
- ALSA: hda: kabi workaround for generic parser flag (bsc#1051510).
- ALSA: i2c/cs8427: Fix int to char conversion (bsc#1051510).
- ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() (bsc#1051510).
- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510).
- ALSA: intel8x0m: Register irq handler after register initializations (bsc#1051510).
- ALSA: line6: sizeof (byte) is always 1, use that fact (bsc#1051510).
- ALSA: oxfw: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes).
- ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() (git-fixes).
- ALSA: pcm: Yet another missing check of non-cached buffer type (bsc#1111666).
- ALSA: pcm: oss: Avoid potential buffer overflows (git-fixes).
- ALSA: pcm: signedness bug in snd_pcm_plug_alloc() (bsc#1051510).
- ALSA: seq: Do error checks at creating system ports (bsc#1051510).
- ALSA: timer: Fix incorrectly assigned timer instance (git-fixes).
- ALSA: timer: Fix mutex deadlock at releasing card (bsc#1051510).
- ALSA: usb-audio: Add DSD support for EVGA NU Audio (bsc#1051510).
- ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface (bsc#1051510).
- ALSA: usb-audio: Add Hiby device family to quirks for native DSD support (bsc#1051510).
- ALSA: usb-audio: Add Pioneer DDJ-SX3 PCM quirck (bsc#1051510).
- ALSA: usb-audio: Add skip_validation option (git-fixes).
- ALSA: usb-audio: Clean up check_input_term() (bsc#1051510).
- ALSA: usb-audio: DSD auto-detection for Playback Designs (bsc#1051510).
- ALSA: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1051510).
- ALSA: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1111666).
- ALSA: usb-audio: Fix Focusrite Scarlett 6i6 gen1 - input handling (git-fixes).
- ALSA: usb-audio: Fix NULL dereference at parsing BADD (git-fixes).
- ALSA: usb-audio: Fix copy and paste error in the validator (bsc#1111666).
- ALSA: usb-audio: Fix incorrect NULL check in create_yamaha_midi_quirk() (git-fixes).
- ALSA: usb-audio: Fix incorrect size check for processing/extension units (git-fixes).
- ALSA: usb-audio: Fix missing error check at mixer resolution test (git-fixes).
- ALSA: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk() (bsc#1051510).
- ALSA: usb-audio: More validations of descriptor units (bsc#1051510).
- ALSA: usb-audio: Remove superfluous bLength checks (bsc#1051510).
- ALSA: usb-audio: Simplify parse_audio_unit() (bsc#1051510).
- ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid (bsc#1051510).
- ALSA: usb-audio: Unify audioformat release code (bsc#1051510).
- ALSA: usb-audio: Unify the release of usb_mixer_elem_info objects (bsc#1051510).
- ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel (bsc#1051510).
- ALSA: usb-audio: fix PCM device order (bsc#1051510).
- ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510).
- ALSA: usb-audio: not submit urb for stopped endpoint (git-fixes).
- ALSA: usb-audio: remove some dead code (bsc#1051510).
- ALSA: usb-audio: sound: usb: usb true/false for bool return type (git-fixes).
- ASoC: Define a set of DAPM pre/post-up events (bsc#1051510).
- ASoC: Intel: Baytrail: Fix implicit fallthrough warning (bsc#1051510).
- ASoC: Intel: Fix use of potentially uninitialized variable (bsc#1051510).
- ASoC: Intel: NHLT: Fix debug print format (bsc#1051510).
- ASoC: Intel: hdac_hdmi: Limit sampling rates at dai creation (bsc#1051510).
- ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510).
- ASoC: compress: fix unsigned integer overflow check (bsc#1051510).
- ASoC: davinci-mcasp: Handle return value of devm_kasprintf (stable 4.14.y).
- ASoC: davinci: Kill BUG_ON() usage (stable 4.14.y).
- ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set (bsc#1051510).
- ASoC: dpcm: Properly initialise hw->rate_max (bsc#1051510).
- ASoC: es8328: Fix copy-paste error in es8328_right_line_controls (bsc#1051510).
- ASoC: kirkwood: fix external clock probe defer (git-fixes).
- ASoC: msm8916-wcd-analog: Fix RX1 selection in RDAC2 MUX (git-fixes).
- ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510).
- ASoC: sgtl5000: Fix charge pump source assignment (bsc#1051510).
- ASoC: sgtl5000: avoid division by zero if lo_vag is zero (bsc#1051510).
- ASoC: sun4i-i2s: RX and TX counter registers are swapped (bsc#1051510).
- ASoC: tegra_sgtl5000: fix device_node refcounting (bsc#1051510).
- ASoC: tlv320aic31xx: Handle inverted BCLK in non-DSP modes (stable 4.14.y).
- ASoC: tlv320dac31xx: mark expected switch fall-through (stable 4.14.y).
- ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls (bsc#1051510).
- ASoC: wm8962: fix lambda value (git-fixes).
- ASoC: wm8988: fix typo in wm8988_right_line_controls (bsc#1051510).
- ASoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510).
- Add 3 not-needeed commits to blacklist.conf from git-fixes.
- Add Acer Aspire Ethos 8951G model quirk (bsc#1051510).
- Add kernel module compression support (bsc#1135854).
- Add some qedf commits to blacklist file (bsc#1149976).
- Bluetooth: Fix invalid-free in bcsp_close() (git-fixes).
- Bluetooth: Fix memory leak in hci_connect_le_scan (bsc#1051510).
- Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS (bsc#1051510).
- Bluetooth: btqca: Add a short delay before downloading the NVM (bsc#1051510).
- Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices (bsc#1051510).
- Bluetooth: btusb: fix PM leak in error case of setup (bsc#1051510).
- Bluetooth: delete a stray unlock (bsc#1051510).
- Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading (bsc#1051510).
- Bluetooth: hci_core: fix init for HCI_USER_CHANNEL (bsc#1051510).
- Btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- Btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569).
- Btrfs: bail out gracefully rather than BUG_ON (bsc#1153646).
- Btrfs: check for the full sync flag while holding the inode lock during fsync (bsc#1153713).
- Btrfs: check for the full sync flag while holding the inode lock during fsync (bsc#1153713).
- Btrfs: do not abort transaction at btrfs_update_root() after failure to COW path (bsc#1150933).
- Btrfs: fix assertion failure during fsync and use of stale transaction (bsc#1150562).
- Btrfs: fix log context list corruption after rename exchange operation (bsc#1156494).
- Btrfs: fix use-after-free when using the tree modification log (bsc#1151891).
- CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10).
- CIFS: Fix SMB2 oplock break processing (bsc#1144333, bsc#1154355).
- CIFS: Fix oplock handling for SMB 2.1+ protocols (bsc#1144333, bsc#1154355).
- CIFS: Fix retry mid list corruption on reconnects (bsc#1144333, bsc#1154355).
- CIFS: Fix use after free of file info structures (bsc#1144333, bsc#1154355).
- CIFS: Force reval dentry if LOOKUP_REVAL flag is set (bsc#1144333, bsc#1154355).
- CIFS: Force revalidate inode when dentry is stale (bsc#1144333, bsc#1154355).
- CIFS: Gracefully handle QueryInfo errors during open (bsc#1144333, bsc#1154355).
- CIFS: avoid using MID 0xFFFF (bsc#1144333, bsc#1154355).
- CIFS: fix max ea value size (bsc#1144333, bsc#1154355).
- Compile nvme.ko as module (bsc#1150846)
- Disable CONFIG_DEBUG_PAGEALLOC (bsc#1159096).
- Documentation: debugfs: Document debugfs helper for unsigned long values (git-fixes).
- Documentation: x86: convert protection-keys.txt to reST (bsc#1078248).
- Drop an ASoC fix that was reverted in 4.14.y stable
- Drop multiversion(kernel) from the KMP template (bsc#1127155).
- EDAC/amd64: Adjust printed chip select sizes when interleaved (bsc#1131489).
- EDAC/amd64: Cache secondary Chip Select registers (bsc#1131489).
- EDAC/amd64: Decode syndrome before translating address (bsc#1114279).
- EDAC/amd64: Decode syndrome before translating address (bsc#1131489).
- EDAC/amd64: Find Chip Select memory size using Address Mask (bsc#1131489).
- EDAC/amd64: Initialize DIMM info for systems with more than two channels (bsc#1131489).
- EDAC/amd64: Recognize DRAM device type ECC capability (bsc#1131489).
- EDAC/amd64: Recognize x16 symbol size (bsc#1131489).
- EDAC/amd64: Set maximum channel layer size depending on family (bsc#1131489).
- EDAC/amd64: Support asymmetric dual-rank DIMMs (bsc#1131489).
- EDAC/amd64: Support more than two Unified Memory Controllers (bsc#1131489).
- EDAC/amd64: Support more than two controllers for chip selects handling (bsc#1131489).
- EDAC/amd64: Use a macro for iterating over Unified Memory Controllers (bsc#1131489).
- EDAC/ghes: Fix Use after free in ghes_edac remove path (bsc#1114279).
- EDAC/ghes: Fix locking and memory barrier issues (bsc#1114279).
- EDAC/ghes: Do not warn when incrementing refcount on 0 (bsc#1114279).
- HID: Add ASUS T100CHI keyboard dock battery quirks (bsc#1051510).
- HID: Add quirk for Microsoft PIXART OEM mouse (bsc#1051510).
- HID: Fix assumption that devices have inputs (git-fixes).
- HID: apple: Fix stuck function keys when using FN (bsc#1051510).
- HID: asus: Add T100CHI bluetooth keyboard dock special keys mapping (bsc#1051510).
- HID: cp2112: prevent sleeping function called from invalid context (bsc#1051510).
- HID: doc: fix wrong data structure reference for UHID_OUTPUT (bsc#1051510).
- HID: fix error message in hid_open_report() (bsc#1051510).
- HID: hidraw: Fix invalid read in hidraw_ioctl (bsc#1051510).
- HID: intel-ish-hid: fixes incorrect error handling (bsc#1051510).
- HID: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510).
- HID: logitech: Fix general protection fault caused by Logitech driver (bsc#1051510).
- HID: prodikeys: Fix general protection fault during probe (bsc#1051510).
- HID: sony: Fix memory corruption issue on cleanup (bsc#1051510).
- HID: wacom: generic: Treat serial number and related fields as unsigned (git-fixes).
- IB/core, ipoib: Do not overreact to SM LID change event (bsc#1154108)
- IB/core: Add mitigation for Spectre V1 (bsc#1155671)
- IB/hfi1: Remove overly conservative VM_EXEC flag check (bsc#1144449).
- IB/mlx5: Consolidate use_umr checks into single function (bsc#1093205).
- IB/mlx5: Fix MR re-registration flow to use UMR properly (bsc#1093205).
- IB/mlx5: Fix steering rule of drop and count (bsc#1103991).
- IB/mlx5: Free mpi in mp_slave mode (bsc#1103991).
- IB/mlx5: Remove dead code (bsc#1103991).
- IB/mlx5: Report correctly tag matching rendezvous capability (bsc#1046305).
- IB/mlx5: Support MLX5_CMD_OP_QUERY_LAG as a DEVX general command (bsc#1103991).
- Input: cyttsp4_core - fix use after free bug (bsc#1051510).
- Input: da9063 - fix capability and drop KEY_SLEEP (bsc#1051510).
- Input: elan_i2c - remove Lenovo Legion Y7000 PnpID (bsc#1051510).
- Input: ff-memless - kill timer in destroy() (bsc#1051510).
- Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).
- Input: silead - try firmware reload after unsuccessful resume (bsc#1051510).
- Input: st1232 - set INPUT_PROP_DIRECT property (bsc#1051510).
- Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).
- Input: synaptics-rmi4 - avoid processing unknown IRQs (bsc#1051510).
- Input: synaptics-rmi4 - clear IRQ enables for F54 (bsc#1051510).
- Input: synaptics-rmi4 - destroy F54 poller workqueue when removing (bsc#1051510).
- Input: synaptics-rmi4 - disable the relative position IRQ in the F12 driver (bsc#1051510).
- Input: synaptics-rmi4 - do not consume more data than we have (F11, F12) (bsc#1051510).
- Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).
- Input: synaptics-rmi4 - fix video buffer size (git-fixes).
- KABI protect struct vmem_altmap (bsc#1150305).
- KVM: MMU: drop vcpu param in gpte_access (bsc#1117665).
- KVM: PPC: Book3S HV: Check for MMU ready on piggybacked virtual cores (bsc#1061840).
- KVM: PPC: Book3S HV: Do not lose pending doorbell request on migration on P9 (bsc#1061840).
- KVM: PPC: Book3S HV: Do not push XIVE context when not using XIVE device (bsc#1061840).
- KVM: PPC: Book3S HV: Fix lockdep warning when entering the guest (bsc#1061840).
- KVM: PPC: Book3S HV: Fix race in re-enabling XIVE escalation interrupts (bsc#1061840).
- KVM: PPC: Book3S HV: Handle virtual mode in XIVE VCPU push code (bsc#1061840).
- KVM: PPC: Book3S HV: XIVE: Free escalation interrupts before disabling the VP (bsc#1061840).
- KVM: PPC: Book3S HV: use smp_mb() when setting/clearing host_ipi flag (bsc#1061840).
- KVM: PPC: Book3S: Fix incorrect guest-to-user-translation error handling (bsc#1061840).
- KVM: SVM: Guard against DEACTIVATE when performing WBINVD/DF_FLUSH (bsc#1114279).
- KVM: SVM: Serialize access to the SEV ASID bitmap (bsc#1114279).
- KVM: VMX: Consider PID.PIR to determine if vCPU has pending interrupts (bsc#1158064).
- KVM: VMX: Fix conditions for guest IA32_XSS support (bsc#1158065).
- KVM: X86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083).
- KVM: X86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083).
- KVM: arm/arm64: Clean dcache to PoC when changing PTE due to CoW (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Detangle kvm_mmu.h from kvm_hyp.h (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Drop vcpu parameter from guest cache maintenance operartions (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Limit icache invalidation to prefetch aborts (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Only clean the dcache on translation fault (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Preserve Exec permission across R/W permission faults (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Split dcache/icache flushing (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm64: Set SCTLR_EL2.DSSBS if SSBD is forcefully disabled and !vhe (jsc#ECO-561).
- KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes).
- KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes).
- KVM: s390: fix __insn32_query() inline assembly (git-fixes).
- KVM: s390: vsie: Do not shadow CRYCB when no AP and no keys (git-fixes).
- KVM: s390: vsie: Return correct values for Invalid CRYCB format (git-fixes).
- KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- KVM: x86/mmu: Take slots_lock when using kvm_mmu_zap_all_fast() (bsc#1158067).
- KVM: x86: Introduce vcpu->arch.xsaves_enabled (bsc#1158066).
- KVM: x86: Remove a spurious export of a static function (bsc#1158954).
- KVM: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- KVM: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- KVM: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- KVM: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- KVM: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- KVM: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- KVM: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- KVM: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- NFC: fdp: fix incorrect free object (networking-stable-19_11_10).
- NFC: fix attrs checks in netlink interface (bsc#1051510).
- NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error (git-fixes).
- NFC: pn533: fix use-after-free and memleaks (bsc#1051510).
- NFC: st21nfca: fix double free (networking-stable-19_11_10).
- NFS: Do not interrupt file writeout due to fatal errors (git-fixes).
- NFS: Do not open code clearing of delegation state (git-fixes).
- NFS: Ensure O_DIRECT reports an error if the bytes read/written is 0 (git-fixes).
- NFS: Fix regression whereby fscache errors are appearing on 'nofsc' mounts (git-fixes).
- NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family (git-fixes).
- NFS: Refactor nfs_lookup_revalidate() (git-fixes).
- NFS: Remove redundant semicolon (git-fixes).
- NFS4: Fix v4.0 client state corruption when mount (git-fixes).
- NFSv4.1 - backchannel request should hold ref on xprt (bsc#1152624).
- NFSv4.1: Again fix a race where CB_NOTIFY_LOCK fails to wake a waiter (git-fixes).
- NFSv4.1: Fix open stateid recovery (git-fixes).
- NFSv4.1: Only reap expired delegations (git-fixes).
- NFSv4/pnfs: Fix a page lock leak in nfs_pageio_resend() (git-fixes).
- NFSv4: Fix OPEN / CLOSE race (git-fixes).
- NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() (git-fixes).
- NFSv4: Fix an Oops in nfs4_do_setattr (git-fixes).
- NFSv4: Fix delegation state recovery (git-fixes).
- NFSv4: Fix lookup revalidate of regular files (git-fixes).
- NFSv4: Handle the special Linux file open access mode (git-fixes).
- NFSv4: Only pass the delegation to setattr if we're sending a truncate (git-fixes).
- PCI/ACPI: Correct error message for ASPM disabling (bsc#1051510).
- PCI/MSI: Fix incorrect MSI-X masking on resume (bsc#1051510).
- PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity() (bsc#1051510).
- PCI/PM: Clear PCIe PME Status even for legacy power management (bsc#1111666).
- PCI/PME: Fix possible use-after-free on remove (git-fixes).
- PCI/PTM: Remove spurious "d" from granularity message (bsc#1051510).
- PCI/VPD: Prevent VPD access for Amazon's Annapurna Labs Root Port (bsc#1152187,bsc#1152525).
- PCI: Add ACS quirk for Amazon Annapurna Labs root ports (bsc#1152187,bsc#1152525).
- PCI: Add Amazon's Annapurna Labs vendor ID (bsc#1152187,bsc#1152525).
- PCI: Add quirk to disable MSI-X support for Amazon's Annapurna Labs Root Port (bsc#1152187,bsc#1152525).
- PCI: Apply Cavium ACS quirk to ThunderX2 and ThunderX3 (bsc#1051510).
- PCI: Correct pci=resource_alignment parameter example (bsc#1051510).
- PCI: Fix Intel ACS quirk UPDCR register address (bsc#1051510).
- PCI: PM: Fix pci_power_up() (bsc#1051510).
- PCI: al: Add Amazon Annapurna Labs PCIe host controller driver (SLE-9332).
- PCI: dra7xx: Fix legacy INTD IRQ handling (bsc#1087092).
- PCI: dwc: Fix find_next_bit() usage (bsc#1051510).
- PCI: hv: Detect and fix Hyper-V PCI domain number collision (bsc#1150423).
- PCI: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263).
- PCI: pciehp: Avoid returning prematurely from sysfs requests (git-fixes).
- PCI: pciehp: Do not disable interrupt twice on suspend (bsc#1111666).
- PCI: rcar: Fix missing MACCTLR register setting in initialization sequence (bsc#1051510).
- PCI: sysfs: Ignore lockdep for remove attribute (git-fixes).
- PCI: tegra: Enable Relaxed Ordering only for Tegra20 and Tegra30 (git-fixes).
- PM / AVS: SmartReflex: NULL check before some freeing functions is not needed (bsc#1051510).
- PM / Domains: Deal with multiple states but no governor in genpd (bsc#1051510).
- PM / devfreq: Check NULL governor in available_governors_show (git-fixes). - PM / devfreq: Lock devfreq in trans_stat_show (git-fixes). - PM / devfreq: exynos-bus: Correct clock enable sequence (bsc#1051510). - PM / devfreq: passive: Use non-devm notifiers (bsc#1051510). - PM / devfreq: passive: fix compiler warning (bsc#1051510). - PM / hibernate: Check the success of generating md5 digest before hibernation (bsc#1051510). - PM: sleep: Fix possible overflow in pm_system_cancel_wakeup() (bsc#1051510). - PNFS fallback to MDS if no deviceid found (git-fixes). - RDMA/bnxt_re: Enable SRIOV VF support on Broadcom's 57500 adapter series (bsc#1154916). - RDMA/bnxt_re: Fix chip number validation Broadcom's Gen P5 series (bsc#1157895). - RDMA/bnxt_re: Fix missing le16_to_cpu (bsc#1157895). - RDMA/bnxt_re: Fix spelling mistake "missin_resp" -> "missing_resp" (bsc#1050244). - RDMA/bnxt_re: Fix stat push into dma buffer on gen p5 devices (bsc#1157115) - RDMA/efa: Add Amazon EFA driver (jsc#SLE-4805) - RDMA/efa: Clear the admin command buffer prior to its submission (git-fixes) Patch was already picked through Amazon driver repo but was not marked with a Git-commit tag - RDMA/hns: Add mtr support for mixed multihop addressing (bsc#1104427). - RDMA/hns: Add reset process for function-clear (bsc#1155061). - RDMA/hns: Bugfix for calculating qp buffer size (bsc#1104427 ). - RDMA/hns: Bugfix for filling the sge of srq (bsc#1104427 ). - RDMA/hns: Bugfix for qpc/cqc timer configuration (bsc#1104427 bsc#1126206). - RDMA/hns: Correct the value of srq_desc_size (bsc#1104427 ). - RDMA/hns: Fix an error code in hns_roce_set_user_sq_size() (bsc#1104427). - RDMA/hns: Fix comparison of unsigned long variable 'end' with less than zero (bsc#1104427 bsc#1137236). - RDMA/hns: Fix to support 64K page for srq (bsc#1104427 ). - RDMA/hns: Fix wrong assignment of qp_access_flags (bsc#1104427 ). - RDMA/hns: Fixs hw access invalid dma memory error (bsc#1104427 ). 
- RDMA/hns: Fixup qp release bug (bsc#1104427). - RDMA/hns: Modify ba page size for cqe (bsc#1104427). - RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427 ). - RDMA/hns: Remove set but not used variable 'fclr_write_fail_flag' (bsc#1104427). - RDMA/hns: Remove the some magic number (bsc#1155061). - RDMA/hns: Remove unnecessary print message in aeq (bsc#1104427 ). - RDMA/hns: Replace magic numbers with #defines (bsc#1104427 ). - RDMA/hns: Set reset flag when hw resetting (bsc#1104427 ). - RDMA/hns: Use %pK format pointer print (bsc#1104427 ). - RDMA/hns: fix inverted logic of readl read and shift (bsc#1104427). - RDMA/hns: reset function when removing module (bsc#1104427 ). - RDMA/restrack: Track driver QP types in resource tracker (jsc#SLE-4805) - RDMA: Fix goto target to release the allocated memory (bsc#1050244). - RDMa/hns: Do not stuck in endless timeout loop (bsc#1104427 ). - README.BRANCH: Add Denis as branch maintainer - README.BRANCH: Removing myself from the maintainer list - README.BRANCH: Removing myself from the maintainer list. - README.BRANCH: removing myself from the maintainer list - Revert "mmc: sdhci: Fix incorrect switch to HS mode" (bsc#1051510). - SUNRPC fix regression in umount of a secure mount (git-fixes). - SUNRPC/nfs: Fix return value for nfs4_callback_compound() (git-fixes). - SUNRPC: Handle connection breakages correctly in call_status() (git-fixes). - UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather segments"). - USB: Allow USB device to be warm reset in suspended state (bsc#1051510). - USB: adutux: fix NULL-derefs on disconnect (bsc#1142635). - USB: adutux: fix interface sanity check (bsc#1051510). - USB: adutux: fix use-after-free on disconnect (bsc#1142635). - USB: adutux: fix use-after-free on release (bsc#1051510). - USB: chaoskey: fix error case of a timeout (git-fixes). - USB: chaoskey: fix use-after-free on release (bsc#1051510). 
- USB: core: urb: fix URB structure initialization function (bsc#1051510). - USB: documentation: flags on usb-storage versus UAS (bsc#1051510). - USB: dummy-hcd: fix power budget for SuperSpeed mode (bsc#1051510). - USB: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510). - USB: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510). - USB: dwc3: ep0: Clear started flag on completion (bsc#1051510). - USB: gadget: Reject endpoints with 0 maxpacket value (bsc#1051510). - USB: gadget: pch_udc: fix use after free (bsc#1051510). - USB: gadget: u_serial: add missing port entry locking (bsc#1051510). - USB: idmouse: fix interface sanity checks (bsc#1051510). - USB: iowarrior: fix use-after-free after driver unbind (bsc#1051510). - USB: iowarrior: fix use-after-free on disconnect (bsc#1051510). - USB: iowarrior: fix use-after-free on release (bsc#1051510). - USB: ldusb: fix NULL-derefs on driver unbind (bsc#1051510). - USB: ldusb: fix control-message timeout (bsc#1051510). - USB: ldusb: fix memleak on disconnect (bsc#1051510). - USB: ldusb: fix read info leaks (bsc#1051510). - USB: ldusb: fix ring-buffer locking (bsc#1051510). - USB: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510). - USB: legousbtower: fix deadlock on disconnect (bsc#1142635). - USB: legousbtower: fix memleak on disconnect (bsc#1051510). - USB: legousbtower: fix open after failed reset request (bsc#1142635). - USB: legousbtower: fix potential NULL-deref on disconnect (bsc#1142635). - USB: legousbtower: fix slab info leak at probe (bsc#1142635). - USB: legousbtower: fix use-after-free on release (bsc#1051510). - USB: microtek: fix info-leak at probe (bsc#1142635). - USB: misc: appledisplay: fix backlight update_status return code (bsc#1051510). - USB: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510). - USB: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510). - USB: serial: fix runtime PM after driver unbind (bsc#1051510). 
- USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 (bsc#1051510). - USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P (bsc#1051510). - USB: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510). - USB: serial: keyspan: fix NULL-derefs on open() and write() (bsc#1051510). - USB: serial: mos7720: fix remote wakeup (git-fixes). - USB: serial: mos7840: add USB ID to support Moxa UPort 2210 (bsc#1051510). - USB: serial: mos7840: fix remote wakeup (git-fixes). - USB: serial: option: add Telit FN980 compositions (bsc#1051510). - USB: serial: option: add support for Cinterion CLS8 devices (bsc#1051510). - USB: serial: option: add support for DW5821e with eSIM support (bsc#1051510). - USB: serial: option: add support for Foxconn T77W968 LTE modules (bsc#1051510). - USB: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510). - USB: serial: whiteheat: fix line-speed endianness (bsc#1051510). - USB: serial: whiteheat: fix potential slab corruption (bsc#1051510). - USB: storage: ums-realtek: Update module parameter description for auto_delink_en (bsc#1051510). - USB: storage: ums-realtek: Whitelist auto-delink support (bsc#1051510). - USB: uas: heed CAPACITY_HEURISTICS (bsc#1051510). - USB: uas: honor flag to avoid CAPACITY16 (bsc#1051510). - USB: usb-skeleton: fix NULL-deref on disconnect (bsc#1051510). - USB: usb-skeleton: fix runtime PM after driver unbind (bsc#1051510). - USB: usb-skeleton: fix use-after-free after driver unbind (bsc#1051510). - USB: usbcore: Fix slab-out-of-bounds bug during device reset (bsc#1051510). - USB: usblcd: fix I/O after disconnect (bsc#1142635). - USB: usblp: fix runtime PM after driver unbind (bsc#1051510). - USB: usblp: fix use-after-free on disconnect (bsc#1051510). - USB: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510). - USB: xhci: only set D3hot for pci device (bsc#1051510). - USB: yurex: Do not retry on unexpected errors (bsc#1051510). 
- USB: yurex: fix NULL-derefs on disconnect (bsc#1051510). - USBIP: add config dependency for SGL_ALLOC (git-fixes). - acpi/nfit, device-dax: Identify differentiated memory with a unique numa-node (bsc#1158071). - act_mirred: Fix mirred_init_module error handling (bsc#1051510). - alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP (bsc#1151680). - apparmor: fix unsigned len comparison with less than zero (git-fixes). - appledisplay: fix error handling in the scheduled work (git-fixes). - appletalk: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510). - arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30). - arm64/cpufeature: Convert hook_lock to raw_spin_lock_t in cpu_enable_ssbs() (jsc#ECO-561). - arm64: Add decoding macros for CP15_32 and CP15_64 traps (jsc#ECO-561). - arm64: Add part number for Neoverse N1 (jsc#ECO-561). - arm64: Add silicon-errata.txt entry for ARM erratum 1188873 (jsc#ECO-561). - arm64: Apply ARM64_ERRATUM_1188873 to Neoverse-N1 (jsc#ECO-561). - arm64: Fake the IminLine size on systems affected by Neoverse-N1 #1542419 (jsc#ECO-561,jsc#SLE-10671). - arm64: Fix mismatched cache line size detection (jsc#ECO-561,jsc#SLE-10671). - arm64: Fix silly typo in comment (jsc#ECO-561). - arm64: Force SSBS on context switch (jsc#ECO-561). - arm64: Handle erratum 1418040 as a superset of erratum 1188873 (jsc#ECO-561). - arm64: Introduce sysreg_clear_set() (jsc#ECO-561). - arm64: KVM: Add invalidate_icache_range helper (jsc#ECO-561,jsc#SLE-10671). - arm64: KVM: PTE/PMD S2 XN bit definition (jsc#ECO-561,jsc#SLE-10671). - arm64: Make ARM64_ERRATUM_1188873 depend on COMPAT (jsc#ECO-561). - arm64: PCI: Preserve firmware configuration when desired (SLE-9332). - arm64: Restrict ARM64_ERRATUM_1188873 mitigation to AArch32 (jsc#ECO-561). - arm64: Update config files. (bsc#1156466) Enable HW_RANDOM_OMAP driver and mark driver omap-rng as supported. 
- arm64: arch_timer: Add workaround for ARM erratum 1188873 (jsc#ECO-561). - arm64: arch_timer: avoid unused function warning (jsc#ECO-561). - arm64: compat: Add CNTFRQ trap handler (jsc#ECO-561). - arm64: compat: Add CNTVCT trap handler (jsc#ECO-561). - arm64: compat: Add condition code checks and IT advance (jsc#ECO-561). - arm64: compat: Add cp15_32 and cp15_64 handler arrays (jsc#ECO-561). - arm64: compat: Add separate CP15 trapping hook (jsc#ECO-561). - arm64: compat: Workaround Neoverse-N1 #1542419 for compat user-space (jsc#ECO-561,jsc#SLE-10671). - arm64: cpu: Move errata and feature enable callbacks closer to callers (jsc#ECO-561). - arm64: cpu_errata: Remove ARM64_MISMATCHED_CACHE_LINE_SIZE (jsc#ECO-561,jsc#SLE-10671). - arm64: cpufeature: Detect SSBS and advertise to userspace (jsc#ECO-561). - arm64: cpufeature: Fix handling of CTR_EL0.IDC field (jsc#ECO-561,jsc#SLE-10671). - arm64: cpufeature: Trap CTR_EL0 access only where it is necessary (jsc#ECO-561,jsc#SLE-10671). - arm64: cpufeature: ctr: Fix cpu capability check for late CPUs (jsc#ECO-561,jsc#SLE-10671). - arm64: entry: Allow handling of undefined instructions from EL1 (jsc#ECO-561). - arm64: errata: Hide CTR_EL0.DIC on systems affected by Neoverse-N1 #1542419 (jsc#ECO-561,jsc#SLE-10671). - arm64: fix SSBS sanitization (jsc#ECO-561). - arm64: force_signal_inject: WARN if called from kernel context (jsc#ECO-561). - arm64: kill change_cpacr() (jsc#ECO-561). - arm64: kill config_sctlr_el1() (jsc#ECO-561). - arm64: move SCTLR_EL{1,2} assertions to asm/sysreg.h (jsc#ECO-561). - arm64: ssbd: Add support for PSTATE.SSBS rather than trapping to EL3 (jsc#ECO-561). - arm64: ssbd: Drop #ifdefs for PR_SPEC_STORE_BYPASS (jsc#ECO-561). - arm: KVM: Add optimized PIPT icache flushing (jsc#ECO-561,jsc#SLE-10671). - ata: ep93xx: Use proper enums for directions (bsc#1051510). - ath10k: Correct error handling of dma_map_single() (bsc#1111666). - ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet (bsc#1111666). 
- ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem (bsc#1111666). - ath10k: assign 'n_cipher_suites = 11' for WCN3990 to enable WPA3 (bsc#1111666). - ath10k: avoid possible memory access violation (bsc#1111666). - ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510). - ath10k: fix kernel panic by moving pci flush after napi_disable (bsc#1051510). - ath10k: fix vdev-start timeout on error (bsc#1051510). - ath10k: limit available channels via DT ieee80211-freq-limit (bsc#1051510). - ath10k: skip resetting rx filter for WCN3990 (bsc#1111666). - ath10k: wmi: disable softirq's while calling ieee80211_rx (bsc#1051510). - ath6kl: Fix off by one error in scan completion (bsc#1051510). - ath9k: Fix a locking bug in ath9k_add_interface() (bsc#1051510). - ath9k: add back support for using active monitor interfaces for tx99 (bsc#1051510). - ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init (bsc#1051510). - ath9k: fix reporting calculated new FFT upper max (bsc#1051510). - ath9k: fix tx99 with monitor mode interface (bsc#1051510). - ath9k_hw: fix uninitialized variable data (bsc#1051510). - atl1e: checking the status of atl1e_write_phy_reg (bsc#1051510). - atm: iphase: Fix Spectre v1 vulnerability (networking-stable-19_08_08). - audit: Allow auditd to set pid to 0 to end auditing (bsc#1158094). - auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach (bsc#1051510). - ax25: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - ax88172a: fix information leak on short answers (bsc#1051510). - backlight: lm3639: Unconditionally call led_classdev_unregister (bsc#1051510). - bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA (bsc#1051510). - blk-flush: do not run queue for requests bypassing flush (bsc#1137959). - blk-flush: use blk_mq_request_bypass_insert() (bsc#1137959). - blk-mq-sched: decide how to handle flush rq via RQF_FLUSH_SEQ (bsc#1137959). 
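Two entries above, "appletalk: enforce CAP_NET_RAW for raw sockets" and "ax25: enforce CAP_NET_RAW for raw sockets" (both bsc#1051510), close a gap where an unprivileged process could open a SOCK_RAW socket in those address families. The probe below is an added example written for this page; it is not SUSE's code or part of the listed kernel patches. It tries socket(AF_APPLETALK, SOCK_RAW, 0) and socket(AF_AX25, SOCK_RAW, 0) and reports whether the kernel refused with EPERM, which is the behaviour the fixed kernel shows to a caller without CAP_NET_RAW. Run it as an ordinary user on the updated kernel: root already holds CAP_NET_RAW, so a success as root proves nothing, and a kernel without AppleTalk or AX.25 support reports UNSUPPORTED rather than DENIED. The result names and the classification function are this example's own, not kernel or libc API.

```c
/*
 * Added example, not part of the SUSE advisory or of the kernel patches it lists.
 * Checks whether raw AppleTalk and AX.25 sockets are refused to a process that
 * lacks CAP_NET_RAW, as the "enforce CAP_NET_RAW for raw sockets" fixes intend.
 * Build: cc -Wall -o rawsock_probe rawsock_probe.c ; run it as a non-root user.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum raw_sock_result {
    RAW_SOCK_ALLOWED,      /* socket() succeeded: no check, or the caller holds CAP_NET_RAW */
    RAW_SOCK_DENIED,       /* EPERM/EACCES: the capability check fired */
    RAW_SOCK_UNSUPPORTED,  /* family not available in this kernel; nothing to test */
    RAW_SOCK_OTHER         /* some other failure; inspect errno by hand */
};

/* Pure classification of a socket(2) outcome: fd is its return value, err the errno. */
enum raw_sock_result classify_raw_socket(int fd, int err)
{
    if (fd >= 0)
        return RAW_SOCK_ALLOWED;
    if (err == EPERM || err == EACCES)
        return RAW_SOCK_DENIED;
    if (err == EAFNOSUPPORT || err == EPROTONOSUPPORT ||
        err == ESOCKTNOSUPPORT || err == EINVAL)
        return RAW_SOCK_UNSUPPORTED;
    return RAW_SOCK_OTHER;
}

/* Attempt socket(family, SOCK_RAW, proto), classify the result, and close any fd obtained. */
enum raw_sock_result probe_raw_socket(int family, int proto)
{
    int fd = socket(family, SOCK_RAW, proto);
    int err = errno;                 /* only meaningful when fd < 0 */
    enum raw_sock_result r = classify_raw_socket(fd, err);

    if (fd >= 0)
        close(fd);
    return r;
}

static const char *result_name(enum raw_sock_result r)
{
    switch (r) {
    case RAW_SOCK_ALLOWED:     return "ALLOWED (check missing, or you hold CAP_NET_RAW)";
    case RAW_SOCK_DENIED:      return "DENIED (CAP_NET_RAW enforced)";
    case RAW_SOCK_UNSUPPORTED: return "UNSUPPORTED (family not available)";
    default:                   return "OTHER (unexpected errno)";
    }
}

int main(void)
{
    /* Protocol 0 is DDP for AppleTalk and the default for AX.25. */
    struct { const char *name; int family; } fams[] = {
        { "AF_APPLETALK", AF_APPLETALK },
        { "AF_AX25",      AF_AX25 },
    };

    if (geteuid() == 0)
        puts("warning: running as root; root has CAP_NET_RAW, so ALLOWED proves nothing");

    for (size_t i = 0; i < sizeof fams / sizeof fams[0]; i++) {
        enum raw_sock_result r = probe_raw_socket(fams[i].family, 0);
        printf("%-13s SOCK_RAW: %s\n", fams[i].name, result_name(r));
    }
    return 0;
}
```

On a kernel without these fixes an unprivileged run prints ALLOWED for a family that is built in; after the update the same run prints DENIED. Because socket(2) for a modular family may trigger module autoloading, an UNSUPPORTED result on a kernel that ships these families as modules means the module could not be loaded, not that the check is absent.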
- blk-mq: Fix memory leak in blk_mq_init_allocated_queue error handling (bsc#1151610). - blk-mq: backport fixes for blk_mq_complete_e_request_sync() (bsc#1145661). - blk-mq: do not allocate driver tag upfront for flush rq (bsc#1137959). - blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue (bsc#1137959). - blk-mq: introduce blk_mq_complete_request_sync() (bsc#1145661). - blk-mq: introduce blk_mq_request_completed() (bsc#1149446). - blk-mq: introduce blk_mq_tagset_wait_completed_request() (bsc#1149446). - blk-mq: kABI fixes for blk-mq.h (bsc#1137959). - blk-mq: move blk_mq_put_driver_tag*() into blk-mq.h (bsc#1137959). - blk-mq: punt failed direct issue to dispatch list (bsc#1137959). - blk-mq: put the driver tag of nxt rq before first one is requeued (bsc#1137959). - blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait (bsc#1141543). - blk-wbt: abstract out end IO completion handler (bsc#1135873). - blk-wbt: fix has-sleeper queueing check (bsc#1135873). - blk-wbt: improve waking of tasks (bsc#1135873). - blk-wbt: move disable check into get_limit() (bsc#1135873). - blk-wbt: use wq_has_sleeper() for wq active check (bsc#1135873). - block: add io timeout to sysfs (bsc#1148410). - block: do not show io_timeout if driver has no timeout handler (bsc#1148410). - block: fix timeout changes for legacy request drivers (bsc#1149446). - block: kABI fixes for BLK_EH_DONE renaming (bsc#1142076). - block: rename BLK_EH_NOT_HANDLED to BLK_EH_DONE (bsc#1142076). - bnx2x: Disable multi-cos feature (networking-stable-19_08_08). - bnx2x: Fix VF's VLAN reconfiguration in reload (bsc#1086323 ). - bnxt_en: Add PCI IDs for 57500 series NPAR devices (bsc#1153607). - bnxt_en: Fix VNIC clearing logic for 57500 chips (bsc#1104745 ). - bnxt_en: Fix to include flow direction in L2 key (bsc#1104745 ). - bnxt_en: Improve RX doorbell sequence (bsc#1104745). - bnxt_en: Increase timeout for HWRM_DBG_COREDUMP_XX commands (bsc#1104745). 
- bnxt_en: Update firmware interface spec. to 1.10.0.47 (bsc#1157115) - bnxt_en: Update firmware interface spec. to 1.10.0.89 (bsc#1157115) - bnxt_en: Update firmware interface to 1.10.0.69 (bsc#1157115) - bnxt_en: Use correct src_fid to determine direction of the flow (bsc#1104745). - bonding/802.3ad: fix link_failure_count tracking (bsc#1137069 bsc#1141013). - bonding/802.3ad: fix slave link initialization transition states (bsc#1137069 bsc#1141013). - bonding: Add vlan tx offload to hw_enc_features (networking-stable-19_08_21). - bonding: fix active-backup transition after link failure (git-fixes). - bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10). - bonding: fix state transition issue in link monitoring (networking-stable-19_11_10). - bonding: set default miimon value for non-arp modes if not set (bsc#1137069 bsc#1141013). - bonding: speed/duplex update at NETDEV_UP event (bsc#1137069 bsc#1141013). - bpf, offload: Unlock on error in bpf_offload_dev_create() (bsc#1109837). - bpf/stackmap: Fix deadlock with rq_lock in bpf_get_stack() (bsc#1083647). - bpf: Fix use after free in subprog's jited symbol removal (bsc#1109837). - bpf: Make use of probe_user_write in probe write helper (bsc#1083647). - bpf: fix BTF limits (bsc#1109837). - bpf: fix BTF verification of enums (bsc#1109837). - bpf: fix use after free in prog symbol exposure (bsc#1083647). - bpf: skmsg, fix potential psock NULL pointer dereference (bsc#1109837). - brcmfmac: fix full timeout waiting for action frame on-channel tx (bsc#1051510). - brcmfmac: fix wrong strnchr usage (bsc#1111666). - brcmfmac: increase buffer for obtaining firmware capabilities (bsc#1111666). - brcmfmac: reduce timeout for action frame scan (bsc#1051510). - brcmfmac: sdio: Disable auto-tuning around commands expected to fail (bsc#1111666). - brcmfmac: sdio: Do not tune while the card is off (bsc#1111666). - brcmfmac: set F2 watermark to 256 for 4373 (bsc#1111666). 
- brcmfmac: set SDIO F1 MesBusyCtrl for CYW4373 (bsc#1111666). - brcmsmac: AP mode: update beacon when TIM changes (bsc#1051510). - brcmsmac: Use kvmalloc() for ucode allocations (bsc#1111666). - brcmsmac: never log "tid x is not agg'able" by default (bsc#1051510). - bridge/mdb: remove wrong use of NLM_F_MULTI (networking-stable-19_09_15). - btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values (bsc#1154651). - btrfs: Ensure replaced device does not have pending chunk allocation (bsc#1154607). - btrfs: Ensure we trim ranges across block group boundary (bsc#1151910). - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178). - btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973). - btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179). - btrfs: qgroup: Fix reserved data space leak if we have multiple reserve calls (bsc#1152975). - btrfs: qgroup: Fix the wrong target io_tree when freeing reserved data space (bsc#1152974). - btrfs: relocation: fix use-after-free on dead relocation roots (bsc#1152972). - btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start (bsc#1154651). - btrfs: simplify inode locking for RWF_NOWAIT (git-fixes). - btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186). - btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184). - btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910). - can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open (bsc#1051510). - can: c_can: c_can_poll(): only read status register after status IRQ (git-fixes). - can: dev: call netif_carrier_off() in register_candev() (bsc#1051510). - can: mcba_usb: fix use-after-free on disconnect (git-fixes). - can: mcp251x: mcp251x_hw_reset(): allow more time after a reset (bsc#1051510). - can: peak_usb: fix a potential out-of-sync while decoding packets (git-fixes). 
- can: peak_usb: fix slab info leak (git-fixes). - can: peak_usb: report bus recovery as well (bsc#1051510). - can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error (bsc#1051510). - can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error (bsc#1051510). - can: rx-offload: can_rx_offload_offload_one(): do not increase the skb_queue beyond skb_queue_len_max (git-fixes). - can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM (bsc#1051510). - can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors (bsc#1051510). - can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak (git-fixes). - can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak (git-fixes). - can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510). - can: usb_8dev: fix use-after-free on disconnect (git-fixes). - can: xilinx_can: xcan_probe(): skip error message on deferred probe (bsc#1051510). - cdc_ether: fix rndis support for Mediatek based smartphones (networking-stable-19_09_15). - cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize (bsc#1051510). - ceph: add missing check in d_revalidate snapdir handling (bsc#1157183). - ceph: do not try to handle hashed dentries in non-O_CREAT atomic_open (bsc#1157184). - ceph: fix directories inode i_blkbits initialization (bsc#1153717). - ceph: fix use-after-free in __ceph_remove_cap() (bsc#1154058). - ceph: just skip unrecognized info in ceph_reply_info_extra (bsc#1157182). - ceph: reconnect connection if session hang in opening state (bsc#1153718). - ceph: update the mtime when truncating up (bsc#1153719). - ceph: use ceph_evict_inode to cleanup inode's resource (bsc#1148133). - cfg80211: Avoid regulatory restore when COUNTRY_IE_IGNORE is set (bsc#1051510). - cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces (bsc#1051510). 
- cfg80211: Purge frame registrations on iftype change (bsc#1051510). - cfg80211: add and use strongly typed element iteration macros (bsc#1051510). - cfg80211: call disconnect_wk when AP stops (bsc#1051510). - cfg80211: validate wmm rule when setting (bsc#1111666). - cgroup,writeback: do not switch wbs immediately on dead wbs if the memcg is dead (bsc#1158645). - cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs (bsc#1144333, bsc#1154355). - cifs: Fix missed free operations (bsc#1144333, bsc#1154355). - cifs: Use kzfree() to zero out the password (bsc#1144333, bsc#1154355). - cifs: add a helper to find an existing readable handle to a file (bsc#1144333, bsc#1154355). - cifs: create a helper to find a writeable handle by path name (bsc#1144333, bsc#1154355). - cifs: handle netapp error codes (bsc#1136261). - cifs: move cifsFileInfo_put logic into a work-queue (bsc#1144333, bsc#1154355). - cifs: prepare SMB2_Flush to be usable in compounds (bsc#1144333, bsc#1154355). - cifs: set domainName when a domain-key is used in multiuser (bsc#1144333, bsc#1154355). - cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic (bsc#1144333, bsc#1154355). - cifs: use existing handle for compound_op(OP_SET_INFO) when possible (bsc#1144333, bsc#1154355). - clk: at91: avoid sleeping early (git-fixes). - clk: at91: fix update bit maps on CFG_MOR write (bsc#1051510). - clk: at91: select parent if main oscillator or bypass is enabled (bsc#1051510). - clk: pxa: fix one of the pxa RTC clocks (bsc#1051510). - clk: qoriq: Fix -Wunused-const-variable (bsc#1051510). - clk: samsung: Use clk_hw API for calling clk framework from clk notifiers (bsc#1051510). - clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume (bsc#1051510). - clk: samsung: exynos5420: Preserve PLL configuration during suspend/resume (git-fixes). - clk: sirf: Do not reference clk_init_data after registration (bsc#1051510). 
- clk: sunxi-ng: a80: fix the zero'ing of bits 16 and 18 (git-fixes). - clk: sunxi-ng: v3s: add missing clock slices for MMC2 module clocks (bsc#1051510). - clk: sunxi-ng: v3s: add the missing PLL_DDR1 (bsc#1051510). - clk: zx296718: Do not reference clk_init_data after registration (bsc#1051510). - clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines (bsc#1051510). - clocksource/drivers/sh_cmt: Fixup for 64-bit machines (bsc#1051510). - compat_ioctl: handle SIOCOUTQNSD (bsc#1051510). - component: fix loop condition to call unbind() if bind() fails (bsc#1051510). - config: arm64: enable erratum 1418040 and 1542419 - configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510). - cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() (bsc#1051510). - cpufreq: Skip cpufreq resume if it's not suspended (bsc#1051510). - cpufreq: intel_pstate: Register when ACPI PCCH is present (bsc#1051510). - cpufreq: powernv: fix stack bloat and hard limit on number of CPUs (bsc#1051510). - cpufreq: ti-cpufreq: add missing of_node_put() (bsc#1051510). - cpupower : Fix cpupower working when cpu0 is offline (bsc#1051510). - cpupower : frequency-set -r option misses the last cpu in related cpu list (bsc#1051510). - cpupower: Fix coredump on VMWare (bsc#1051510). - crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334). - crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t (bsc#1154737). - crypto: af_alg - Initialize sg_num_bytes in error code path (bsc#1051510). - crypto: af_alg - cast ki_complete ternary op to int (bsc#1051510). - crypto: af_alg - consolidation of duplicate code (bsc#1154737). - crypto: af_alg - fix race accessing cipher request (bsc#1154737). - crypto: af_alg - remove locking in async callback (bsc#1154737). - crypto: af_alg - update correct dst SGL entry (bsc#1051510). - crypto: af_alg - wait for data at beginning of recvmsg (bsc#1154737). 
- crypto: algif - return error code when no data was processed (bsc#1154737). - crypto: algif_aead - copy AAD from src to dst (bsc#1154737). - crypto: algif_aead - fix reference counting of null skcipher (bsc#1154737). - crypto: algif_aead - overhaul memory management (bsc#1154737). - crypto: algif_aead - skip SGL entries with NULL page (bsc#1154737). - crypto: algif_skcipher - overhaul memory management (bsc#1154737). - crypto: caam - fix concurrency issue in givencrypt descriptor (bsc#1051510). - crypto: caam - free resources in case caam_rng registration failed (bsc#1051510). - crypto: caam/qi - fix error handling in ERN handler (bsc#1111666). - crypto: cavium/zip - Add missing single_release() (bsc#1051510). - crypto: ccp - Reduce maximum stack usage (bsc#1051510). - crypto: ccp - fix uninitialized list head (bsc#1051510). - crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr (bsc#1051510). - crypto: dh - add public key verification test (bsc#1155331). - crypto: dh - fix calculating encoded key size (bsc#1155331). - crypto: dh - fix memory leak (bsc#1155331). - crypto: dh - update test for public key verification (bsc#1155331). - crypto: ecdh - add public key verification test (bsc#1155331). - crypto: ecdh - fix big endian bug in ECC library (bsc#1051510). - crypto: ecdh - fix typo of P-192 b value (bsc#1155331). - crypto: fix a memory leak in rsa-kcs1pad's encryption mode (bsc#1051510). - crypto: geode-aes - switch to skcipher for cbc(aes) fallback (bsc#1051510). - crypto: mxc-scc - fix build warnings on ARM64 (bsc#1051510). - crypto: mxs-dcp - Fix AES issues (bsc#1051510). - crypto: mxs-dcp - Fix SHA null hashes and output length (bsc#1051510). - crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static (bsc#1051510). - crypto: qat - Silence smp_processor_id() warning (bsc#1051510). - crypto: s5p-sss: Fix Fix argument list alignment (bsc#1051510). - crypto: skcipher - Unmap pages after an external error (bsc#1051510). 
- crypto: talitos - fix missing break in switch statement (bsc#1142635). - crypto: tgr192 - remove unneeded semicolon (bsc#1051510). - cw1200: Fix a signedness bug in cw1200_load_firmware() (bsc#1051510). - cx82310_eth: fix a memory leak bug (bsc#1051510). - cxgb4: Signedness bug in init_one() (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583 bsc#1097584). - cxgb4: do not dma memory off of the stack (bsc#1152790). - cxgb4: fix endianness for vlan value in cxgb4_tc_flower (bsc#1064802 bsc#1066129). - cxgb4: fix panic when attaching to ULD fail (networking-stable-19_11_05). - cxgb4: offload VLAN flows regardless of VLAN ethtype (bsc#1064802 bsc#1066129). - cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() (bsc#1073513). - cxgb4: request the TX CIDX updates to status page (bsc#1127354 bsc#1127371). - cxgb4: request the TX CIDX updates to status page (bsc#1127371). - cxgb4: smt: Add lock for atomic_dec_and_test (bsc#1064802 bsc#1066129). - cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05). - dasd_fba: Display '00000000' for zero page when dumping sense (bsc#1123080). - dccp: do not leak jiffies on the wire (networking-stable-19_11_05). - dlm: do not leak kernel pointer to userspace (bsc#1051510). - dlm: fix invalid free (bsc#1051510). - dma-buf/sw_sync: Synchronize signal vs syncpt free (bsc#1111666). - dma-buf: Fix memory leak in sync_file_merge() (git-fixes). - dmaengine: bcm2835: Print error in case setting DMA mask fails (bsc#1051510). - dmaengine: dma-jz4780: Do not depend on MACH_JZ4780 (bsc#1051510). - dmaengine: dma-jz4780: Further residue status fix (bsc#1051510). - dmaengine: dw: platform: Switch to acpi_dma_controller_register() (bsc#1051510). - dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction (bsc#1051510). - dmaengine: imx-sdma: fix size check for sdma script_number (bsc#1051510). - dmaengine: imx-sdma: fix use-after-free on probe error path (bsc#1051510). 
- dmaengine: iop-adma.c: fix printk format warning (bsc#1051510). - dmaengine: rcar-dmac: set scatter/gather max segment size (bsc#1051510). - dmaengine: timb_dma: Use proper enum in td_prep_slave_sg (bsc#1051510). - docs: move protection-keys.rst to the core-api book (bsc#1078248). - drivers/base/platform.c: kmemleak ignore a known leak (bsc#1051510). - drivers/regulator: fix a missing check of return value (bsc#1051510). - drivers: thermal: int340x_thermal: Fix sysfs race condition (bsc#1051510). - drm/amd/display: Restore backlight brightness after system resume (bsc#1112178) - drm/amd/display: fix issue where 252-255 values are clipped (bsc#1111666). - drm/amd/display: fix odm combine pipe reset (bsc#1111666). - drm/amd/display: reprogram VM config when system resume (bsc#1111666). - drm/amd/display: support spdif (bsc#1111666). - drm/amd/dm: Understand why attaching path/tile properties are needed (bsc#1111666). - drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) (bsc#1051510). - drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported (bsc#1113956) - drm/amd/pp: Fix truncated clock value when set watermark (bsc#1111666). - drm/amdgpu/gfx9: Update gfx9 golden settings (bsc#1111666). - drm/amdgpu/powerplay/vega10: allow undervolting in p7 (bsc#1111666). - drm/amdgpu/si: fix ASIC tests (git-fixes). - drm/amdgpu: Add APTX quirk for Dell Latitude 5495 (bsc#1142635) - drm/amdgpu: Check for valid number of registers to read (bsc#1051510). - drm/amdgpu: Fix KFD-related kernel oops on Hawaii (bsc#1111666). - drm/amdgpu: Update gc_9_0 golden settings (bsc#1111666). - drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1111666). - drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1114279) - drm/amdgpu: fix memory leak (bsc#1111666). - drm/amdkfd: Add missing Polaris10 ID (bsc#1111666). - drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1154048) - drm/ast: Fixed reboot test may cause system hanged (bsc#1051510). 
- drm/atomic_helper: Allow DPMS On/Off changes for unregistered connectors (bsc#1111666). - drm/atomic_helper: Disallow new modesets on unregistered connectors (bsc#1111666). - drm/atomic_helper: Stop modesets on unregistered connectors harder (bsc#1111666). - drm/bridge: tc358767: Increase AUX transfer length limit (bsc#1051510). - drm/bridge: tfp410: fix memleak in get_modes() (bsc#1111666). - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510). - drm/etnaviv: fix dumping of iommuv2 (bsc#1113722) - drm/i915/cmdparser: Add support for backward jumps (bsc#1135967) - drm/i915/cmdparser: Ignore Length operands during (bsc#1135967) - drm/i915/cmdparser: Ignore Length operands during command matching (bsc#1135967) - drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967) - drm/i915/cml: Add second PCH ID for CMP (bsc#1111666). - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967) - drm/i915/gtt: Add read only pages to gen8_pte_encode (bsc#1135967) - drm/i915/gtt: Disable read-only support under GVT (bsc#1135967) - drm/i915/gtt: Read-only pages for insert_entries on bdw (bsc#1135967) - drm/i915/gvt: fix dropping obj reference twice (bsc#1111666). - drm/i915/gvt: update vgpu workload head pointer correctly (bsc#1112178) - drm/i915/ilk: Fix warning when reading emon_status with no output (bsc#1111666). - drm/i915/pmu: "Frequency" is reported as accumulated cycles (bsc#1112178) - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967) - drm/i915: Add support for mandatory cmdparsing (bsc#1135967) - drm/i915: Allow parsing of unsized batches (bsc#1135967) - drm/i915: Cleanup gt powerstate from gem (bsc#1111666). 
- drm/i915: Disable Secure Batches for gen6+ (bsc#1135967)
- drm/i915: Do not deballoon unused ggtt drm_mm_node in linux guest (bsc#1142635)
- drm/i915: Do not dereference request if it may have been retired when (bsc#1142635)
- drm/i915: Fix and improve MCR selection logic (bsc#1112178)
- drm/i915: Fix intel_dp_mst_best_encoder() (bsc#1111666).
- drm/i915: Fix various tracepoints for gen2 (bsc#1113722)
- drm/i915: Lock the engine while dumping the active request (bsc#1142635)
- drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967)
- drm/i915: Prevent writing into a read-only object via a GGTT mmap (bsc#1135967)
- drm/i915: Reacquire priolist cache after dropping the engine lock (bsc#1129770)
- drm/i915: Remove Master tables from cmdparser (bsc#1135967)
- drm/i915: Rename gen7 cmdparser tables (bsc#1135967)
- drm/i915: Restore relaxed padding (OCL_OOB_SUPPRES_ENABLE) for skl+ (bsc#1142635)
- drm/i915: Restore sane defaults for KMS on GEM error load (bsc#1111666).
- drm/i915: Skip modeset for cdclk changes if possible (bsc#1156928).
- drm/i915: Support ro ppgtt mapped cmdparser shadow (bsc#1135967)
- drm/i915: Support ro ppgtt mapped cmdparser shadow buffers (bsc#1135967)
- drm/imx: Drop unused imx-ipuv3-crtc.o build (bsc#1113722)
- drm/mediatek: set DMA max segment size (bsc#1111666).
- drm/msm/dpu: handle failures while initializing displays (bsc#1111666).
- drm/msm/dsi: Fix return value check for clk_get_parent (bsc#1111666).
- drm/msm/dsi: Implement reset correctly (bsc#1051510).
- drm/msm/dsi: Implement reset correctly (bsc#1154048)
- drm/msm: fix memleak on release (bsc#1111666).
- drm/msm: include linux/sched/task.h (bsc#1112178)
- drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling (bsc#1111666).
- drm/nouveau/kms/nv50-: Do not create MSTMs for eDP connectors (bsc#1112178)
- drm/nouveau/volt: Fix for some cards having 0 maximum voltage (bsc#1111666).
- drm/omap: fix max fclk divider for omap36xx (bsc#1111666).
- drm/omap: fix max fclk divider for omap36xx (bsc#1113722)
- drm/panel: check failure cases in the probe func (bsc#1111666).
- drm/panel: make drm_panel.h self-contained (bsc#1111666).
- drm/panel: simple: fix AUO g185han01 horizontal blanking (bsc#1051510).
- drm/radeon: Bail earlier when radeon.cik_/si_support=0 is passed (bsc#1111666).
- drm/radeon: Fix EEH during kexec (bsc#1051510).
- drm/radeon: fix bad DMA from INTERRUPT_CNTL2 (git-fixes).
- drm/radeon: fix si_enable_smc_cac() failed issue (bsc#1113722)
- drm/rockchip: Check for fast link training before enabling psr (bsc#1111666).
- drm/rockchip: Round up _before_ giving to the clock framework (bsc#1114279)
- drm/stm: attach gem fence to atomic state (bsc#1111666).
- drm/tilcdc: Register cpufreq notifier after we have initialized crtc (bsc#1051510).
- drm/vmwgfx: Fix double free in vmw_recv_msg() (bsc#1051510).
- drm: Flush output polling on shutdown (bsc#1051510).
- drm: add __user attribute to ptr_to_compat() (bsc#1111666).
- drm: fix module name in edid_firmware log message (bsc#1113956)
- drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510).
- drm: panel-lvds: Potential Oops in probe error handling (bsc#1114279)
- drm: panel-orientation-quirks: Add extra quirk table entry for GPD MicroPC (bsc#1111666).
- drm: rcar-du: lvds: Fix bridge_to_rcar_lvds (bsc#1111666).
- e1000e: Add support for Comet Lake (bsc#1158533).
- e1000e: Add support for Tiger Lake (bsc#1158533).
- e1000e: Drop unnecessary __E1000_DOWN bit twiddling (bsc#1158049).
- e1000e: Increase pause and refresh time (bsc#1158533).
- e1000e: Use dev_get_drvdata where possible (bsc#1158049).
- e1000e: Use rtnl_lock to prevent race conditions between net and pci/pm (bsc#1158049).
- e1000e: add workaround for possible stalled packet (bsc#1051510).
- e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510).
- ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable (bsc#1158646).
- ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either (bsc#1158647).
- eeprom: at24: make spd world-readable again (git-fixes).
- efi/arm: Show SMBIOS bank/device location in CPER and GHES error logs (bsc#1152033).
- efi/memattr: Do not bail on zero VA if it equals the region's PA (bsc#1051510).
- efi: cper: print AER info of PCIe fatal error (bsc#1051510).
- efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510).
- ext4: fix punch hole for inline_data file systems (bsc#1158640).
- ext4: fix warning inside ext4_convert_unwritten_extents_endio (bsc#1152025).
- ext4: set error return correctly when ext4_htree_store_dirent fails (bsc#1152024).
- ext4: update direct I/O read lock pattern for IOCB_NOWAIT (bsc#1158639).
- extcon: cht-wc: Return from default case to avoid warnings (bsc#1051510).
- fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper() (bsc#1051510).
- fbdev: sbuslib: use checked version of put_user() (bsc#1051510).
- firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices (git-fixes).
- fix SCTP regression (bsc#1158082)
- floppy: fix usercopy direction (bsc#1111666).
- ftrace: Introduce PERMANENT ftrace_ops flag (bsc#1120853).
- genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510).
- genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510).
- gpio: Move gpiochip_lock/unlock_as_irq to gpio/driver.h (bsc#1051510).
- gpio: fix line flag validation in lineevent_create (bsc#1051510).
- gpio: fix line flag validation in linehandle_create (bsc#1051510).
- gpio: mpc8xxx: Do not overwrite default irq_set_type callback (bsc#1051510).
- gpio: syscon: Fix possible NULL ptr usage (bsc#1051510).
- gpiolib: acpi: Add Terra Pad 1061 to the run_edge_events_on_boot_blacklist (bsc#1051510).
- gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist (bsc#1051510).
- gpiolib: only check line handle flags once (bsc#1051510).
- gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() (bsc#1051510).
- gsmi: Fix bug in append_to_eventlog sysfs handler (bsc#1051510).
- hso: fix NULL-deref on tty open (bsc#1051510).
- hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' (bsc#1051510).
- hwmon: (ina3221) Fix INA3221_CONFIG_MODE macros (bsc#1051510).
- hwmon: (lm75) Fix write operations for negative temperatures (bsc#1051510).
- hwmon: (pwm-fan) Silence error on probe deferral (bsc#1051510).
- hwmon: (shtc1) fix shtc1 and shtw1 id mask (bsc#1051510).
- hwrng: core - do not wait on add_early_randomness() (git-fixes).
- hwrng: omap - Fix RNG wait loop timeout (bsc#1051510).
- hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled (bsc#1051510).
- hwrng: stm32 - fix unbalanced pm_runtime_enable (bsc#1051510).
- hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905).
- hypfs: Fix error number left in struct pointer member (bsc#1051510).
- i2c: designware: Synchronize IRQs when unregistering slave client (bsc#1111666).
- i2c: emev2: avoid race when unregistering slave client (bsc#1051510).
- i2c: of: Try to find an I2C adapter matching the parent (bsc#1129770)
- i2c: piix4: Fix port selection for AMD Family 16h Model 30h (bsc#1051510).
- i2c: riic: Clear NACK in tend isr (bsc#1051510).
- i40e: Add support for X710 device (bsc#1151067).
- i40e: enable X710 support (bsc#1151067).
- ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Do not process reset during or after device removal (bsc#1149652 ltc#179635).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- ice: fix potential infinite loop because loop counter being too small (bsc#1118661).
- ice: fix stack leakage (bsc#1118661).
- idr: Fix idr_alloc_u32 on 32-bit systems (bsc#1051510).
- ieee802154: atusb: fix use-after-free at disconnect (bsc#1051510).
- ieee802154: ca8210: prevent memory leak (bsc#1051510).
- ieee802154: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- ife: error out when nla attributes are empty (networking-stable-19_08_08).
- iio: adc: ad799x: fix probe error handling (bsc#1051510).
- iio: adc: max9611: explicitly cast gain_selectors (bsc#1051510).
- iio: adc: stm32-adc: fix stopping dma (git-fixes).
- iio: dac: ad5380: fix incorrect assignment to val (bsc#1051510).
- iio: dac: mcp4922: fix error handling in mcp4922_write_raw (bsc#1051510).
- iio: imu: adis16480: assign bias value only if operation succeeded (git-fixes).
- iio: imu: adis16480: make sure provided frequency is positive (git-fixes).
- iio: imu: adis: assign read val in debugfs hook only if op successful (git-fixes).
- iio: imu: adis: assign value only if return code zero in read funcs (git-fixes).
- iio: light: opt3001: fix mutex unlock race (bsc#1051510).
- ima: always return negative code for error (bsc#1051510).
- include/linux/bitrev.h: fix constant bitrev (bsc#1114279).
- inet: stop leaking jiffies on the wire (networking-stable-19_11_05).
- integrity: prevent deadlock during digsig verification (bsc#1090631).
- intel_th: Fix a double put_device() in error path (git-fixes).
- intel_th: pci: Add Tiger Lake support (bsc#1051510).
- intel_th: pci: Add support for another Lewisburg PCH (bsc#1051510).
- iomap: Fix pipe page leakage during splicing (bsc#1158651).
- iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 (bsc#1137799).
- iommu/amd: Check PM_LEVEL_SIZE() condition in locked section (bsc#1154608).
- iommu/amd: Fix race in increase_address_space() (bsc#1150860).
- iommu/amd: Flush old domains in kdump kernel (bsc#1150861).
- iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems (bsc#1137799).
- iommu/amd: Remove domain->updated (bsc#1154610).
- iommu/amd: Wait for completion of IOTLB flush in attach_device (bsc#1154611).
- iommu/dma: Fix for dereferencing before null checking (bsc#1151667).
- iommu/iova: Avoid false sharing on fq_timer_on (bsc#1151662).
- iommu/iova: Avoid false sharing on fq_timer_on (bsc#1151671).
- iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros (bsc#1158063).
- iommu: Do not use sme_active() in generic code (bsc#1151661).
- ip6_tunnel: fix possible use-after-free on xmit (networking-stable-19_08_08).
- ipmi: Do not allow device module unload when in use (bsc#1154768).
- ipmi:dmi: Ignore IPMI SMBIOS entries with a zero base address (bsc#1051510).
- ipmi_si: Only schedule continuously in the thread in maintenance mode (bsc#1051510).
- ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10).
- ipv4: Return -ENETUNREACH if we can't create route but saddr is valid (networking-stable-19_10_24).
- ipv6/addrconf: allow adding multicast addr if IFA_F_MCAUTOJOIN is set (networking-stable-19_08_28).
- ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' (networking-stable-19_09_15).
- ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05).
- ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05).
- irqchip/gic-v2m: Add support for Amazon Graviton variant of GICv3+GICv2m (SLE-9332).
- irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices (jsc#ECO-561).
- irqchip/gic-v3-its: Fix command queue pointer comparison bug (jsc#ECO-561).
- irqchip/gic-v3-its: Fix misuse of GENMASK macro (jsc#ECO-561).
- irqdomain: Add the missing assignment of domain->fwnode for named fwnode (bsc#1111666).
- isdn/capi: check message length in capi_write() (bsc#1051510).
- iwlwifi: api: annotate compressed BA notif array sizes (bsc#1051510).
- iwlwifi: check kasprintf() return value (bsc#1051510).
- iwlwifi: do not panic in error path on non-msix systems (bsc#1155692).
- iwlwifi: drop packets with bad status in CD (bsc#1111666).
- iwlwifi: exclude GEO SAR support for 3168 (bsc#1111666).
- iwlwifi: fix bad dma handling in page_mem dumping flow (bsc#1120902).
- iwlwifi: fw: do not send GEO_TX_POWER_LIMIT command to FW version 36 (bsc#1111666).
- iwlwifi: fw: use helper to determine whether to dump paging (bsc#1106434). Patch needed to be adjusted, because our tree does not have the global variable IWL_FW_ERROR_DUMP_PAGING
- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
- iwlwifi: mvm: avoid sending too many BARs (bsc#1051510).
- iwlwifi: mvm: do not send keys when entering D3 (bsc#1051510).
- iwlwifi: mvm: force TCM re-evaluation on TCM resume (bsc#1111666).
- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
- iwlwifi: mvm: use correct FIFO length (bsc#1111666).
- iwlwifi: pcie: fit reclaim msg to MAX_MSG_LEN (bsc#1111666).
- iwlwifi: pcie: fix erroneous print (bsc#1111666).
- iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init (bsc#1111666).
- iwlwifi: pcie: read correct prph address for newer devices (bsc#1111666).
- ixgbe: Fix secpath usage for IPsec TX offload (bsc#1113994 bsc#1151807).
- ixgbe: Prevent u8 wrapping of ITR value to something less than 10us (bsc#1101674).
- ixgbe: fix double clean of Tx descriptors with xdp (bsc#1113994).
- ixgbe: fix possible deadlock in ixgbe_service_task() (bsc#1113994).
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- ixgbevf: Fix secpath usage for IPsec Tx offload (bsc#1113994).
- kABI fix for "ipmi: Do not allow device module unload when in use" (bsc#1154768).
- kABI fixup alloc_dax_region (bsc#1158071).
- kABI workaround for ath10k hw_filter_reset_required field (bsc#1111666).
- kABI workaround for ath10k last_wmi_vdev_start_status field (bsc#1051510).
- kABI workaround for crypto/af_alg changes (bsc#1154737).
- kABI workaround for drm_connector.registered type changes (bsc#1111666).
- kABI workaround for drm_vma_offset_node readonly field addition (bsc#1135967)
- kABI workaround for iwlwifi iwl_rx_cmd_buffer change (bsc#1111666).
- kABI workaround for mmc_host retune_crc_disable flag addition (bsc#1111666).
- kABI workaround for snd_hda_pick_pin_fixup() changes (bsc#1051510).
- kABI workaround for struct mwifiex_power_cfg change (bsc#1051510).
- kABI: Fix for "KVM: x86: Introduce vcpu->arch.xsaves_enabled" (bsc#1158066).
- kABI: add _q suffix to exports that take struct dh (bsc#1155331).
- kABI: media: em28xx: fix handler for vidioc_s_input() (bsc#1051510). fixes kABI
- kABI: media: em28xx: stop rewriting device's struct (bsc#1051510). fixes kABI
- kabi protect enum RDMA_DRIVER_EFA (jsc#SLE-4805)
- kabi/severities: Whitelist a couple of xive functions xive_cleanup_irq_data and xive_native_populate_irq_data are exported by the xive interrupt controller driver and used by KVM. I do not expect any out-of-tree driver can sanely use these.
- kabi/severities: Whitelist functions internal to radix mm. To call these functions you have to first detect if you are running in radix mm mode which can't be expected of OOT code.
- kabi: net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05).
- kabi: s390: struct subchannel (git-fixes).
- kernel-binary.spec.in: Fix build of non-modular kernels (boo#1154578).
- kernel-subpackage-build: create zero size ghost for uncompressed vmlinux (bsc#1154354).
- kernel/sysctl.c: do not override max_threads provided by userspace (bnc#1150875).
- kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510).
- kexec: bail out upon SIGKILL when allocating memory (git-fixes).
- keys: Fix missing null pointer check in request_key_auth_describe() (bsc#1051510).
- ksm: cleanup stable_node chain collapse case (bnc#1144338).
- ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338).
- ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338).
- ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338).
- ksm: swap the two output parameters of chain/chain_prune (bnc#1144338).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- lan78xx: Fix memory leaks (bsc#1051510).
- leds: leds-lp5562 allow firmware files up to the maximum length (bsc#1051510).
- leds: trigger: gpio: GPIO 0 is valid (bsc#1051510).
- lib/mpi: Fix karactx leak in mpi_powm (bsc#1051510).
- lib/scatterlist: Fix chaining support in sgl_alloc_order() (git-fixes).
- lib/scatterlist: Introduce sgl_alloc() and sgl_free() (git-fixes).
- libertas: Add missing sentinel at end of if_usb.c fw_table (bsc#1051510).
- libertas_tf: Use correct channel range in lbtf_geo_init (bsc#1051510).
- libiscsi: do not try to bypass SCSI EH (bsc#1142076).
- libnvdimm/altmap: Track namespace boundaries in altmap (bsc#1150305).
- libnvdimm/security: provide fix for secure-erase to use zero-key (bsc#1149853).
- libnvdimm: Export the target_node attribute for regions and namespaces (bsc#1158071).
- libnvdimm: prevent nvdimm from requesting key when security is disabled (bsc#1137982).
- lightnvm: remove dependencies on BLK_DEV_NVME and PCI (bsc#1150846).
- liquidio: add cleanup in octeon_setup_iq() (bsc#1051510).
- liquidio: fix race condition in instruction completion processing (bsc#1051510).
- livepatch: Allow to distinguish different version of system state changes (bsc#1071995).
- livepatch: Basic API to track system state changes (bsc#1071995).
- livepatch: Keep replaced patches until post_patch callback is called (bsc#1071995).
- livepatch: Nullify obj->mod in klp_module_coming()'s error path (bsc#1071995).
- livepatch: Selftests of the API for tracking system state changes (bsc#1071995).
- loop: add ioctl for changing logical block size (bsc#1108043).
- loop: fix no-unmap write-zeroes request behavior (bsc#1158637).
- lpfc: Add FA-WWN Async Event reporting (bsc#1154521).
- lpfc: Add FC-AL support to lpe32000 models (bsc#1154521).
- lpfc: Add additional discovery log messages (bsc#1154521).
- lpfc: Add log macros to allow print by serverity or verbocity setting (bsc#1154521).
- lpfc: Fix SLI3 hba in loop mode not discovering devices (bsc#1154521).
- lpfc: Fix bad ndlp ptr in xri aborted handling (bsc#1154521).
- lpfc: Fix hardlockup in lpfc_abort_handler (bsc#1154521).
- lpfc: Fix lockdep errors in sli_ringtx_put (bsc#1154521).
- lpfc: Fix reporting of read-only fw error errors (bsc#1154521).
- lpfc: Make FW logging dynamically configurable (bsc#1154521).
- lpfc: Remove lock contention target write path (bsc#1154521).
- lpfc: Revise interrupt coalescing for missing scenarios (bsc#1154521).
- lpfc: Slight fast-path Performance optimizations (bsc#1154521).
- lpfc: Update lpfc version to 12.6.0.0 (bsc#1154521).
- lpfc: fix coverity error of dereference after null check (bsc#1154521).
- lpfc: fix lpfc_nvmet_mrq to be bound by hdw queue count (bsc#1154521).
- lpfc: size cpu map by last cpu id set (bsc#1157160).
- mISDN: Fix type of switch control variable in ctrl_teimanager (bsc#1051510).
- mISDN: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- mac80211: Reject malformed SSID elements (bsc#1051510).
- mac80211: accept deauth frames in IBSS mode (bsc#1051510).
- mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED (bsc#1051510).
- mac80211: fix station inactive_time shortly after boot (bsc#1051510).
- mac80211: fix txq null pointer dereference (bsc#1051510).
- mac80211: minstrel: fix CCK rate group streams value (bsc#1051510).
- mac80211: minstrel: fix sampling/reporting of CCK rates in HT mode (bsc#1051510).
- mac80211: minstrel_ht: fix per-group max throughput rate initialization (bsc#1051510).
- macsec: drop skb sk before calling gro_cells_receive (bsc#1051510).
- macvlan: schedule bc_work even if error (bsc#1051510).
- mailbox: mailbox-test: fix null pointer if no mmio (bsc#1051510).
- mailbox: reset txdone_method TXDONE_BY_POLL if client knows_txdone (git-fixes).
- md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090).
- md/raid0: fix warning message for parameter default_layout (bsc#1140090).
- md/raid6: Set R5_ReadError when there is read failure on parity disk (git-fixes).
- md: do not report active array_state until after revalidate_disk() completes (git-fixes).
- md: only call set_in_sync() when it is expected to succeed (git-fixes).
- media: Revert "[media] marvell-ccic: reset ccic phy when stop streaming for stability" (bsc#1051510).
- media: atmel: atmel-isc: fix asd memory allocation (bsc#1135642).
- media: atmel: atmel-isi: fix timeout value for stop streaming (bsc#1051510).
- media: au0828: Fix incorrect error messages (bsc#1051510).
- media: bdisp: fix memleak on release (git-fixes).
- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
- media: cec: report Vendor ID after initialization (bsc#1051510).
- media: cpia2_usb: fix memory leaks (bsc#1051510).
- media: cxusb: detect cxusb_ctrl_msg error in query (bsc#1051510).
- media: davinci: Fix implicit enum conversion warning (bsc#1051510).
- media: dib0700: fix link error for dibx000_i2c_set_speed (bsc#1051510).
- media: dvb-core: fix a memory leak bug (bsc#1051510).
- media: em28xx: fix handler for vidioc_s_input() (bsc#1051510).
- media: em28xx: stop rewriting device's struct (bsc#1051510).
- media: exynos4-is: Fix recursive locking in isp_video_release() (git-fixes).
- media: exynos4-is: fix leaked of_node references (bsc#1051510).
- media: fdp1: Reduce FCP not found message level to debug (bsc#1051510).
- media: fix: media: pci: meye: validate offset to avoid arbitrary access (bsc#1051510).
- media: flexcop-usb: ensure -EIO is returned on error condition (git-fixes).
- media: gspca: zero usb_buf on error (bsc#1051510).
- media: hdpvr: Add device num check and handling (bsc#1051510).
- media: hdpvr: add terminating 0 at end of string (bsc#1051510).
- media: i2c: ov5645: Fix power sequence (bsc#1051510).
- media: iguanair: add sanity checks (bsc#1051510).
- media: imon: invalid dereference in imon_touch_event (bsc#1051510).
- media: isif: fix a NULL pointer dereference bug (bsc#1051510).
- media: marvell-ccic: do not generate EOF on parallel bus (bsc#1051510).
- media: mc-device.c: do not memset __user pointer contents (bsc#1051510).
- media: omap3isp: Do not set streaming state on random subdevs (bsc#1051510).
- media: omap3isp: Set device on omap3isp subdevs (bsc#1051510).
- media: ov6650: Fix control handler not freed on init error (git-fixes).
- media: ov6650: Fix sensor possibly not detected on probe (bsc#1051510).
- media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper (bsc#1051510).
- media: ov9650: add a sanity check (bsc#1051510).
- media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init() (bsc#1051510).
- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
- media: pxa_camera: Fix check for pdev->dev.of_node (bsc#1051510).
- media: radio/si470x: kill urb on error (bsc#1051510).
- media: radio: wl1273: fix interrupt masking on release (git-fixes).
- media: replace strcpy() by strscpy() (bsc#1051510).
- media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() (bsc#1051510).
- media: saa7146: add cleanup in hexium_attach() (bsc#1051510).
- media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table (bsc#1051510).
- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
- media: stkwebcam: fix runtime PM after driver unbind (bsc#1051510).
- media: technisat-usb2: break out of loop at end of buffer (bsc#1051510).
- media: ti-vpe: vpe: Fix Motion Vector vpdma stride (git-fixes).
- media: tm6000: double free if usb disconnect while streaming (bsc#1051510).
- media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (bsc#1051510).
- media: usbvision: Fix races among open, close, and disconnect (bsc#1051510).
- media: uvcvideo: Fix error path in control parsing failure (git-fixes).
- media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE (bsc#1051510).
- media: vb2: Fix videobuf2 to map correct area (bsc#1051510).
- media: vim2m: Fix abort issue (git-fixes).
- media: vivid: Set vid_cap_streaming and vid_out_streaming to true (bsc#1051510).
- mei: bus: prefix device names on bus with the bus name (bsc#1051510).
- mei: fix modalias documentation (git-fixes).
- mei: samples: fix a signedness bug in amt_host_if_call() (bsc#1051510).
- memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' (bsc#1051510).
- mfd: intel-lpss: Add default I2C device properties for Gemini Lake (bsc#1051510).
- mfd: intel-lpss: Remove D3cold delay (bsc#1051510).
- mfd: max8997: Enale irq-wakeup unconditionally (bsc#1051510).
- mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values (bsc#1051510).
- mfd: palmas: Assign the right powerhold mask for tps65917 (git-fixes).
- mfd: ti_am335x_tscadc: Keep ADC interface on if child is wakeup capable (bsc#1051510).
- mic: avoid statically declaring a 'struct device' (bsc#1051510).
- mld: fix memory leak in mld_del_delrec() (networking-stable-19_09_05).
- mlx5: add parameter to disable enhanced IPoIB (bsc#1142095)
- mlxsw: spectrum_flower: Fail in case user specifies multiple mirror actions (bsc#1112374).
- mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel (bsc#1112374).
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bnc#1115026).
- mm, page_owner, debug_pagealloc: save and dump freeing stack trace (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: decouple freeing stack trace from debug_pagealloc (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: fix off-by-one error in __set_page_owner_handle() (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: keep owner info when freeing the page (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: make init_pages_in_zone() faster (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: record page owner for each subpage (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: rename flag indicating that page is allocated (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() (git fixes (mm/gup)).
- mm/compaction.c: clear total_{migrate,free}_scanned before scanning a new zone (git fixes (mm/compaction)).
- mm/debug.c: PageAnon() is true for PageKsm() pages (git fixes (mm/debug)).
- mm/memcontrol.c: fix use after free in mem_cgroup_iter() (bsc#1149224, VM Functionality).
- mmc: core: API to temporarily disable retuning for SDIO CRC errors (bsc#1111666).
- mmc: core: Add sdio_retune_hold_now() and sdio_retune_release() (bsc#1111666).
- mmc: core: Fix init of SD cards reporting an invalid VDD range (bsc#1051510).
- mmc: core: fix wl1251 sdio quirks (git-fixes).
- mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card (git-fixes).
- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
- mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail (bsc#1051510).
- mmc: sdhci-esdhc-imx: correct the fix of ERR004536 (git-fixes).
- mmc: sdhci-msm: fix mutex while in spinlock (bsc#1142635).
- mmc: sdhci-of-arasan: Do now show error message in case of deffered probe (bsc#1119086).
- mmc: sdhci-of-at91: fix quirk2 overwrite (git-fixes).
- mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510).
- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
- mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence (bsc#1051510).
- mmc: sdhci: Fix incorrect switch to HS mode (bsc#1051510).
- mmc: sdhci: improve ADMA error reporting (bsc#1051510).
- mmc: sdio: fix wl1251 vendor id (git-fixes).
- moduleparam: fix parameter description mismatch (bsc#1051510).
- mqprio: Fix out-of-bounds access in mqprio_dump (bsc#1109837).
- mt7601u: fix bbp version check in mt7601u_wait_bbp_ready (bsc#1051510).
- mt76x0: init hw capabilities.
- mtd: nand: mtk: fix incorrect register setting order about ecc irq.
- mtd: spear_smi: Fix Write Burst mode (bsc#1051510).
- mtd: spi-nor: Fix Cadence QSPI RCU Schedule Stall (bsc#1051510).
- mtd: spi-nor: fix silent truncation in spi_nor_read() (bsc#1051510).
- mvpp2: refactor MTU change code (networking-stable-19_08_08).
- mwifex: free rx_cmd skb in suspended state (bsc#1111666).
- mwifiex: Fix NL80211_TX_POWER_LIMITED (bsc#1051510).
- mwifiex: debugfs: correct histogram spacing, formatting (bsc#1051510).
- mwifiex: do no submit URB in suspended state (bsc#1111666).
- mwifiex: fix potential NULL dereference and use after free (bsc#1051510).
- nbd: prevent memory leak (bsc#1158638).
- net/ibmvnic: Fix EOI when running in XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes).
- net/ibmvnic: Fix missing { in __ibmvnic_reset (bsc#1149652 ltc#179635).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- net/ibmvnic: Ignore H_FUNCTION return from H_EOI to tolerate XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes).
- net/ibmvnic: free reset work of removed device from queue (bsc#1149652 ltc#179635).
- net/ibmvnic: prevent more than one thread from running in reset (bsc#1152457 ltc#174432).
- net/ibmvnic: unlock rtnl_lock in reset so linkwatch_event can run (bsc#1152457 ltc#174432).
- net/mlx4_core: Dynamically set guaranteed amount of counters per VF (networking-stable-19_11_05).
- net/mlx4_en: Fix wrong limitation for number of TX rings (bsc#1103989).
- net/mlx4_en: fix a memory leak bug (bsc#1046299).
- net/mlx5: Accumulate levels for chains prio namespaces (bsc#1103990).
- net/mlx5: Add device ID of upcoming BlueField-2 (bsc#1046303).
- net/mlx5: FWTrace, Reduce stack usage (bsc#1103990).
- net/mlx5: Fix error handling in mlx5_load() (bsc#1046305).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlx5: Use reversed order when unregister devices (networking-stable-19_08_08).
- net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303).
- net/mlx5e: Fix SFF 8472 eeprom length (git-fixes).
- net/mlx5e: Fix eswitch debug print of max fdb flow (bsc#1103990).
- net/mlx5e: Fix ethtool self test: link speed (bsc#1103990).
- net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget (networking-stable-19_11_05).
- net/mlx5e: Only support tx/rx pause setting for port owner (networking-stable-19_08_21).
- net/mlx5e: Print a warning when LRO feature is dropped or not allowed (bsc#1103990).
- net/mlx5e: Query global pause state before setting prio2buffer (bsc#1103990).
- net/mlx5e: Use flow keys dissector to parse packets for ARFS (networking-stable-19_08_21).
- net/packet: fix race in tpacket_snd() (networking-stable-19_08_21).
- net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30).
- net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05).
- net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848).
- net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848).
- net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30).
- net/sched: cbs: Fix not adding cbs instance to list (bsc#1109837).
- net/sched: cbs: Set default link speed to 10 Mbps in cbs_set_port_rate (bsc#1109837).
- net/smc: Fix error path in smc_init (git-fixes).
- net/smc: avoid fallback in case of non-blocking connect (git-fixes).
- net/smc: do not schedule tx_work in SMC_CLOSED state (git-fixes).
- net/smc: fix SMCD link group creation with VLAN id (git-fixes).
- net/smc: fix closing of fallback SMC sockets (git-fixes).
- net/smc: fix ethernet interface refcounting (git-fixes).
- net/smc: fix fastopen for non-blocking connect() (git-fixes).
- net/smc: fix refcount non-blocking connect() -part 2 (git-fixes).
- net/smc: fix refcounting for non-blocking connect() (git-fixes).
- net/smc: keep vlan_id for SMC-R in smc_listen_work() (git-fixes).
- net/smc: make sure EPOLLOUT is raised (networking-stable-19_08_28).
- net/smc: original socket family in inet_sock_diag (bsc#1149959).
- net: Fix null de-reference of device refcount (networking-stable-19_09_15).
- net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612).
- net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05).
- net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() (networking-stable-19_11_05).
- net: add READ_ONCE() annotation in __skb_wait_for_more_packets() (networking-stable-19_11_05).
- net: add skb_queue_empty_lockless() (networking-stable-19_11_05).
- net: annotate accesses to sk->sk_incoming_cpu (networking-stable-19_11_05).
- net: annotate lockless accesses to sk->sk_napi_id (networking-stable-19_11_05).
- net: avoid potential infinite loop in tc_ctl_action() (networking-stable-19_10_24).
- net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3 (networking-stable-19_10_24).
- net: bcmgenet: Set phydev->dev_flags only for internal PHYs (networking-stable-19_10_24).
- net: bcmgenet: reset 40nm EPHY on energy detect (networking-stable-19_11_05).
- net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes).
- net: dsa: b53: Do not clear existing mirrored port mask (networking-stable-19_11_05).
- net: dsa: bcm_sf2: Fix IMP setup for port different than 8 (networking-stable-19_11_05).
- net: dsa: fix switch tree list (networking-stable-19_11_05).
- net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum (networking-stable-19_11_05).
- net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10).
- net: fix data-race in neigh_event_send() (networking-stable-19_11_10).
- net: fix ifindex collision during namespace removal (networking-stable-19_08_08).
- net: fix sk_page_frag() recursion from memory reclaim (networking-stable-19_11_05).
- net: fix skb use after free in netpoll (networking-stable-19_09_05).
- net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list (networking-stable-19_09_15).
- net: hisilicon: Fix ping latency when deal with high throughput (networking-stable-19_11_05).
- net: hns3: Add missing newline at end of file (bsc#1104353).
- net: hns3: add Asym Pause support to fix autoneg problem (bsc#1104353).
- net: hns3: add a check to pointer in error_detected and slot_reset (bsc#1104353).
- net: hns3: add aRFS support for PF (bsc#1104353).
- net: hns3: add all IMP return code (bsc#1104353).
- net: hns3: add check to number of buffer descriptors (bsc#1104353).
- net: hns3: add default value for tc_size and tc_offset (bsc#1104353).
- net: hns3: add exception handling when enable NIC HW error interrupts (bsc#1104353).
- net: hns3: add handling of two bits in MAC tunnel interrupts (bsc#1104353).
- net: hns3: add handshake with hardware while doing reset (bsc#1104353).
- net: hns3: add opcode about query and clear RAS and MSI-X to special opcode (bsc#1104353).
- net: hns3: add recovery for the H/W errors occurred before the HNS dev initialization (bsc#1104353).
- net: hns3: add some error checking in hclge_tm module (bsc#1104353).
- net: hns3: add support for dump firmware statistics by debugfs (bsc#1104353).
- net: hns3: adjust hns3_uninit_phy()'s location in the hns3_client_uninit() (bsc#1104353).
- net: hns3: bitwise operator should use unsigned type (bsc#1104353).
- net: hns3: change GFP flag during lock period (bsc#1104353).
- net: hns3: change SSU's buffer allocation according to UM (bsc#1104353).
- net: hns3: check msg_data before memcpy in hclgevf_send_mbx_msg (bsc#1104353).
- net: hns3: clear resetting state when initializing HW device (bsc#1104353).
- net: hns3: code optimization of hclge_handle_hw_ras_error() (bsc#1104353).
- net: hns3: delay and separate enabling of NIC and ROCE HW errors (bsc#1104353).
- net: hns3: delay ring buffer clearing during reset (bsc#1104353).
- net: hns3: delay setting of reset level for hw errors until slot_reset is called (bsc#1104353).
- net: hns3: delete the redundant user NIC codes (bsc#1104353).
- net: hns3: do not configure new VLAN ID into VF VLAN table when it's full (bsc#1104353).
- net: hns3: do not query unsupported commands in debugfs (bsc#1104353).
- net: hns3: enable DCB when TC num is one and pfc_en is non-zero (bsc#1104353).
- net: hns3: enable broadcast promisc mode when initializing VF (bsc#1104353).
- net: hns3: extract handling of mpf/pf msi-x errors into functions (bsc#1104353).
- net: hns3: fix ETS bandwidth validation bug (bsc#1104353).
- net: hns3: fix GFP flag error in hclge_mac_update_stats() (bsc#1126390).
- net: hns3: fix VLAN filter restore issue after reset (bsc#1104353).
- net: hns3: fix __QUEUE_STATE_STACK_XOFF not cleared issue (bsc#1104353).
- net: hns3: fix a -Wformat-nonliteral compile warning (bsc#1104353).
- net: hns3: fix a memory leak issue for hclge_map_unmap_ring_to_vf_vector (bsc#1104353).
- net: hns3: fix a statistics issue about l3l4 checksum error (bsc#1104353).
- net: hns3: fix avoid unnecessary resetting for the H/W errors which do not require reset (bsc#1104353).
- net: hns3: fix compile warning without CONFIG_RFS_ACCEL (bsc#1104353).
- net: hns3: fix dereference of ae_dev before it is null checked (bsc#1104353).
- net: hns3: fix flow control configure issue for fibre port (bsc#1104353).
- net: hns3: fix for dereferencing before null checking (bsc#1104353).
- net: hns3: fix for skb leak when doing selftest (bsc#1104353).
- net: hns3: fix race conditions between reset and module loading and unloading (bsc#1104353).
- net: hns3: fix some coding style issues (bsc#1104353).
- net: hns3: fix some reset handshake issue (bsc#1104353).
- net: hns3: fix wrong size of mailbox responding data (bsc#1104353).
- net: hns3: fixes wrong place enabling ROCE HW error when loading (bsc#1104353).
- net: hns3: free irq when exit from abnormal branch (bsc#1104353).
- net: hns3: handle empty unknown interrupt (bsc#1104353).
- net: hns3: initialize CPU reverse mapping (bsc#1104353).
- net: hns3: log detail error info of ROCEE ECC and AXI errors (bsc#1104353).
- net: hns3: make HW GRO handling compliant with SW GRO (bsc#1104353).
- net: hns3: modify handling of out of memory in hclge_err.c (bsc#1104353).
- net: hns3: modify hclge_init_client_instance() (bsc#1104353).
- net: hns3: modify hclgevf_init_client_instance() (bsc#1104353).
- net: hns3: optimize the CSQ cmd error handling (bsc#1104353).
- net: hns3: prevent unnecessary MAC TNL interrupt (bsc#1104353 bsc#1134983).
- net: hns3: process H/W errors occurred before HNS dev initialization (bsc#1104353).
- net: hns3: re-schedule reset task while VF reset fail (bsc#1104353).
- net: hns3: refactor PF/VF RSS hash key configuration (bsc#1104353).
- net: hns3: refactor hns3_get_new_int_gl function (bsc#1104353).
- net: hns3: refine the flow director handle (bsc#1104353).
- net: hns3: remove RXD_VLD check in hns3_handle_bdinfo (bsc#1104353).
- net: hns3: remove VF VLAN filter entry inexistent warning print (bsc#1104353).
- net: hns3: remove override_pci_need_reset (bsc#1104353).
- net: hns3: remove redundant core reset (bsc#1104353).
- net: hns3: remove setting bit of reset_requests when handling mac tunnel interrupts (bsc#1104353).
- net: hns3: remove unused linkmode definition (bsc#1104353).
- net: hns3: replace numa_node_id with numa_mem_id for buffer reusing (bsc#1104353).
- net: hns3: set default value for param "type" in hclgevf_bind_ring_to_vector (bsc#1104353).
- net: hns3: set maximum length to resp_data_len for exceptional case (bsc#1104353).
- net: hns3: set ops to null when unregister ad_dev (bsc#1104353).
- net: hns3: set the port shaper according to MAC speed (bsc#1104353).
- net: hns3: small changes for magic numbers (bsc#1104353).
- net: hns3: some changes of MSI-X bits in PPU(RCB) (bsc#1104353).
- net: hns3: some modifications to simplify and optimize code (bsc#1104353).
- net: hns3: some variable modification (bsc#1104353).
- net: hns3: stop schedule reset service while unloading driver (bsc#1104353).
- net: hns3: sync VLAN filter entries when kill VLAN ID failed (bsc#1104353).
- net: hns3: trigger VF reset if a VF had an over_8bd_nfe_err (bsc#1104353).
- net: hns3: typo in the name of a constant (bsc#1104353).
- net: hns3: use HCLGEVF_STATE_NIC_REGISTERED to indicate VF NIC client has registered (bsc#1104353).
- net: hns3: use HCLGE_STATE_NIC_REGISTERED to indicate PF NIC client has registered (bsc#1104353).
- net: hns3: use HCLGE_STATE_ROCE_REGISTERED to indicate PF ROCE client has registered (bsc#1104353).
- net: hns3: use macros instead of magic numbers (bsc#1104353).
- net: hns: Fix the stray netpoll locks causing deadlock in NAPI path (bsc#1104353).
- net: hns: add support for vlan TSO (bsc#1104353).
- net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes).
- net: phy: Check against net_device being NULL (bsc#1051510).
- net: phy: Fix not to call phy_resume() if PHY is not attached (bsc#1051510).
- net: phy: Fix the register offsets in Broadcom iProc mdio mux driver (bsc#1051510).
- net: phy: at803x: Change error to EINVAL for invalid MAC (bsc#1051510).
- net: phy: bcm7xxx: define soft_reset for 40nm EPHY (bsc#1119113).
- net: phy: broadcom: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: dp83867: Set up RGMII TX delay (bsc#1051510).
- net: phy: fixed_phy: Fix fixed_phy not checking GPIO (bsc#1051510).
- net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: marvell: clear wol event before setting it (bsc#1051510).
- net: phy: meson-gxl: check phy_write return value (bsc#1051510).
- net: phy: micrel: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: mscc: read 'vsc8531, edge-slowdown' as an u32 (bsc#1051510).
- net: phy: mscc: read 'vsc8531,vddmac' as an u32 (bsc#1051510).
- net: phy: xgene: disable clk on error paths (bsc#1051510).
- net: phy: xgmiitorgmii: Check phy_driver ready before accessing (bsc#1051510).
- net: phy: xgmiitorgmii: Check read_status results (bsc#1051510).
- net: phy: xgmiitorgmii: Support generic PHY status read (bsc#1051510).
- net: phylink: Fix flow control resolution (bsc#1119113).
- net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05).
- net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30).
- net: sched: Fix a possible null-pointer dereference in dequeue_func() (networking-stable-19_08_08).
- net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05).
- net: sched: cbs: Avoid division by zero when calculating the port rate (bsc#1109837).
- net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key (bsc#1109837).
- net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues (bsc#1109837).
- net: sched: fix possible crash in tcf_action_destroy() (bsc#1109837).
- net: sched: fix reordering issues (bsc#1109837).
- net: sock_map, fix missing ulp check in sock hash case (bsc#1109837).
- net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow (networking-stable-19_10_24).
- net: stmmac: dwmac-rk: Do not fail if phy regulator is absent (networking-stable-19_09_05).
- net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10).
- net: use skb_queue_empty_lockless() in busy poll contexts (networking-stable-19_11_05).
- net: use skb_queue_empty_lockless() in poll() handlers (networking-stable-19_11_05).
- net: wireless: ti: remove local VENDOR_ID and DEVICE_ID definitions (git-fixes).
- net: wireless: ti: wl1251 use new SDIO_VENDOR_ID_TI_WL1251 definition (git-fixes).
- net_sched: add policy validation for action attributes (networking-stable-19_09_30).
- net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
- netns: fix GFP flags in rtnl_net_notifyid() (networking-stable-19_11_05).
- nfc: fix memory leak in llcp_sock_bind() (bsc#1051510).
- nfc: netlink: fix double device reference drop (git-fixes).
- nfc: port100: handle command failure cleanly (git-fixes).
- nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs (bsc#1109837).
- nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs (bsc#1109837).
- nfsd: Do not release the callback slot unless it was actually held (git-fixes).
- nfsd: Fix overflow causing non-working mounts on 1 TB machines (bsc#1150381).
- nfsd: degraded slot-count more gracefully as allocation nears exhaustion (bsc#1150381).
- nfsd: fix performance-limiting session calculation (bsc#1150381).
- nfsd: give out fewer session slots as limit approaches (bsc#1150381).
- nfsd: handle drc over-allocation gracefully (bsc#1150381).
- nfsd: increase DRC cache limit (bsc#1150381).
- nl80211: Fix a GET_KEY reply attribute (bsc#1051510).
- nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds (bsc#1051510).
- nl80211: fix null pointer dereference (bsc#1051510).
- null_blk: complete requests from ->timeout (bsc#1149446).
- null_blk: wire up timeouts (bsc#1149446).
- nvme-fc: fix module unloads while lports still pending (bsc#1150033).
- nvme-multipath: relax ANA state check (bsc#1123105).
- nvme-rdma: Allow DELETING state change failure in (bsc#1104967).
- nvme-rdma: centralize admin/io queue teardown sequence (bsc#1142076).
- nvme-rdma: centralize controller setup sequence (bsc#1142076).
- nvme-rdma: fix a NULL deref when an admin connect times out (bsc#1149446).
- nvme-rdma: fix timeout handler (bsc#1149446).
- nvme-rdma: remove redundant reference between ib_device and tagset (bsc#1149446).
- nvme-rdma: stop admin queue before freeing it (bsc#1140155).
- nvme-rdma: support up to 4 segments of inline data (bsc#1142076).
- nvme-rdma: unquiesce queues when deleting the controller (bsc#1142076).
- nvme-rdma: use dynamic dma mapping per command (bsc#1149446).
- nvme-tcp: fix a NULL deref when an admin connect times out (bsc#1149446).
- nvme-tcp: fix timeout handler (bsc#1149446).
- nvme-tcp: support C2HData with SUCCESS flag (bsc#1157386).
- nvme: cancel request synchronously (bsc#1145661).
- nvme: do not abort completed request in nvme_cancel_request (bsc#1149446).
- nvme: fix multipath crash when ANA is deactivated (bsc#1149446).
- nvme: remove ns sibling before clearing path (bsc#1140155).
- nvme: return BLK_EH_DONE from ->timeout (bsc#1142076).
- nvme: wait until all completed request's complete fn is called (bsc#1149446).
- nvmem: Use the same permissions for eeprom as for nvmem (git-fixes).
- objtool: Clobber user CFLAGS variable (bsc#1153236).
- ocfs2: fix panic due to ocfs2_wq is null (bsc#1158644).
- ocfs2: fix passing zero to 'PTR_ERR' warning (bsc#1158649).
- openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30).
- openvswitch: fix flow command message size (git-fixes).
- pNFS/flexfiles: Turn off soft RPC calls (git-fixes).
- padata: use smp_mb in padata_reorder to avoid orphaned padata jobs (git-fixes).
- perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp (bsc#1142924).
- phy: phy-twl4030-usb: fix denied runtime access (git-fixes).
- phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current (bsc#1051510).
- phylink: fix kernel-doc warnings (bsc#1111666).
- pinctrl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call (git-fixes).
- pinctrl: at91: do not use the same irqchip with multiple gpiochips (git-fixes).
- pinctrl: cherryview: Allocate IRQ chip dynamic (git-fixes).
- pinctrl: cherryview: restore Strago DMI workaround for all versions (bsc#1111666).
- pinctrl: lewisburg: Update pin list according to v1.1v6 (bsc#1051510).
- pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT (bsc#1051510).
- pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in init code (bsc#1051510).
- pinctrl: sunxi: Fix a memory leak in 'sunxi_pinctrl_build_state()' (bsc#1051510).
- pinctrl: tegra: Fix write barrier placement in pmx_writel (bsc#1051510).
- pinctrl: xway: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD (bsc#1051510).
- pktcdvd: remove warning on attempting to register non-passthrough dev (bsc#1051510).
- platform/x86: classmate-laptop: remove unused variable (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer (bsc#1051510).
- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
- platform/x86: i2c-multi-instantiate: Derive the device name from parent (bsc#1111666).
- platform/x86: i2c-multi-instantiate: Fail the probe if no IRQ provided (bsc#1111666).
- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens SIMATIC IPC227E to critclk_systems DMI table (bsc#1051510).
- pnfs/flexfiles: Fix PTR_ERR() dereferences in ff_layout_track_ds_error (git-fixes).
- power: reset: at91-poweroff: do not proceed if at91_shdwc is allocated (bsc#1051510).
- power: reset: gpio-restart: Fix typo when gpio reset is not found (bsc#1051510).
- power: supply: Init device wakeup after device_add() (bsc#1051510).
- power: supply: ab8500_fg: silence uninitialized variable warnings (bsc#1051510).
- power: supply: max14656: fix potential use-after-free (bsc#1051510).
- power: supply: sysfs: ratelimit property read error message (bsc#1051510).
- power: supply: twl4030_charger: disable eoc interrupt on linear charge (bsc#1051510).
- power: supply: twl4030_charger: fix charging current out-of-bounds (bsc#1051510).
- powerpc/64: Make meltdown reporting Book3S 64 specific (bsc#1091041).
- powerpc/64: Make sys_switch_endian() traceable (bsc#1065729).
- powerpc/64s/pseries: radix flush translations before MMU is enabled at boot (bsc#1055186).
- powerpc/64s/radix: Fix MADV_[FREE|DONTNEED] TLB flush miss problem with THP (bsc#1152161 ltc#181664).
- powerpc/64s/radix: Fix memory hot-unplug page table split (bsc#1065729).
- powerpc/64s/radix: Fix memory hotplug section page table creation (bsc#1065729).
- powerpc/64s/radix: Implement _tlbie(l)_va_range flush functions (bsc#1152161 ltc#181664).
- powerpc/64s/radix: Improve TLB flushing for page table freeing (bsc#1152161 ltc#181664).
- powerpc/64s/radix: Improve preempt handling in TLB code (bsc#1152161 ltc#181664).
- powerpc/64s/radix: Introduce local single page ceiling for TLB range flush (bsc#1055117 bsc#1152161 ltc#181664).
- powerpc/64s/radix: Optimize flush_tlb_range (bsc#1152161 ltc#181664).
- powerpc/64s/radix: keep kernel ERAT over local process/guest invalidates (bsc#1055186).
- powerpc/64s/radix: tidy up TLB flushing code (bsc#1055186).
- powerpc/64s: Rename PPC_INVALIDATE_ERAT to PPC_ISA_3_0_INVALIDATE_ERAT (bsc#1055186).
- powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).
- powerpc/book3s64/hash: Use secondary hash for bolted mapping if the primary is full (bsc#1157778 ltc#182520).
- powerpc/book3s64/mm: Do not do tlbie fixup for some hardware revisions (bsc#1152161 ltc#181664).
- powerpc/book3s64/radix: Rename CPU_FTR_P9_TLBIE_BUG feature flag (bsc#1152161 ltc#181664).
- powerpc/bpf: Fix tail call implementation (bsc#1157698).
- powerpc/bpf: use unsigned division instruction for 64-bit operations (bsc#1065729).
- powerpc/irq: Do not WARN continuously in arch_local_irq_restore() (bsc#1065729).
- powerpc/irq: drop arch_early_irq_init() (bsc#1065729).
- powerpc/mm/book3s64: Move book3s64 code to pgtable-book3s64 (bsc#1055186).
- powerpc/mm/radix: Drop unneeded NULL check (bsc#1152161 ltc#181664).
- powerpc/mm/radix: implement LPID based TLB flushes to be used by KVM (bsc#1152161 ltc#181664).
- powerpc/mm/radix: mark __radix__flush_tlb_range_psize() as __always_inline (bsc#1055186).
- powerpc/mm/radix: mark as __tlbie_pid() and friends as __always_inline (bsc#1055186).
- powerpc/mm: Fixup tlbie vs mtpidr/mtlpidr ordering issue on POWER9 (bsc#1152161 ltc#181664).
- powerpc/mm: Properly invalidate when setting process table base (bsc#1055186).
- powerpc/mm: Simplify page_is_ram by using memblock_is_memory (bsc#1065729).
- powerpc/mm: Use memblock API for PPC32 page_is_ram (bsc#1065729).
- powerpc/mm: mark more tlb functions as __always_inline (bsc#1055186).
- powerpc/module64: Fix comment in R_PPC64_ENTRY handling (bsc#1065729).
- powerpc/powernv/ioda2: Allocate TCE table levels on demand for default DMA window (bsc#1061840).
- powerpc/powernv/ioda: Fix race in TCE level allocation (bsc#1061840).
- powerpc/powernv/npu: Remove obsolete comment about TCE_KILL_INVAL_ALL (bsc#1065729).
- powerpc/powernv: Disable native PCIe port management (bsc#1065729).
- powerpc/powernv: Fix compile without CONFIG_TRACEPOINTS (bsc#1065729).
- powerpc/powernv: Flush console before platform error reboot (bsc#1149940 ltc#179958).
- powerpc/powernv: Restrict OPAL symbol map to only be readable by root (bsc#1152885).
- powerpc/powernv: Use kernel crash path for machine checks (bsc#1149940 ltc#179958).
- powerpc/powernv: move OPAL call wrapper tracing and interrupt handling to C (bsc#1065729).
- powerpc/pseries, ps3: panic flush kernel messages before halting system (bsc#1149940 ltc#179958).
- powerpc/pseries/memory-hotplug: Fix return value type of find_aa_index (bsc#1065729).
- powerpc/pseries/mobility: notify network peers after migration (bsc#1152631 ltc#181798).
- powerpc/pseries/mobility: use cond_resched when updating device tree (bsc#1153112 ltc#181778).
- powerpc/pseries: Call H_BLOCK_REMOVE when supported (bsc#1109158).
- powerpc/pseries: Do not fail hash page table insert for bolted mapping (bsc#1157778 ltc#182520).
- powerpc/pseries: Do not opencode HPTE_V_BOLTED (bsc#1157778 ltc#182520).
- powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes).
- powerpc/pseries: Export maximum memory value (bsc#1122363).
- powerpc/pseries: Export raw per-CPU VPA data via debugfs.
- powerpc/pseries: Fix cpu_hotplug_lock acquisition in resize_hpt() (bsc#1065729).
- powerpc/pseries: Read TLB Block Invalidate Characteristics (bsc#1109158).
- powerpc/pseries: Remove confusing warning message (bsc#1109158).
- powerpc/pseries: address checkpatch warnings in dlpar_offline_cpu (bsc#1156700 ltc#182459).
- powerpc/pseries: correctly track irq state in default idle (bsc#1150727 ltc#178925).
- powerpc/pseries: safely roll back failed DLPAR cpu add (bsc#1156700 ltc#182459).
- powerpc/ptrace: Simplify vr_get/set() to avoid GCC warning (bsc#1148868).
- powerpc/rtas: allow rescheduling while changing cpu states (bsc#1153112 ltc#181778).
- powerpc/security/book3s64: Report L1TF status in sysfs (bsc#1091041).
- powerpc/security: Fix wrong message when RFI Flush is disabled (bsc#1131107).
- powerpc/xive: Fix bogus error code returned by OPAL (bsc#1065729).
- powerpc/xive: Implement get_irqchip_state method for XIVE to fix shutdown race (bsc#1065729).
- powerpc/xive: Prevent page fault issues in the machine crash handler (bsc#1156882 ltc#182435).
- powerpc/xmon: Fix opcode being uninitialized in print_insn_powerpc (bsc#1065729).
- powerpc: Drop page_is_ram() and walk_system_ram_range() (bsc#1065729).
- powerpc: Fix vDSO clock_getres() (bsc#1065729).
- powerpc: bpf: Fix generation of load/store DW instructions (bsc#1065729).
- powerpc: dump kernel log before carrying out fadump or kdump (bsc#1149940 ltc#179958).
- powerplay: Respect units on max dcfclk watermark (bsc#1111666).
- ppdev: fix PPGETTIME/PPSETTIME ioctls (bsc#1051510).
- ppp: Fix memory leak in ppp_write (git-fixes).
- prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).
- printk/panic: Avoid deadlock in printk() after stopping CPUs by NMI (bsc#1148712).
- printk: Do not lose last line in kmsg buffer dump (bsc#1152460).
- printk: Export console_printk (bsc#1071995).
- printk: fix printk_time race (bsc#1152466).
- pwm: Clear chip_data in pwm_put() (bsc#1051510).
- pwm: bcm-iproc: Prevent unloading the driver module while in use (git-fixes).
- pwm: clps711x: Fix period calculation (bsc#1051510).
- pwm: lpss: Only set update bit if we are actually changing the settings (bsc#1051510).
- qed: iWARP - Fix default window size to be based on chip (bsc#1050536 bsc#1050545).
- qed: iWARP - Fix tc for MPA ll2 connection (bsc#1050536 bsc#1050545).
- qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state (bsc#1050536 bsc#1050545).
- qed: iWARP - fix uninitialized callback (bsc#1050536 bsc#1050545).
- qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10).
- qla2xxx: kABI fixes for v10.01.00.18-k (bsc#1123034 bsc#1131304 bsc#1127988).
- qla2xxx: remove SGI SN2 support (bsc#1123034 bsc#1131304 bsc#1127988).
- qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05).
- quota: fix wrong condition in is_quota_modification() (bsc#1152026).
- qxl: fix null-pointer crash during suspend (bsc#1111666).
- r8152: Set macpassthru in reset_resume callback (bsc#1051510).
- r8152: Set memory to all 0xFFs on failed reg reads (bsc#1051510).
- r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2 (networking-stable-19_11_05).
- random: move FIPS continuous test to output functions (bsc#1155334).
- rds: Fix warning (bsc#1154848).
- regulator: ab8500: Remove AB8505 USB regulator (bsc#1051510).
- regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id (bsc#1051510).
- regulator: lm363x: Fix off-by-one n_voltages for lm3632 ldo_vpos/ldo_vneg (bsc#1051510).
- regulator: tps65910: fix a missing check of return value (bsc#1051510).
- reiserfs: fix extended attributes on the root directory (bsc#1151225).
- remoteproc: Check for NULL firmwares in sysfs interface (git-fixes).
- reset: Fix potential use-after-free in __of_reset_control_get() (bsc#1051510).
- reset: fix of_reset_simple_xlate kerneldoc comment (bsc#1051510).
- reset: fix reset_control_get_exclusive kerneldoc comment (bsc#1051510).
- reset: fix reset_control_ops kerneldoc comment (bsc#1051510).
- resource: fix locking in find_next_iomem_res() (bsc#1114279).
- rpm/config.sh: Enable kgraft.
- rpm/config.sh: Enable livepatch.
- rpm/constraints.in: lower disk space required for ARM
  With a requirement of 35GB, only 2 slow workers are usable for ARM. Current aarch64 build requires 27G and armv6/7 requires 14G. Set requirements respectively to 30GB and 20GB.
- rpm/dtb.spec.in.in: do not make dtb directory inaccessible
  There is no reason to lock down the dtb directory for ordinary users.
- rpm/kernel-binary.spec.in: Fix kernel-livepatch description typo.
- rpm/kernel-binary.spec.in: add COMPRESS_VMLINUX (bnc#1155921)
  Let COMPRESS_VMLINUX determine the compression used for vmlinux. By default (historically), it is gz.
- rpm/kernel-binary.spec.in: handle modules.builtin.modinfo
  It was added in 5.2.
- rpm/kernel-binary.spec.in: remove code duplicated by merge.
- rpm/kernel-binary.spec.in: support partial rt debug config.
- rpm/kernel-source.spec.in: Fix dependency of kernel-devel (bsc#1154043)
- rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959)
  For reducing the dependency on kernel-firmware in sub packages
- rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)
- rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119).
- rpm/kernel-subpackage-spec: Unify dependency handling.
- rpm/kernel-subpackage-spec: fix kernel-default-base build
  There were some issues with recent changes to subpackage dependencies handling:
- rpm/macros.kernel-source: KMPs should depend on kmod-compat to build.
  kmod-compat links are used in find-provides.ksyms, find-requires.ksyms, and find-supplements.ksyms in rpm-config-SUSE.
- rpm/mkspec: Correct tarball URL for rc kernels.
- rpm/mkspec: Make building DTBs optional.
- rpm/modflist: Simplify compression support.
- rpm/modules.fips: update module list (bsc#1157853)
- rpm: raise required disk space for binary packages
  Current disk space constraints (10 GB on s390x, 25 GB on other architectures) no longer suffice for 5.3 kernel builds. The statistics show ~30 GB of disk consumption on x86_64 and ~11 GB on s390x so raise the constraints to 35 GB in general and 14 GB on s390x.
- rpm: support compressed modules
  Some of our scripts and scriptlets in rpm/ do not expect module files not ending with ".ko" which currently leads to failure in preuninstall scriptlet of cluster-md-kmp-default (and probably also other subpackages). Let those which could be run on compressed module files recognize ".ko.xz" in addition to ".ko".
- rt2800: remove erroneous duplicate condition (git-fixes).
- rtl8187: Fix warning generated when strncpy() destination length matches the size argument (bsc#1051510).
- rtl818x: fix potential use after free (bsc#1051510).
- rtlwifi: Fix file release memory leak (bsc#1111666).
- rtlwifi: Remove unnecessary NULL check in rtl_regd_init (bsc#1051510).
- rtlwifi: btcoex: Use proper enumerated types for Wi-Fi only interface (bsc#1111666).
- rtlwifi: rtl8192cu: Fix value set in descriptor (bsc#1142635).
- rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (bsc#1111666).
- rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing enable interrupt flag (bsc#1051510).
- s390/bpf: fix lcgr instruction encoding (bsc#1051510).
- s390/bpf: use 32-bit index for tail calls (bsc#1051510).
- s390/cio: avoid calling strlen on null pointer (bsc#1051510).
- s390/cio: exclude subchannels with no parent from pseudo check (bsc#1051510).
- s390/cio: fix virtio-ccw DMA without PV (git-fixes).
- s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476).
- s390/cmm: fix information leak in cmm_timeout_handler() (bsc#1051510).
- s390/cpumsf: Check for CPU Measurement sampling (bsc#1153681 LTC#181855).
- s390/crypto: fix gcm-aes-s390 selftest failures (bsc#1137861 LTC#178091).
- s390/idle: fix cpu idle time calculation (bsc#1051510).
- s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported (bsc#1051510).
- s390/pci: add mio_enabled attribute (bsc#1152665 LTC#181729).
- s390/pci: correctly handle MIO opt-out (bsc#1152665 LTC#181729).
- s390/pci: deal with devices that have no support for MIO instructions (bsc#1152665 LTC#181729).
- s390/pci: fix MSI message data (bsc#1152697 LTC#181730).
- s390/process: avoid potential reading of freed stack (bsc#1051510).
- s390/qdio: (re-)initialize tiqdio list entries (bsc#1051510).
- s390/qdio: do not touch the dsci in tiqdio_add_input_queues() (bsc#1051510).
- s390/qeth: clean up page frag creation (git-fixes).
- s390/qeth: consolidate skb allocation (git-fixes).
- s390/qeth: ensure linear access to packet headers (git-fixes).
- s390/qeth: guard against runt packets (git-fixes).
- s390/qeth: return proper errno on IO error (bsc#1051510).
- s390/setup: fix boot crash for machine without EDAT-1 (bsc#1051510 bsc#1140948).
- s390/setup: fix early warning messages (bsc#1051510 bsc#1140948).
- s390/topology: avoid firing events before kobjs are created (bsc#1051510).
- s390/zcrypt: fix memleak at release (git-fixes).
- s390: add support for IBM z15 machines (bsc#1152696 LTC#181731).
- s390: fix setting of mio addressing control (bsc#1152665 LTC#181729).
- s390: fix stfle zero padding (bsc#1051510).
- s390: vfio-ccw: Do not attempt to free no-op, test and tic cda (bsc#1154244).
- s390: vsie: Use effective CRYCBD.31 to check CRYCBD validity (git-fixes).
- sc16is7xx: Fix for "Unexpected interrupt: 8" (bsc#1051510).
- sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05).
- sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05).
- sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero (networking-stable-19_09_15).
- sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30).
- sched/fair: Add tmp_alone_branch assertion (bnc#1156462).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- sched/fair: Fix O(nr_cgroups) in the load balancing path (bnc#1156462).
- sched/fair: Fix insertion in rq->leaf_cfs_rq_list (bnc#1156462).
- sched/fair: Optimize update_blocked_averages() (bnc#1156462).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- scripts/arch-symbols: add missing link.
- scripts/git_sort/git_sort.py:
- scripts/run_oldconfig.sh: Fix update-vanilla
  When CC is set we want to use it for native only. Cross-compilation still needs the crosscompilers.
- scsi: bfa: convert to strlcpy/strlcat (git-fixes).
- scsi: cxlflash: Prevent deadlock when adapter probe fails (git-fixes).
- scsi: lpfc: Add enablement of multiple adapter dumps (bsc#1154601).
- scsi: lpfc: Add registration for CPU Offline/Online events (bsc#1154601).
- scsi: lpfc: Change default IRQ model on AMD architectures (bsc#1154601).
- scsi: lpfc: Check queue pointer before use (bsc#1154242).
- scsi: lpfc: Clarify FAWNN error message (bsc#1154601).
- scsi: lpfc: Complete removal of FCoE T10 PI support on SLI-4 adapters (bsc#1154521).
- scsi: lpfc: Convert existing %pf users to %ps (bsc#1154521).
- scsi: lpfc: Fix GPF on scsi command completion (bsc#1154521).
- scsi: lpfc: Fix NULL check before mempool_destroy is not needed (bsc#1154601).
- scsi: lpfc: Fix NVME io abort failures causing hangs (bsc#1154521).
- scsi: lpfc: Fix NVMe ABTS in response to receiving an ABTS (bsc#1154521).
- scsi: lpfc: Fix Oops in nvme_register with target logout/login (bsc#1151900).
- scsi: lpfc: Fix a kernel warning triggered by lpfc_get_sgl_per_hdwq() (bsc#1154601).
- scsi: lpfc: Fix a kernel warning triggered by lpfc_sli4_enable_intr() (bsc#1154601).
- scsi: lpfc: Fix configuration of BB credit recovery in service parameters (bsc#1154601).
- scsi: lpfc: Fix coverity errors on NULL pointer checks (bsc#1154521).
- scsi: lpfc: Fix device recovery errors after PLOGI failures (bsc#1154521).
- scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040).
- scsi: lpfc: Fix discovery failures when target device connectivity bounces (bsc#1154521).
- scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow (bsc#1154601).
- scsi: lpfc: Fix dynamic fw log enablement check (bsc#1154601).
- scsi: lpfc: Fix hdwq sgl locks and irq handling (bsc#1154521).
- scsi: lpfc: Fix host hang at boot or slow boot (bsc#1154521).
- scsi: lpfc: Fix kernel crash at lpfc_nvme_info_show during remote port bounce (bsc#1154601).
- scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq (bsc#1154521).
- scsi: lpfc: Fix list corruption in lpfc_sli_get_iocbq (bsc#1154521).
- scsi: lpfc: Fix locking on mailbox command completion (bsc#1154521).
- scsi: lpfc: Fix lpfc_cpumask_of_node_init() (bsc#1154601).
- scsi: lpfc: Fix miss of register read failure check (bsc#1154521).
- scsi: lpfc: Fix null ptr oops updating lpfc_devloss_tmo via sysfs attribute (bsc#1140845).
- scsi: lpfc: Fix premature re-enabling of interrupts in lpfc_sli_host_down (bsc#1154521).
- scsi: lpfc: Fix propagation of devloss_tmo setting to nvme transport (bsc#1140883).
- scsi: lpfc: Fix pt2pt discovery on SLI3 HBAs (bsc#1154521).
- scsi: lpfc: Fix reset recovery paths that are not recovering (bsc#1144375).
- scsi: lpfc: Fix rpi release when deleting vport (bsc#1154521).
- scsi: lpfc: Fix spinlock_irq issues in lpfc_els_flush_cmd() (bsc#1154521).
- scsi: lpfc: Fix unexpected error messages during RSCN handling (bsc#1154601).
- scsi: lpfc: Honor module parameter lpfc_use_adisc (bsc#1153628).
- scsi: lpfc: Honor module parameter lpfc_use_adisc (bsc#1154601).
- scsi: lpfc: Initialize cpu_map for not present cpus (bsc#1154601).
- scsi: lpfc: Limit xri count for kdump environment (bsc#1154124).
- scsi: lpfc: Make function lpfc_defer_pt2pt_acc static (bsc#1154521).
- scsi: lpfc: Make lpfc_debugfs_ras_log_data static (bsc#1154601).
- scsi: lpfc: Mitigate high memory pre-allocation by SCSI-MQ (bsc#1154601).
- scsi: lpfc: Raise config max for lpfc_fcp_mq_threshold variable (bsc#1154601).
- scsi: lpfc: Remove bg debugfs buffers (bsc#1144375).
- scsi: lpfc: Remove bg debugfs buffers (bsc#1144375).
- scsi: lpfc: Resolve checker warning for lpfc_new_io_buf() (bsc#1144375).
- scsi: lpfc: Sync with FC-NVMe-2 SLER change to require Conf with SLER (bsc#1154601).
- scsi: lpfc: Update async event logging (bsc#1154521).
- scsi: lpfc: Update lpfc version to 12.4.0.1 (bsc#1154521).
- scsi: lpfc: Update lpfc version to 12.6.0.1 (bsc#1154601).
- scsi: lpfc: Update lpfc version to 12.6.0.2 (bsc#1154601).
- scsi: lpfc: cleanup: remove unused fcp_txcmlpq_cnt (bsc#1154521).
- scsi: lpfc: fix build error of lpfc_debugfs.c for vfree/vmalloc (bsc#1154601).
- scsi: lpfc: fix inlining of lpfc_sli4_cleanup_poll_list() (bsc#1154601).
- scsi: lpfc: fix spelling error in MAGIC_NUMER_xxx (bsc#1154601).
- scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1154601).
- scsi: lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences (bsc#1154601).
- scsi: lpfc: lpfc_attr: Fix Use plain integer as NULL pointer (bsc#1154601).
- scsi: lpfc: lpfc_nvmet: Fix Use plain integer as NULL pointer (bsc#1154601).
- scsi: lpfc: remove left-over BUILD_NVME defines (bsc#1154268).
- scsi: lpfc: remove left-over BUILD_NVME defines (bsc#1154268).
- scsi: lpfc: revise nvme max queues to be hdwq count (bsc#1154601).
- scsi: lpfc: use hdwq assigned cpu for allocation (bsc#1157160).
- scsi: qedf: Add debug information for unsolicited processing (bsc#1149976).
- scsi: qedf: Add shutdown callback handler (bsc#1149976).
- scsi: qedf: Add support for 20 Gbps speed (bsc#1149976).
- scsi: qedf: Check both the FCF and fabric ID before servicing clear virtual link (bsc#1149976).
- scsi: qedf: Check for link state before processing LL2 packets and send fipvlan retries (bsc#1149976).
- scsi: qedf: Check for module unloading bit before processing link update AEN (bsc#1149976).
- scsi: qedf: Decrease the LL2 MTU size to 2500 (bsc#1149976).
- scsi: qedf: Fix race betwen fipvlan request and response path (bsc#1149976).
- scsi: qedf: Initiator fails to re-login to switch after link down (bsc#1149976).
- scsi: qedf: Modify abort and tmf handler to handle edge condition and flush (bsc#1098291).
- scsi: qedf: Print message during bailout conditions (bsc#1149976).
- scsi: qedf: Stop sending fipvlan request on unload (bsc#1149976).
- scsi: qedf: Update module description string (bsc#1149976).
- scsi: qedf: Update the driver version to 8.37.25.20 (bsc#1149976).
- scsi: qedf: Update the version to 8.42.3.0 (bsc#1149976).
- scsi: qedf: Use discovery list to traverse rports (bsc#1149976).
- scsi: qedf: fc_rport_priv reference counting fixes (bsc#1098291).
- scsi: qedf: remove set but not used variables (bsc#1149976).
- scsi: qedi: remove declaration of nvm_image from stack (git-fixes).
- scsi: qla2xxx: Add 28xx flash primary/secondary status/image mechanism (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add Device ID for ISP28XX (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add First Burst support for FC-NVMe devices (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add Serdes support for ISP28XX (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add debug dump of LOGO payload and ELS IOCB (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Add fw_attr and port_no SysFS node (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add new FW dump template entry types (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add pci function reset support (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add protection mask module parameters (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add support for multiple fwdump templates/segments (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add support for setting port speed (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Added support for MPI and PEP regions for ISP28XX (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Allow NVMe IO to resume with short cable pull (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Allow PLOGI in target mode (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value (bsc#1143706).
- scsi: qla2xxx: Avoid PCI IRQ affinity mapping when multiqueue is not supported (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Avoid that Coverity complains about dereferencing a NULL rport pointer (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Avoid that lockdep complains about unsafe locking in tcm_qla2xxx_close_session() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Avoid that qla2x00_mem_free() crashes if called twice (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Change abort wait_loop from msleep to wait_event_timeout (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Change data_dsd into an array (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Change data_dsd into an array (bsc#1143706).
- scsi: qla2xxx: Change default ZIO threshold (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Change discovery state before PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Change the return type of qla24xx_read_flash_data() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Change the return type of qla24xx_read_flash_data() (bsc#1143706).
- scsi: qla2xxx: Change the return type of qla2x00_update_ms_fdmi_iocb() into void (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Change the return type of qla2x00_update_ms_fdmi_iocb() into void (bsc#1143706).
- scsi: qla2xxx: Check for FW started flag before aborting (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Check secondary image if reading the primary image fails (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Check secondary image if reading the primary image fails (bsc#1143706).
- scsi: qla2xxx: Check the PCI info string output buffer size (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Check the PCI info string output buffer size (bsc#1143706).
- scsi: qla2xxx: Check the size of firmware data structures at compile time (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Cleanup fcport memory to prevent leak (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Cleanup redundant qla2x00_abort_all_cmds during unload (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Cleanups for NVRAM/Flash read/write path (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if a command is released that is owned by the firmware (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if a mailbox command times out (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if a mailbox command times out (bsc#1143706).
- scsi: qla2xxx: Complain if a soft reset fails (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if a soft reset fails (bsc#1143706).
- scsi: qla2xxx: Complain if parsing the version string fails (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if parsing the version string fails (bsc#1143706).
- scsi: qla2xxx: Complain if sp->done() is not called from the completion path (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if sp->done() is not called from the completion path (bsc#1143706).
- scsi: qla2xxx: Complain if waiting for pending commands times out (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if waiting for pending commands times out (bsc#1143706).
- scsi: qla2xxx: Complain loudly about reference count underflow (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Configure local loop for N2N target (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Correct error handling during initialization failures (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Correction and improvement to fwdt processing (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Correctly report max/min supported speeds (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Correctly retrieve and interpret active flash region (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Declare fourth qla2x00_set_model_info() argument const (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare fourth qla2x00_set_model_info() argument const (bsc#1143706).
- scsi: qla2xxx: Declare local symbols static (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare qla24xx_build_scsi_crc_2_iocbs() static (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare qla2x00_find_new_loop_id() static (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare qla_tgt_cmd.cdb const (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare qla_tgt_cmd.cdb const (bsc#1143706).
- scsi: qla2xxx: Declare the fourth ql_dump_buffer() argument const (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare the fourth ql_dump_buffer() argument const (bsc#1143706).
- scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Do command completion on abort timeout (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Do not call qlt_async_event twice (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Do not corrupt vha->plogi_ack_list (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Do not corrupt vha->plogi_ack_list (bsc#1143706).
- scsi: qla2xxx: Do not defer relogin unconditonally (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Downgrade driver to 10.01.00.19-k There are upstream bug reports against 10.01.00.19-k which haven't been resolved. Also the newer version failed to get a proper review. For the time being it's better to go with the older version and not introduce new bugs.
- scsi: qla2xxx: Drop superfluous INIT_WORK of del_work (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Enable type checking for the SRB free and done callback functions (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Enable type checking for the SRB free and done callback functions (bsc#1143706).
- scsi: qla2xxx: Fix DMA error when the DIF sg buffer crosses 4GB boundary (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix DMA unmap leak (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix LUN discovery if loop id is not assigned yet by firmware (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix N2N link reset (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix N2N link up fail (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix NULL pointer crash due to stale CPUID (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix NVME cmd and LS cmd timeout race condition (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix NVMe port discovery after a short device port loss (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix Nport ID display value (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix SRB allocation flag to avoid sleeping in IRQ context (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix SRB leak on switch command timeout (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix a NULL pointer dereference (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix a NULL pointer dereference (bsc#1143706).
- scsi: qla2xxx: Fix a dma_pool_free() call (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix a qla24xx_enable_msix() error path (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix a race condition between aborting and completing a SCSI command (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix a race condition between aborting and completing a SCSI command (bsc#1143706).
- scsi: qla2xxx: Fix a recently introduced kernel warning (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix a small typo in qla_bsg.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix abort timeout race condition (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix code indentation for qla27xx_fwdt_entry (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix comment alignment in qla_bsg.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix comment in MODULE_PARM_DESC in qla2xxx (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix device connect issues in P2P configuration (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix different size DMA Alloc/Unmap (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix double scsi_done for abort path (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix driver reload for ISP82xx (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix driver reload for ISP82xx (bsc#1143706).
- scsi: qla2xxx: Fix driver unload hang (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix driver unload when FC-NVMe LUNs are connected (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix flash read for Qlogic ISPs (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix flash read for Qlogic ISPs (bsc#1143706).
- scsi: qla2xxx: Fix formatting of pointer types (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix fw dump corruption (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix fw options handle eh_bus_reset() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix hang in fcport delete path (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix hardirq-unsafe locking (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix hardlockup in abort command during driver remove (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix incorrect SFUB length used for Secure Flash Update MB Cmd (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Fix kernel crash after disconnecting NVMe devices (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix memory leak when sending I/O fails (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix message indicating vectors used by driver (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix message indicating vectors used by driver (bsc#1143706).
- scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix possible fcport null-pointer dereferences (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix premature timer expiration (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix qla24xx_process_bidir_cmd() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix qla24xx_process_bidir_cmd() (bsc#1143706).
- scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix read offset in qla24xx_load_risc_flash() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix routine qla27xx_dump_{mpi|ram}() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix session cleanup hang (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix session lookup in qlt_abort_work() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix session lookup in qlt_abort_work() (bsc#1143706).
- scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix stale session (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix stale session (bsc#1143706).
- scsi: qla2xxx: Fix stuck login session (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix stuck login session (bsc#1143706).
- scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix unload when NVMe devices are configured (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix use-after-free issues in qla2xxx_qpair_sp_free_dma() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Further limit FLASH region write access from SysFS (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Ignore NULL pointer in tcm_qla2xxx_free_mcmd (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Improve Linux kernel coding style conformance (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Improve Linux kernel coding style conformance (bsc#1143706).
- scsi: qla2xxx: Improve logging for scan thread (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Include the asm/unaligned.h header file from qla_dsd.h (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Include the asm/unaligned.h header file from qla_dsd.h (bsc#1143706).
- scsi: qla2xxx: Increase the max_sgl_segments to 1024 (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Increase the size of the mailbox arrays from 4 to 8 (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Initialize free_work before flushing it (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Inline the qla2x00_fcport_event_handler() function (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Inline the qla2x00_fcport_event_handler() function (bsc#1143706).
- scsi: qla2xxx: Insert spaces where required (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce qla2x00_els_dcmd2_free() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce qla2x00_els_dcmd2_free() (bsc#1143706).
- scsi: qla2xxx: Introduce qla2xxx_get_next_handle() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce qla2xxx_get_next_handle() (bsc#1143706).
- scsi: qla2xxx: Introduce the be_id_t and le_id_t data types for FC src/dst IDs (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce the be_id_t and le_id_t data types for FC src/dst IDs (bsc#1143706).
- scsi: qla2xxx: Introduce the dsd32 and dsd64 data structures (bsc#1082635 bsc#1141340 bsc#1143706).
- scsi: qla2xxx: Introduce the dsd32 and dsd64 data structures (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce the function qla2xxx_init_sp() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce the function qla2xxx_init_sp() (bsc#1143706).
- scsi: qla2xxx: Leave a blank line after declarations (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Let the compiler check the type of the SCSI command context pointer (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Let the compiler check the type of the SCSI command context pointer (bsc#1143706).
- scsi: qla2xxx: Log the status code if a firmware command fails (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make it explicit that ELS pass-through IOCBs use little endian (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make it explicit that ELS pass-through IOCBs use little endian (bsc#1143706).
- scsi: qla2xxx: Make qla24xx_async_abort_cmd() static (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make qla2x00_abort_srb() again decrease the sp reference count (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make qla2x00_abort_srb() again decrease the sp reference count (bsc#1143706).
- scsi: qla2xxx: Make qla2x00_mem_free() easier to verify (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make qla2x00_process_response_queue() easier to read (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make qlt_handle_abts_completion() more robust (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make qlt_handle_abts_completion() more robust (bsc#1143706).
- scsi: qla2xxx: Make sure that aborted commands are freed (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make sure that aborted commands are freed (bsc#1143706).
- scsi: qla2xxx: Modify NVMe include directives (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Modify NVMe include directives (bsc#1143706).
- scsi: qla2xxx: Move debug messages before sending srb preventing panic (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move marker request behind QPair (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move qla2x00_clear_loop_id() from qla_inline.h into qla_init.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move qla2x00_is_reserved_id() from qla_inline.h into qla_init.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move qla2x00_set_fcport_state() from a .h into a .c file (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move qla2x00_set_reserved_loop_ids() definition (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move the linux/io-64-nonatomic-lo-hi.h include directive (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move the port_state_str definition from a .h to a .c file (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Optimize NPIV tear down process (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Pass little-endian values to the firmware (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Prevent SysFS access when chip is down (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Prevent memory leak for CT req/rsp allocation (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Prevent multiple ADISC commands per session (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Really fix qla2xxx_eh_abort() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Really fix qla2xxx_eh_abort() (bsc#1143706).
- scsi: qla2xxx: Reduce the number of casts in GID list code (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Reduce the number of casts in GID list code (bsc#1143706).
- scsi: qla2xxx: Reduce the number of forward declarations (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Reduce the scope of three local variables in qla2xxx_queuecommand() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Reduce the scope of three local variables in qla2xxx_queuecommand() (bsc#1143706).
- scsi: qla2xxx: Reject EH_{abort|device_reset|target_request} (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove FW default template (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove WARN_ON_ONCE in qla2x00_status_cont_entry() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove WARN_ON_ONCE in qla2x00_status_cont_entry() (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Remove a comment that refers to the SCSI host lock (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove a set-but-not-used variable (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove a superfluous forward declaration (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove a superfluous forward declaration (bsc#1143706).
- scsi: qla2xxx: Remove a superfluous pointer check (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove a superfluous pointer check (bsc#1143706).
- scsi: qla2xxx: Remove an include directive (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Remove an include directive from qla_mr.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove an include directive from qla_mr.c (bsc#1143706).
- scsi: qla2xxx: Remove dead code (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove dead code (bsc#1143706).
- scsi: qla2xxx: Remove qla_tgt_cmd.data_work and qla_tgt_cmd.data_work_free (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove qla_tgt_cmd.released (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove set but not used variable 'ptr_dma' (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove superfluous sts_entry_* casts (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove superfluous sts_entry_* casts (bsc#1143706).
- scsi: qla2xxx: Remove the fcport test from qla_nvme_abort_work() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove two superfluous casts (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove two superfluous if-tests (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove two superfluous if-tests (bsc#1143706).
- scsi: qla2xxx: Remove two superfluous tests (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove two superfluous tests (bsc#1143706).
- scsi: qla2xxx: Remove unnecessary locking from the target code (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove unnecessary null check (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove unreachable code from qla83xx_idc_lock() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove unreachable code from qla83xx_idc_lock() (bsc#1143706).
- scsi: qla2xxx: Remove useless set memory to zero use memset() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Replace vmalloc + memset with vzalloc (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Report invalid mailbox status codes (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Report invalid mailbox status codes (bsc#1143706).
- scsi: qla2xxx: Report the firmware status code if a mailbox command fails (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Report the firmware status code if a mailbox command fails (bsc#1143706).
- scsi: qla2xxx: Reset the FCF_ASYNC_{SENT|ACTIVE} flags (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Restore FAWWPN of Physical Port only for loop down (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Retry fabric Scan on IOCB queue full (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Rework key encoding in qlt_find_host_by_d_id() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Rework key encoding in qlt_find_host_by_d_id() (bsc#1143706).
- scsi: qla2xxx: Secure flash update support for ISP28XX (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Send Notify ACK after N2N PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Set remote port devloss timeout to 0 (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set remove flag for all VP (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Set the SCSI command result before calling the command done (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set the qpair in SRB to NULL when SRB is released (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set the responder mode if appropriate for ELS pass-through IOCBs (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set the responder mode if appropriate for ELS pass-through IOCBs (bsc#1143706).
- scsi: qla2xxx: Silence Successful ELS IOCB message (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Silence fwdump template message (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Simplification of register address used in qla_tmpl.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify a debug statement (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify a debug statement (bsc#1143706).
- scsi: qla2xxx: Simplify conditional check again (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify qla24xx_abort_sp_done() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify qla24xx_abort_sp_done() (bsc#1143706).
- scsi: qla2xxx: Simplify qla24xx_async_abort_cmd() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify qla24xx_async_abort_cmd() (bsc#1143706).
- scsi: qla2xxx: Simplify qlt_lport_dump() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify qlt_lport_dump() (bsc#1143706).
- scsi: qla2xxx: Simplify qlt_send_term_imm_notif() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Skip FW dump on LOOP initialization error (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Suppress a Coverity complaint about integer overflow (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Suppress a Coverity complaint about integer overflow (bsc#1143706).
- scsi: qla2xxx: Suppress multiple Coverity complaints about out-of-bounds accesses (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Suppress multiple Coverity complaints about out-of-bounds accesses (bsc#1143706).
- scsi: qla2xxx: Uninline qla2x00_init_timer() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Unregister resources in the opposite order of the registration order (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.00.00.13-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.00.00.14-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.15-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.16-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.18-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.19-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.19-k (bsc#1143706).
- scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Update driver version to 10.01.00.21-k (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Update flash read/write routine (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use ARRAY_SIZE() in the definition of QLA_LAST_SPEED (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use correct index for Q-Pair array (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use __le64 instead of uint32_t for sending DMA addresses to firmware (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use __le64 instead of uint32_t[2] for sending DMA addresses to firmware (bsc#1082635 bsc#1141340 bsc#1143706).
- scsi: qla2xxx: Use an on-stack completion in qla24xx_control_vp() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use common update-firmware-options routine for ISP27xx+ (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use complete switch scan for RSCN events (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use correct number of vectors for online CPUs (bsc#1137223).
- scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use explicit LOGO in target mode (bsc#1157424, bsc#1157908, bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Use get/put_unaligned where appropriate (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use memcpy() and strlcpy() instead of strcpy() and strncpy() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use memcpy() and strlcpy() instead of strcpy() and strncpy() (bsc#1143706).
- scsi: qla2xxx: Use mutex protection during qla2x00_sysfs_read_fw_dump() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use strlcpy() instead of strncpy() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use strlcpy() instead of strncpy() (bsc#1143706).
- scsi: qla2xxx: Use tabs instead of spaces for indentation (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use tabs instead of spaces for indentation (bsc#1143706).
- scsi: qla2xxx: Use tabs to indent code (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Verify locking assumptions at runtime (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Verify locking assumptions at runtime (bsc#1143706).
- scsi: qla2xxx: allow session delete to finish before create (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: avoid printf format warning (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: check for kstrtol() failure (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: cleanup trace buffer initialization (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: cleanup trace buffer initialization (bsc#1134476).
- scsi: qla2xxx: deadlock by configfs_depend_item (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: do not use zero for FC4_PRIORITY_NVME (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: fix fcport null pointer access (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: fix rports not being marked as lost in sync fabric scan (bsc#1138039).
- scsi: qla2xxx: fix spelling mistake "alredy" -> "already" (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: fix spelling mistake "initializatin" -> "initialization" (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: flush IO on chip reset or sess delete (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: initialize fc4_type_priority (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: move IO flush to the front of NVME rport unregistration (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: no need to check return value of debugfs_create functions (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: on session delete, return nvme cmd (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: qla2x00_alloc_fw_dump: set ha->eft (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: remove double assignment in qla2x00_update_fcport (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: remove redundant null check on pointer sess (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: target: Fix offline port handling and host reset handling (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: unregister ports after GPN_FT failure (bsc#1138039).
- scsi: scsi_transport_fc: nvme: display FC-NVMe port roles (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: sd: Defer spinning up drive while SANITIZE is in progress (git-fixes).
- scsi: sd: Fix a race between closing an sd device and sd I/O (git-fixes).
- scsi: sd: Fix cache_type_store() (git-fixes).
- scsi: sd: Ignore a failure to sync cache due to lack of authorization (git-fixes).
- scsi: sd: Optimal I/O size should be a multiple of physical block size (git-fixes).
- scsi: sd: Quiesce warning if device does not report optimal I/O size (git-fixes).
- scsi: sd_zbc: Fix potential memory leak (git-fixes).
- scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled (git-fixes).
- scsi: storvsc: Add ability to change scsi queue depth (bsc#1155021).
- scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue (bsc#1140729).
- scsi: tcm_qla2xxx: Minimize #include directives (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 (git-fixes).
- scsi: use dma_get_cache_alignment() as minimum DMA alignment (git-fixes).
- scsi: virtio_scsi: do not send sc payload with tmfs (git-fixes).
- scsi: zfcp: fix reaction on bit error threshold notification (bsc#1154956 LTC#182054).
- scsi: zfcp: fix request object use-after-free in send path causing wrong traces (bsc#1051510).
- scsi: zfcp: trace channel log even for FCP command responses (git-fixes).
- scsi_transport_fc: complete requests from ->timeout (bsc#1142076).
- sctp: Fix regression (bsc#1158082).
- sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' (networking-stable-19_09_15).
- sctp: change sctp_prot .no_autobind with true (networking-stable-19_10_24).
- sctp: fix the transport error_count check (networking-stable-19_08_21).
- sctp: use transport pf_retrans in sctp_do_8_2_transport_strike (networking-stable-19_09_15).
- selftests: net: reuseport_dualstack: fix uninitialized parameter (networking-stable-19_11_05).
- serial: fix kernel-doc warning in comments (bsc#1051510).
- serial: max310x: Fix tx_empty() callback (bsc#1051510).
- serial: mctrl_gpio: Check for NULL pointer (bsc#1051510).
- serial: mxs-auart: Fix potential infinite loop (bsc#1051510).
- serial: samsung: Enable baud clock for UART reset procedure in resume (bsc#1051510).
- serial: uartlite: fix exit path null pointer (bsc#1051510).
- serial: uartps: Fix suspend functionality (bsc#1051510).
- series.conf: Move iommu patches into sorted section.
- signal: Properly set TRACE_SIGNAL_LOSE_INFO in __send_signal (bsc#1157463).
- skge: fix checksum byte order (networking-stable-19_09_30).
- sky2: Disable MSI on yet another ASUS board (P6Xxxx) (bsc#1051510).
- slcan: Fix memory leak in error path (bsc#1051510).
- slip: Fix memory leak in slip_open error path (bsc#1051510).
- slip: Fix use-after-free Read in slip_open (bsc#1051510).
- slip: make slhc_free() silently accept an error pointer (bsc#1051510).
- slip: sl_alloc(): remove unused parameter "dev_t line" (bsc#1051510).
- smb3: Incorrect size for netname negotiate context (bsc#1144333, bsc#1154355).
- smb3: fix leak in "open on server" perf counter (bsc#1144333, bsc#1154355).
- smb3: fix signing verification of large reads (bsc#1144333, bsc#1154355).
- smb3: fix unmount hang in open_shroot (bsc#1144333, bsc#1154355).
- smb3: improve handling of share deleted (and share recreated) (bsc#1144333, bsc#1154355).
- soc: imx: gpc: fix PDN delay (bsc#1051510).
- soc: qcom: wcnss_ctrl: Avoid string overflow (bsc#1051510).
- sock_diag: fix autoloading of the raw_diag module (bsc#1152791).
- sock_diag: request _diag module only when the family or proto has been registered (bsc#1152791).
- spi: atmel: Fix CS high support (bsc#1051510).
- spi: atmel: fix handling of cs_change set on non-last xfer (bsc#1051510).
- spi: bcm2835aux: fix corruptions for longer spi transfers (bsc#1051510).
- spi: bcm2835aux: remove dangerous uncontrolled read of fifo (bsc#1051510).
- spi: bcm2835aux: unifying code between polling and interrupt driven code (bsc#1051510).
- spi: fsl-lpspi: Prevent FIFO under/overrun by default (bsc#1051510).
- spi: mediatek: Do not modify spi_transfer when transfer (bsc#1051510).
- spi: mediatek: use correct mata->xfer_len when in fifo transfer (bsc#1051510).
- spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch (bsc#1051510).
- spi: omap2-mcspi: Set FIFO DMA trigger level to word length (bsc#1051510).
- spi: pic32: Use proper enum in dmaengine_prep_slave_rg (bsc#1051510).
- spi: rockchip: initialize dma_slave_config properly (bsc#1051510).
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours (bsc#1111666).
- spi: spidev: Fix OF tree warning logic (bsc#1051510).
- staging: bcm2835-audio: Fix draining behavior regression (bsc#1111666).
- staging: rtl8188eu: fix null dereference when kzalloc fails (bsc#1051510).
- staging: rtl8192e: fix potential use after free (bsc#1051510).
- staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids (bsc#1051510).
- staging: rtl8723bs: Drop ACPI device ids (bsc#1051510).
- staging: vt6655: Fix memory leak in vt6655_probe (bsc#1051510).
- staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510).
- stm class: Fix a double free of stm_source_device (bsc#1051510).
- supported.conf: add efivarfs to kernel-default-base (bsc#1154858).
- supported.conf: Mark vfio_ccw supported by SUSE, because bugs can be routed to IBM via SUSE support (jsc#SLE-6138, bsc#1151192).
- synclink_gt(): fix compat_ioctl() (bsc#1051510).
- tcp: Do not dequeue SYN/FIN-segments from write-queue (git-fixes).
- tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR (networking-stable-19_09_15).
- tcp: inherit timestamp on mtu probe (networking-stable-19_09_05).
- tcp: make sure EPOLLOUT won't be missed (networking-stable-19_08_28).
- tcp: remove empty skb from write queue in error cases (networking-stable-19_09_05).
- tcp_nv: fix potential integer overflow in tcpnv_acked (bsc#1051510).
- team: Add vlan tx offload to hw_enc_features (bsc#1051510).
- team: Add vlan tx offload to hw_enc_features (networking-stable-19_08_21).
- temporarily disable debug_pagealloc (bsc#1159096).
- thermal: Fix deadlock in thermal thermal_zone_device_check (bsc#1051510).
- thermal: Fix use-after-free when unregistering thermal zone device (bsc#1051510).
- thermal_hwmon: Sanitize thermal_zone type (bsc#1051510).
- thunderbolt: Fix lockdep circular locking dependency warning (git-fixes).
- tipc: Avoid copying bytes beyond the supplied data (bsc#1051510).
- tipc: add NULL pointer check before calling kfree_rcu (networking-stable-19_09_15).
- tipc: check bearer name with right length in tipc_nl_compat_bearer_enable (bsc#1051510).
- tipc: check link name with right length in tipc_nl_compat_link_set (bsc#1051510).
- tipc: check msg->req data len in tipc_nl_compat_bearer_disable (bsc#1051510).
- tipc: compat: allow tipc commands without arguments (bsc#1051510).
- tipc: fix a missing check of genlmsg_put (bsc#1051510).
- tipc: fix link name length check (bsc#1051510).
- tipc: fix link name length check (git-fixes).
- tipc: fix memory leak in tipc_nl_compat_publ_dump (bsc#1051510).
- tipc: fix skb may be leaky in tipc_link_input (bsc#1051510).
- tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path (bsc#1051510).
- tipc: fix unlimited bundling of small messages (networking-stable-19_10_05).
- tipc: fix wrong timeout input for tipc_wait_for_cond() (bsc#1051510).
- tipc: handle the err returned from cmd header function (bsc#1051510).
- tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb (bsc#1051510).
- tipc: tipc clang warning (bsc#1051510).
- tools/power/x86/intel-speed-select: Fix a read overflow in isst_set_tdp_level_msr() (bsc#1111666).
- tools: bpftool: close prog FD before exit on showing a single program (bsc#1109837).
- tools: bpftool: fix arguments for p_err() in do_event_pipe() (bsc#1109837).
- tools: bpftool: fix error message (prog -> object) (bsc#1109837).
- tpm: add check after commands attribs tab allocation (bsc#1051510).
- tpm_tis_core: Set TPM_CHIP_FLAG_IRQ before probing for interrupts (bsc#1082555).
- tracing: Get trace_array reference for available_tracers files (bsc#1156429).
- tracing: Initialize iter->seq after zeroing in tracing_read_pipe() (bsc#1151508).
- tty: serial: fsl_lpuart: Use appropriate lpuart32_* I/O funcs (bsc#1111666).
- tty: serial: fsl_lpuart: use the sg count from dma_map_sg (bsc#1051510).
- tty: serial: imx: use the sg count from dma_map_sg (bsc#1051510).
- tty: serial: msm_serial: Fix flow control (bsc#1051510).
- tty: serial: pch_uart: correct usage of dma_unmap_sg (bsc#1051510).
- tun: fix data-race in gro_normal_list() (bsc#1111666).
- tun: fix use-after-free when register netdev failed (bsc#1111666).
- tun: fix use-after-free when register netdev failed (networking-stable-19_09_15).
- tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099).
- tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099).
- uaccess: Add non-pagefault user-space write function (bsc#1083647).
- ubifs: Correctly initialize c->min_log_bytes (bsc#1158641).
- ubifs: Limit the number of pages in shrink_liability (bsc#1158643).
- udp: use skb_queue_empty_lockless() (networking-stable-19_11_05).
- usb-serial: cp201x: support Mark-10 digital force gauge (bsc#1051510).
- usb-storage: Add new JMS567 revision to unusual_devs (bsc#1051510).
- usb-storage: Revert commit 747668dbc061 ("usb-storage: Set virt_boundary_mask to avoid SG overflows") (bsc#1051510).
- usb: chipidea: Fix otg event handler (bsc#1051510).
- usb: chipidea: imx: enable OTG overcurrent in case USB subsystem is already started (bsc#1051510).
- usb: chipidea: udc: do not do hardware access if gadget has stopped (bsc#1051510).
- usb: dwc3: gadget: Check ENBLSLPM before sending ep command (bsc#1051510).
- usb: gadget: composite: Clear "suspended" on reset/disconnect (bsc#1051510).
- usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode (bsc#1051510).
- usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status() (bsc#1051510).
- usb: gadget: uvc: Factor out video USB request queueing (bsc#1051510).
- usb: gadget: uvc: Only halt video streaming endpoint in bulk mode (bsc#1051510).
- usb: gadget: uvc: configfs: Drop leaked references to config items (bsc#1051510).
- usb: gadget: uvc: configfs: Prevent format changes after linking header (bsc#1051510).
- usb: handle warm-reset port requests on hub resume (bsc#1051510).
- usb: host: fotg2: restart hcd after port reset (bsc#1051510).
- usb: host: ohci: fix a race condition between shutdown and irq (bsc#1051510).
- usb: udc: lpc32xx: fix bad bit shift operation (bsc#1051510).
- usb: xhci-mtk: fix ISOC error when interval is zero (bsc#1051510).
- usb: xhci: wait for CNR controller not ready bit in xhci resume (bsc#1051510).
- usbip: Fix free of unallocated memory in vhci tx (git-fixes).
- usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510).
- usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path (git-fixes).
- usbip: Implement SG support to vhci-hcd and stub driver (git-fixes).
- usbip: tools: fix fd leakage in the function of read_attr_usbip_status (git-fixes).
- usbnet: ignore endpoints with invalid wMaxPacketSize (bsc#1051510).
- usbnet: sanity checking of packet sizes and device mtu (bsc#1051510).
- vfio-ccw: Fix misleading comment when setting orb.cmd.c64 (bsc#1051510).
- vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn (bsc#1051510).
- vfio: ccw: fix bad ptr math for TIC cda translation (bsc#1154244).
- vfio: ccw: push down unsupported IDA check (bsc#1156471 LTC#182362).
- vfio_pci: Restore original state on release (bsc#1051510).
- vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 (bsc#1051510).
- vhost/test: fix build for vhost test (bsc#1111666).
- vhost_net: conditionally enable tx polling (bsc#1145099).
- vhost_net: conditionally enable tx polling (bsc#1145099).
- video/hdmi: Fix AVI bar unpack (git-fixes).
- video: backlight: Add devres versions of of_find_backlight (bsc#1090888) Taken for 6010831dde5.
- video: backlight: Add of_find_backlight helper in backlight.c (bsc#1090888) Taken for 6010831dde5.
- video: of: display_timing: Add of_node_put() in of_get_display_timing() (bsc#1051510).
- video: ssd1307fb: Start page range at page_offset (bsc#1113722).
- video: ssd1307fb: Start page range at page_offset (bsc#1152446).
- virtio/s390: fix race on airq_areas (bsc#1051510).
- virtio_console: allocate inbufs in add_port() only if it is needed (git-fixes).
- virtio_ring: fix return code on DMA mapping fails (git-fixes).
- vmxnet3: turn off lro when rxcsum is disabled (bsc#1157499).
- vsock/virtio: fix sock refcnt holding during the shutdown (git-fixes).
- vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05).
- watchdog: bcm2835_wdt: Fix module autoload (bsc#1051510).
- watchdog: fix compile time error of pretimeout governors (bsc#1051510).
- watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout (bsc#1051510).
- watchdog: meson: Fix the wrong value of left time (bsc#1051510).
- watchdog: sama5d4: fix WDD value to be always set to max (bsc#1051510).
- wcn36xx: use dynamic allocation for large variables (bsc#1111666).
- wil6210: drop Rx multicast packets that are looped-back to STA (bsc#1111666).
- wil6210: fix L2 RX status handling (bsc#1111666).
- wil6210: fix RGF_CAF_ICR address for Talyn-MB (bsc#1111666).
- wil6210: fix debugfs memory access alignment (bsc#1111666).
- wil6210: fix freeing of rx buffers in EDMA mode (bsc#1111666).
- wil6210: fix invalid memory access for rx_buff_mgmt debugfs (bsc#1111666).
- wil6210: fix locking in wmi_call (bsc#1111666).
- wil6210: prevent usage of tx ring 0 for eDMA (bsc#1111666).
- wil6210: set edma variables only for Talyn-MB devices (bsc#1111666).
- wimax/i2400m: fix a memory leak bug (bsc#1051510).
- x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h (bsc#1114279).
- x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811).
- x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811).
- x86/asm: Fix MWAITX C-state hint value (bsc#1114279).
- x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969).
- x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969).
- x86/entry/64/compat: Fix stack switching for XEN PV (bsc#1108382).
- x86/fpu: Add FPU state copying quirk to handle XRSTOR failure on Intel Skylake CPUs (bsc#1151955).
- x86/mm/pkeys: Fix typo in Documentation/x86/protection-keys.txt (bsc#1078248).
- x86/mm: Use WRITE_ONCE() when setting PTEs (bsc#1114279).
- x86/pkeys: Update documentation about availability (bsc#1078248).
- x86/resctrl: Fix potential lockdep warning (bsc#1114279).
- x86/resctrl: Prevent NULL pointer dereference when reading mondata (bsc#1114279).
- x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs (bsc#1158068).
- x86/speculation: Fix incorrect MDS/TAA mitigation status (bsc#1114279).
- x86/speculation: Fix redundant MDS mitigation message (bsc#1114279).
- x86/tls: Fix possible spectre-v1 in do_get_thread_area() (bsc#1114279).
- xdp: unpin xdp umem pages in error path (bsc#1109837).
- xen-netfront: do not assume sk_buff_head list is empty in error handling (bsc#1065600).
- xen-netfront: do not use ~0U as error return value for xennet_fill_frags() (bsc#1065600).
- xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600).
- xen/netback: Reset nr_frags before freeing skb (networking-stable-19_08_21).
- xen/netback: fix error path of xenvif_connect_data() (bsc#1065600).
- xen/pv: Fix Xen PV guest int3 handling (bsc#1153811).
- xen/xenbus: fix self-deadlock after killing user process (bsc#1065600).
- xfrm: Fix xfrm sel prefix length validation (git-fixes).
- xfrm: fix sa selector validation (bsc#1156609).
- xfs: Sanity check flags of Q_XQUOTARM call (bsc#1158652).
- xhci: Check all endpoints for LPM timeout (bsc#1051510).
- xhci: Fix false warning message about wrong bounce buffer write length (bsc#1051510).
- xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510).
- xhci: Increase STS_SAVE timeout in xhci_suspend() (bsc#1051510).
- xhci: Prevent device initiated U1/U2 link pm if exit latency is too long (bsc#1051510).
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
- xsk: Fix registration of Rx-only sockets (bsc#1109837).
- xsk: avoid store-tearing when assigning queues (bsc#1111666).
- xsk: avoid store-tearing when assigning umem (bsc#1111666).
- xsk: relax UMEM headroom alignment (bsc#1109837).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-93=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

   kernel-azure-4.12.14-16.7.1
   kernel-azure-base-4.12.14-16.7.1
   kernel-azure-base-debuginfo-4.12.14-16.7.1
   kernel-azure-debuginfo-4.12.14-16.7.1
   kernel-azure-debugsource-4.12.14-16.7.1
   kernel-azure-devel-4.12.14-16.7.1
   kernel-syms-azure-4.12.14-16.7.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):

   kernel-devel-azure-4.12.14-16.7.1
   kernel-source-azure-4.12.14-16.7.1

References:

https://www.suse.com/security/cve/CVE-2017-18595.html https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-0154.html https://www.suse.com/security/cve/CVE-2019-0155.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-14821.html https://www.suse.com/security/cve/CVE-2019-14835.html https://www.suse.com/security/cve/CVE-2019-14895.html https://www.suse.com/security/cve/CVE-2019-14901.html https://www.suse.com/security/cve/CVE-2019-15030.html https://www.suse.com/security/cve/CVE-2019-15031.html https://www.suse.com/security/cve/CVE-2019-15213.html https://www.suse.com/security/cve/CVE-2019-15916.html https://www.suse.com/security/cve/CVE-2019-16231.html https://www.suse.com/security/cve/CVE-2019-16232.html https://www.suse.com/security/cve/CVE-2019-16233.html https://www.suse.com/security/cve/CVE-2019-16234.html https://www.suse.com/security/cve/CVE-2019-16746.html https://www.suse.com/security/cve/CVE-2019-16995.html https://www.suse.com/security/cve/CVE-2019-17055.html https://www.suse.com/security/cve/CVE-2019-17056.html https://www.suse.com/security/cve/CVE-2019-17133.html https://www.suse.com/security/cve/CVE-2019-17666.html https://www.suse.com/security/cve/CVE-2019-18660.html https://www.suse.com/security/cve/CVE-2019-18683.html
https://www.suse.com/security/cve/CVE-2019-18805.html https://www.suse.com/security/cve/CVE-2019-18808.html https://www.suse.com/security/cve/CVE-2019-18809.html https://www.suse.com/security/cve/CVE-2019-19046.html https://www.suse.com/security/cve/CVE-2019-19049.html https://www.suse.com/security/cve/CVE-2019-19051.html https://www.suse.com/security/cve/CVE-2019-19052.html https://www.suse.com/security/cve/CVE-2019-19056.html https://www.suse.com/security/cve/CVE-2019-19057.html https://www.suse.com/security/cve/CVE-2019-19058.html https://www.suse.com/security/cve/CVE-2019-19060.html https://www.suse.com/security/cve/CVE-2019-19062.html https://www.suse.com/security/cve/CVE-2019-19063.html https://www.suse.com/security/cve/CVE-2019-19065.html https://www.suse.com/security/cve/CVE-2019-19066.html https://www.suse.com/security/cve/CVE-2019-19067.html https://www.suse.com/security/cve/CVE-2019-19068.html https://www.suse.com/security/cve/CVE-2019-19073.html https://www.suse.com/security/cve/CVE-2019-19074.html https://www.suse.com/security/cve/CVE-2019-19075.html https://www.suse.com/security/cve/CVE-2019-19077.html https://www.suse.com/security/cve/CVE-2019-19078.html https://www.suse.com/security/cve/CVE-2019-19080.html https://www.suse.com/security/cve/CVE-2019-19081.html https://www.suse.com/security/cve/CVE-2019-19082.html https://www.suse.com/security/cve/CVE-2019-19083.html https://www.suse.com/security/cve/CVE-2019-19227.html https://www.suse.com/security/cve/CVE-2019-19319.html https://www.suse.com/security/cve/CVE-2019-19332.html https://www.suse.com/security/cve/CVE-2019-19338.html https://www.suse.com/security/cve/CVE-2019-19447.html https://www.suse.com/security/cve/CVE-2019-19523.html https://www.suse.com/security/cve/CVE-2019-19524.html https://www.suse.com/security/cve/CVE-2019-19525.html https://www.suse.com/security/cve/CVE-2019-19526.html https://www.suse.com/security/cve/CVE-2019-19527.html https://www.suse.com/security/cve/CVE-2019-19528.html 
https://www.suse.com/security/cve/CVE-2019-19529.html https://www.suse.com/security/cve/CVE-2019-19530.html https://www.suse.com/security/cve/CVE-2019-19531.html https://www.suse.com/security/cve/CVE-2019-19532.html https://www.suse.com/security/cve/CVE-2019-19533.html https://www.suse.com/security/cve/CVE-2019-19534.html https://www.suse.com/security/cve/CVE-2019-19535.html https://www.suse.com/security/cve/CVE-2019-19536.html https://www.suse.com/security/cve/CVE-2019-19537.html https://www.suse.com/security/cve/CVE-2019-19543.html https://www.suse.com/security/cve/CVE-2019-19767.html https://www.suse.com/security/cve/CVE-2019-19966.html https://www.suse.com/security/cve/CVE-2019-20054.html https://www.suse.com/security/cve/CVE-2019-20095.html https://www.suse.com/security/cve/CVE-2019-20096.html https://www.suse.com/security/cve/CVE-2019-9456.html https://www.suse.com/security/cve/CVE-2019-9506.html https://bugzilla.suse.com/1046299 https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1046305 https://bugzilla.suse.com/1048942 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1050536 https://bugzilla.suse.com/1050545 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1055117 https://bugzilla.suse.com/1055186 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1064802 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1066129 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1073513 https://bugzilla.suse.com/1078248 https://bugzilla.suse.com/1082555 https://bugzilla.suse.com/1082635 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1086323 https://bugzilla.suse.com/1087092 https://bugzilla.suse.com/1089644 https://bugzilla.suse.com/1090631 https://bugzilla.suse.com/1090888 https://bugzilla.suse.com/1091041 https://bugzilla.suse.com/1093205 https://bugzilla.suse.com/1096254 https://bugzilla.suse.com/1097583 https://bugzilla.suse.com/1097584 
From sle-updates at lists.suse.com Tue Jan 14 10:11:44 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 18:11:44 +0100 (CET)
Subject: SUSE-OU-2020:0097-1: Optional update for yast2-samba-server
Message-ID: <20200114171144.E5FC6F796@maintenance.suse.de>

   SUSE Optional Update: Optional update for yast2-samba-server
______________________________________________________________________________

Announcement ID:    SUSE-OU-2020:0097-1
Rating:             low
References:         #1103691 #1104644
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that has two optional fixes can now be installed.

Description:

   This update for yast2-samba-server doesn't fix any user visible issues.

Patch Instructions:

   To install this SUSE Optional Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-97=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15 (noarch):

      yast2-samba-server-4.0.4-3.6.140

References:

   https://bugzilla.suse.com/1103691
   https://bugzilla.suse.com/1104644

From sle-updates at lists.suse.com Tue Jan 14 10:12:31 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 18:12:31 +0100 (CET)
Subject: SUSE-RU-2020:0095-1: moderate: Recommended update for mksusecd
Message-ID: <20200114171231.8AC47F796@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for mksusecd
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0095-1
Rating:             moderate
References:         #1141223 #1158131
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for mksusecd fixes the following issues:

   - Choose correct kernel image name for aarch64. (bsc#1158131)
   - Adjust boot files for s390x architecture. (bsc#1141223)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-95=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      mksusecd-1.71-7.6.1
      mksusecd-debuginfo-1.71-7.6.1
      mksusecd-debugsource-1.71-7.6.1

References:

   https://bugzilla.suse.com/1141223
   https://bugzilla.suse.com/1158131

From sle-updates at lists.suse.com Tue Jan 14 10:13:18 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 18:13:18 +0100 (CET)
Subject: SUSE-RU-2020:0096-1: moderate: Recommended update for mksusecd
Message-ID: <20200114171318.62135F796@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for mksusecd
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0096-1
Rating:             moderate
References:         #1141223 #1158131
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for mksusecd fixes the following issues:

   - Choose correct kernel image name for aarch64. (bsc#1158131)
   - Adjust boot files for s390x architecture. (bsc#1141223)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-96=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):

      mksusecd-1.71-3.6.1
      mksusecd-debuginfo-1.71-3.6.1
      mksusecd-debugsource-1.71-3.6.1

References:

   https://bugzilla.suse.com/1141223
   https://bugzilla.suse.com/1158131

From sle-updates at lists.suse.com Tue Jan 14 10:15:18 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 18:15:18 +0100 (CET)
Subject: SUSE-RU-2020:0098-1: Recommended update for gcc48
Message-ID: <20200114171518.50B64F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for gcc48
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0098-1
Rating:             low
References:         #1071995
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Workstation Extension 12-SP4
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for gcc48 fixes the following issues:

   - Add changes needed for SLE15 live patching. (bsc#1071995, fate#323487)
   - Provide .ipa-clones dump files. (bsc#1071995, fate#323487)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:

      zypper in -t patch SUSE-SLE-WE-12-SP5-2020-98=1

   - SUSE Linux Enterprise Workstation Extension 12-SP4:

      zypper in -t patch SUSE-SLE-WE-12-SP4-2020-98=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-98=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-98=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-98=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-98=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-98=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

      gcc48-gij-32bit-4.8.5-31.23.2
      gcc48-gij-4.8.5-31.23.2
      gcc48-gij-debuginfo-32bit-4.8.5-31.23.2
      gcc48-gij-debuginfo-4.8.5-31.23.2
      libgcj48-32bit-4.8.5-31.23.2
      libgcj48-4.8.5-31.23.2
      libgcj48-debuginfo-32bit-4.8.5-31.23.2
      libgcj48-debuginfo-4.8.5-31.23.2
      libgcj48-debugsource-4.8.5-31.23.2
      libgcj48-jar-4.8.5-31.23.2
      libgcj_bc1-4.8.5-31.23.2

   - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):

      gcc48-gij-32bit-4.8.5-31.23.2
      gcc48-gij-4.8.5-31.23.2
      gcc48-gij-debuginfo-32bit-4.8.5-31.23.2
      gcc48-gij-debuginfo-4.8.5-31.23.2
      libgcj48-32bit-4.8.5-31.23.2
      libgcj48-4.8.5-31.23.2
      libgcj48-debuginfo-32bit-4.8.5-31.23.2
      libgcj48-debuginfo-4.8.5-31.23.2
      libgcj48-debugsource-4.8.5-31.23.2
      libgcj48-jar-4.8.5-31.23.2
      libgcj_bc1-4.8.5-31.23.2

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      gcc48-debuginfo-4.8.5-31.23.2
      gcc48-debugsource-4.8.5-31.23.2
      gcc48-fortran-4.8.5-31.23.2
      gcc48-fortran-debuginfo-4.8.5-31.23.2
      gcc48-gij-4.8.5-31.23.2
      gcc48-gij-debuginfo-4.8.5-31.23.2
      gcc48-java-4.8.5-31.23.2
      gcc48-java-debuginfo-4.8.5-31.23.2
      gcc48-obj-c++-4.8.5-31.23.2
      gcc48-obj-c++-debuginfo-4.8.5-31.23.2
      gcc48-objc-4.8.5-31.23.2
      gcc48-objc-debuginfo-4.8.5-31.23.2
      libffi48-debugsource-4.8.5-31.23.2
      libffi48-devel-4.8.5-31.23.2
      libgcj48-4.8.5-31.23.2
      libgcj48-debuginfo-4.8.5-31.23.2
      libgcj48-debugsource-4.8.5-31.23.2
      libgcj48-devel-4.8.5-31.23.2
      libgcj48-devel-debuginfo-4.8.5-31.23.2
      libgcj48-jar-4.8.5-31.23.2
      libgcj_bc1-4.8.5-31.23.2
      libobjc4-4.8.5-31.23.2
      libobjc4-debuginfo-4.8.5-31.23.2

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (s390x x86_64):

      gcc48-objc-32bit-4.8.5-31.23.2
      libobjc4-32bit-4.8.5-31.23.2

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64):

      gcc48-4.8.5-31.23.2
      gcc48-c++-4.8.5-31.23.2
      gcc48-c++-debuginfo-4.8.5-31.23.2
      gcc48-locale-4.8.5-31.23.2
      libstdc++48-devel-4.8.5-31.23.2

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (x86_64):

      gcc48-ada-4.8.5-31.23.2
      gcc48-ada-debuginfo-4.8.5-31.23.2
      libada48-4.8.5-31.23.2
      libada48-debuginfo-4.8.5-31.23.2

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

      gcc48-info-4.8.5-31.23.2

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

      gcc48-debuginfo-4.8.5-31.23.2
      gcc48-debugsource-4.8.5-31.23.2
      gcc48-fortran-4.8.5-31.23.2
      gcc48-fortran-debuginfo-4.8.5-31.23.2
      gcc48-gij-4.8.5-31.23.2
      gcc48-gij-debuginfo-4.8.5-31.23.2
      gcc48-java-4.8.5-31.23.2
      gcc48-java-debuginfo-4.8.5-31.23.2
      gcc48-obj-c++-4.8.5-31.23.2
      gcc48-obj-c++-debuginfo-4.8.5-31.23.2
      gcc48-objc-4.8.5-31.23.2
      gcc48-objc-debuginfo-4.8.5-31.23.2
      libffi48-debugsource-4.8.5-31.23.2
      libffi48-devel-4.8.5-31.23.2
      libgcj48-4.8.5-31.23.2
      libgcj48-debuginfo-4.8.5-31.23.2
      libgcj48-debugsource-4.8.5-31.23.2
      libgcj48-devel-4.8.5-31.23.2
      libgcj48-devel-debuginfo-4.8.5-31.23.2
      libgcj48-jar-4.8.5-31.23.2
      libgcj_bc1-4.8.5-31.23.2
      libobjc4-4.8.5-31.23.2
      libobjc4-debuginfo-4.8.5-31.23.2

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (s390x x86_64):

      gcc48-objc-32bit-4.8.5-31.23.2
      libobjc4-32bit-4.8.5-31.23.2

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64):

      gcc48-4.8.5-31.23.2
      gcc48-c++-4.8.5-31.23.2
      gcc48-c++-debuginfo-4.8.5-31.23.2
      gcc48-locale-4.8.5-31.23.2
      libstdc++48-devel-4.8.5-31.23.2

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (x86_64):

      gcc48-ada-4.8.5-31.23.2
      gcc48-ada-debuginfo-4.8.5-31.23.2
      libada48-4.8.5-31.23.2
      libada48-debuginfo-4.8.5-31.23.2

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch):

      gcc48-info-4.8.5-31.23.2

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      cpp48-4.8.5-31.23.2
      cpp48-debuginfo-4.8.5-31.23.2
      gcc48-debuginfo-4.8.5-31.23.2
      gcc48-debugsource-4.8.5-31.23.2

   - SUSE Linux Enterprise Server 12-SP5 (ppc64le s390x x86_64):

      gcc48-4.8.5-31.23.2
      gcc48-c++-4.8.5-31.23.2
      gcc48-c++-debuginfo-4.8.5-31.23.2
      gcc48-locale-4.8.5-31.23.2
      libstdc++48-devel-4.8.5-31.23.2

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      gcc48-32bit-4.8.5-31.23.2
      libstdc++48-devel-32bit-4.8.5-31.23.2

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      gcc48-info-4.8.5-31.23.2

   - SUSE Linux Enterprise Server 12-SP5 (x86_64):

      libasan0-32bit-4.8.5-31.23.2
      libasan0-4.8.5-31.23.2
      libasan0-debuginfo-4.8.5-31.23.2

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      cpp48-4.8.5-31.23.2
      cpp48-debuginfo-4.8.5-31.23.2
      gcc48-debuginfo-4.8.5-31.23.2
      gcc48-debugsource-4.8.5-31.23.2

   - SUSE Linux Enterprise Server 12-SP4 (ppc64le s390x x86_64):

      gcc48-4.8.5-31.23.2
      gcc48-c++-4.8.5-31.23.2
      gcc48-c++-debuginfo-4.8.5-31.23.2
      gcc48-locale-4.8.5-31.23.2
      libstdc++48-devel-4.8.5-31.23.2

   - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):

      gcc48-32bit-4.8.5-31.23.2
      libstdc++48-devel-32bit-4.8.5-31.23.2

   - SUSE Linux Enterprise Server 12-SP4 (x86_64):

      libasan0-32bit-4.8.5-31.23.2
      libasan0-4.8.5-31.23.2
      libasan0-debuginfo-4.8.5-31.23.2

   - SUSE Linux Enterprise Server 12-SP4 (noarch):

      gcc48-info-4.8.5-31.23.2

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

      cpp48-4.8.5-31.23.2
      cpp48-debuginfo-4.8.5-31.23.2
      gcc48-32bit-4.8.5-31.23.2
      gcc48-4.8.5-31.23.2
      gcc48-c++-4.8.5-31.23.2
      gcc48-c++-debuginfo-4.8.5-31.23.2
      gcc48-debuginfo-4.8.5-31.23.2
      gcc48-debugsource-4.8.5-31.23.2
      gcc48-gij-32bit-4.8.5-31.23.2
      gcc48-gij-4.8.5-31.23.2
      gcc48-gij-debuginfo-32bit-4.8.5-31.23.2
      gcc48-gij-debuginfo-4.8.5-31.23.2
      libasan0-32bit-4.8.5-31.23.2
      libasan0-4.8.5-31.23.2
      libasan0-debuginfo-4.8.5-31.23.2
      libgcj48-32bit-4.8.5-31.23.2
      libgcj48-4.8.5-31.23.2
      libgcj48-debuginfo-32bit-4.8.5-31.23.2
      libgcj48-debuginfo-4.8.5-31.23.2
      libgcj48-debugsource-4.8.5-31.23.2
      libgcj48-jar-4.8.5-31.23.2
      libgcj_bc1-4.8.5-31.23.2
      libstdc++48-devel-32bit-4.8.5-31.23.2
      libstdc++48-devel-4.8.5-31.23.2

   - SUSE Linux Enterprise Desktop 12-SP4 (noarch):

      gcc48-info-4.8.5-31.23.2

References:

   https://bugzilla.suse.com/1071995

From sle-updates at lists.suse.com Tue Jan 14 13:14:22 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 21:14:22 +0100 (CET)
Subject: SUSE-SU-2020:0102-1: moderate: Security update for man
Message-ID: <20200114201422.1BCEDF796@maintenance.suse.de>

   SUSE Security Update: Security update for man
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0102-1
Rating:             moderate
References:         #1159105
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for man fixes the following issues:

   - Skip using 'safe-rm' in cron job below cache directory (bsc#1159105).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-102=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-102=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-102=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      man-2.6.6-4.3.1
      man-debuginfo-2.6.6-4.3.1
      man-debugsource-2.6.6-4.3.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      man-2.6.6-4.3.1
      man-debuginfo-2.6.6-4.3.1
      man-debugsource-2.6.6-4.3.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

      man-2.6.6-4.3.1
      man-debuginfo-2.6.6-4.3.1
      man-debugsource-2.6.6-4.3.1

References:

   https://bugzilla.suse.com/1159105

From sle-updates at lists.suse.com Tue Jan 14 13:15:02 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 21:15:02 +0100 (CET)
Subject: SUSE-RU-2020:0100-1: moderate: Recommended update for rpmlint
Message-ID: <20200114201502.46869F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for rpmlint
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0100-1
Rating:             moderate
References:         #1151418 #1157663
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for rpmlint contains the following fixes:

   - Whitelist sssd infopipe. (bsc#1157663)
   - Whitelist sysprof3 D-Bus services. (bsc#1151418)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-100=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):

      rpmlint-mini-1.10-5.10.1
      rpmlint-mini-debuginfo-1.10-5.10.1
      rpmlint-mini-debugsource-1.10-5.10.1

References:

   https://bugzilla.suse.com/1151418
   https://bugzilla.suse.com/1157663

From sle-updates at lists.suse.com Tue Jan 14 13:15:52 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 14 Jan 2020 21:15:52 +0100 (CET)
Subject: SUSE-SU-2020:0099-1: moderate: Security update for openssl-1_1
Message-ID: <20200114201552.0486BF798@maintenance.suse.de>

   SUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0099-1
Rating:             moderate
References:         #1133925 #1140277 #1150003 #1150247 #1150250 #1158809
Cross-References:   CVE-2019-1547 CVE-2019-1549 CVE-2019-1551 CVE-2019-1563
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that solves four vulnerabilities and has two fixes is now available.

Description:

   This update for openssl-1_1 fixes the following issues:

   Security issues fixed:

   - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring
     procedure used in exponentiation with 512-bit moduli (bsc#1158809).
   - CVE-2019-1563: Fixed a Bleichenbacher attack against the cms/pkcs7
     encryption transported key (bsc#1150250).
   - CVE-2019-1551: Fixed an integer overflow in RSAZ modular exponentiation
     on x86_64 (bsc#1158809).
   - CVE-2019-1549: Fixed a fork problem with the random generator (bsc#1150247).
   - CVE-2019-1547: Fixed EC_GROUP_set_generator side channel attack avoidance
     (bsc#1150003).

   Bug fixes:

   - Ship the openssl 1.1.1 binary as openssl-1_1, and make it installable in
     parallel with the system openssl (bsc#1140277).
   - Update to 1.1.1d (bsc#1133925, jsc#SLE-6430).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-99=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-99=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-99=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-99=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-99=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_1-devel-1.1.1d-2.20.1
      openssl-1_1-debuginfo-1.1.1d-2.20.1
      openssl-1_1-debugsource-1.1.1d-2.20.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (s390x x86_64):

      libopenssl-1_1-devel-32bit-1.1.1d-2.20.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_1-devel-1.1.1d-2.20.1
      openssl-1_1-debuginfo-1.1.1d-2.20.1
      openssl-1_1-debugsource-1.1.1d-2.20.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (s390x x86_64):

      libopenssl-1_1-devel-32bit-1.1.1d-2.20.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libopenssl1_1-1.1.1d-2.20.1
      libopenssl1_1-debuginfo-1.1.1d-2.20.1
      openssl-1_1-debuginfo-1.1.1d-2.20.1
      openssl-1_1-debugsource-1.1.1d-2.20.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libopenssl1_1-32bit-1.1.1d-2.20.1
      libopenssl1_1-debuginfo-32bit-1.1.1d-2.20.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      libopenssl1_1-1.1.1d-2.20.1
      libopenssl1_1-debuginfo-1.1.1d-2.20.1
      openssl-1_1-1.1.1d-2.20.1
      openssl-1_1-debuginfo-1.1.1d-2.20.1
      openssl-1_1-debugsource-1.1.1d-2.20.1

   - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):

      libopenssl1_1-32bit-1.1.1d-2.20.1
      libopenssl1_1-debuginfo-32bit-1.1.1d-2.20.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

      libopenssl1_1-1.1.1d-2.20.1
      libopenssl1_1-32bit-1.1.1d-2.20.1
      libopenssl1_1-debuginfo-1.1.1d-2.20.1
      libopenssl1_1-debuginfo-32bit-1.1.1d-2.20.1
      openssl-1_1-1.1.1d-2.20.1
      openssl-1_1-debuginfo-1.1.1d-2.20.1
      openssl-1_1-debugsource-1.1.1d-2.20.1

References:

   https://www.suse.com/security/cve/CVE-2019-1547.html
   https://www.suse.com/security/cve/CVE-2019-1549.html
   https://www.suse.com/security/cve/CVE-2019-1551.html
   https://www.suse.com/security/cve/CVE-2019-1563.html
   https://bugzilla.suse.com/1133925
   https://bugzilla.suse.com/1140277
   https://bugzilla.suse.com/1150003
   https://bugzilla.suse.com/1150247
   https://bugzilla.suse.com/1150250
   https://bugzilla.suse.com/1158809

From sle-updates at lists.suse.com Tue Jan 14 16:12:19 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 15 Jan 2020 00:12:19 +0100 (CET)
Subject: SUSE-SU-2020:0101-1: moderate: Security update for php7
Message-ID: <20200114231219.C5C8AF796@maintenance.suse.de>

   SUSE Security Update: Security update for php7
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0101-1
Rating:             moderate
References:         #1159922 #1159923 #1159924 #1159927
Cross-References:   CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11050
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 15-SP1
                    SUSE Linux Enterprise Module for Web Scripting 15
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for php7 fixes the following issues:

   - CVE-2019-11045: Fixed an issue with improper input validation in the
     filename handling of the DirectoryIterator class (bsc#1159923).
   - CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924).
   - CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in
     exif_read_data() (bsc#1159922, bsc#1159927).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-101=1

   - SUSE Linux Enterprise Module for Web Scripting 15:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-2020-101=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2020-101=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-101=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-101=1

Package List:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (aarch64 ppc64le s390x x86_64):

      apache2-mod_php7-7.2.5-4.49.1
      apache2-mod_php7-debuginfo-7.2.5-4.49.1
      php7-7.2.5-4.49.1
      php7-bcmath-7.2.5-4.49.1
      php7-bcmath-debuginfo-7.2.5-4.49.1
      php7-bz2-7.2.5-4.49.1
      php7-bz2-debuginfo-7.2.5-4.49.1
      php7-calendar-7.2.5-4.49.1
      php7-calendar-debuginfo-7.2.5-4.49.1
      php7-ctype-7.2.5-4.49.1
      php7-ctype-debuginfo-7.2.5-4.49.1
      php7-curl-7.2.5-4.49.1
      php7-curl-debuginfo-7.2.5-4.49.1
      php7-dba-7.2.5-4.49.1
      php7-dba-debuginfo-7.2.5-4.49.1
      php7-debuginfo-7.2.5-4.49.1
      php7-debugsource-7.2.5-4.49.1
      php7-devel-7.2.5-4.49.1
      php7-dom-7.2.5-4.49.1
      php7-dom-debuginfo-7.2.5-4.49.1
      php7-enchant-7.2.5-4.49.1
      php7-enchant-debuginfo-7.2.5-4.49.1
      php7-exif-7.2.5-4.49.1
      php7-exif-debuginfo-7.2.5-4.49.1
      php7-fastcgi-7.2.5-4.49.1
      php7-fastcgi-debuginfo-7.2.5-4.49.1
      php7-fileinfo-7.2.5-4.49.1
      php7-fileinfo-debuginfo-7.2.5-4.49.1
      php7-fpm-7.2.5-4.49.1
      php7-fpm-debuginfo-7.2.5-4.49.1
      php7-ftp-7.2.5-4.49.1
      php7-ftp-debuginfo-7.2.5-4.49.1
      php7-gd-7.2.5-4.49.1
      php7-gd-debuginfo-7.2.5-4.49.1
      php7-gettext-7.2.5-4.49.1
      php7-gettext-debuginfo-7.2.5-4.49.1
      php7-gmp-7.2.5-4.49.1
      php7-gmp-debuginfo-7.2.5-4.49.1
      php7-iconv-7.2.5-4.49.1
      php7-iconv-debuginfo-7.2.5-4.49.1
      php7-intl-7.2.5-4.49.1
      php7-intl-debuginfo-7.2.5-4.49.1
      php7-json-7.2.5-4.49.1
      php7-json-debuginfo-7.2.5-4.49.1
      php7-ldap-7.2.5-4.49.1
      php7-ldap-debuginfo-7.2.5-4.49.1
      php7-mbstring-7.2.5-4.49.1
      php7-mbstring-debuginfo-7.2.5-4.49.1
      php7-mysql-7.2.5-4.49.1
      php7-mysql-debuginfo-7.2.5-4.49.1
      php7-odbc-7.2.5-4.49.1
      php7-odbc-debuginfo-7.2.5-4.49.1
      php7-opcache-7.2.5-4.49.1
      php7-opcache-debuginfo-7.2.5-4.49.1
      php7-openssl-7.2.5-4.49.1
      php7-openssl-debuginfo-7.2.5-4.49.1
      php7-pcntl-7.2.5-4.49.1
      php7-pcntl-debuginfo-7.2.5-4.49.1
      php7-pdo-7.2.5-4.49.1
      php7-pdo-debuginfo-7.2.5-4.49.1
      php7-pgsql-7.2.5-4.49.1
      php7-pgsql-debuginfo-7.2.5-4.49.1
      php7-phar-7.2.5-4.49.1
      php7-phar-debuginfo-7.2.5-4.49.1
      php7-posix-7.2.5-4.49.1
      php7-posix-debuginfo-7.2.5-4.49.1
      php7-shmop-7.2.5-4.49.1
      php7-shmop-debuginfo-7.2.5-4.49.1
      php7-snmp-7.2.5-4.49.1
      php7-snmp-debuginfo-7.2.5-4.49.1
      php7-soap-7.2.5-4.49.1
      php7-soap-debuginfo-7.2.5-4.49.1
      php7-sockets-7.2.5-4.49.1
      php7-sockets-debuginfo-7.2.5-4.49.1
      php7-sodium-7.2.5-4.49.1
      php7-sodium-debuginfo-7.2.5-4.49.1
      php7-sqlite-7.2.5-4.49.1
      php7-sqlite-debuginfo-7.2.5-4.49.1
      php7-sysvmsg-7.2.5-4.49.1
      php7-sysvmsg-debuginfo-7.2.5-4.49.1
      php7-sysvsem-7.2.5-4.49.1
      php7-sysvsem-debuginfo-7.2.5-4.49.1
      php7-sysvshm-7.2.5-4.49.1
      php7-sysvshm-debuginfo-7.2.5-4.49.1
php7-tokenizer-7.2.5-4.49.1 php7-tokenizer-debuginfo-7.2.5-4.49.1 php7-wddx-7.2.5-4.49.1 php7-wddx-debuginfo-7.2.5-4.49.1 php7-xmlreader-7.2.5-4.49.1 php7-xmlreader-debuginfo-7.2.5-4.49.1 php7-xmlrpc-7.2.5-4.49.1 php7-xmlrpc-debuginfo-7.2.5-4.49.1 php7-xmlwriter-7.2.5-4.49.1 php7-xmlwriter-debuginfo-7.2.5-4.49.1 php7-xsl-7.2.5-4.49.1 php7-xsl-debuginfo-7.2.5-4.49.1 php7-zip-7.2.5-4.49.1 php7-zip-debuginfo-7.2.5-4.49.1 php7-zlib-7.2.5-4.49.1 php7-zlib-debuginfo-7.2.5-4.49.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch): php7-pear-7.2.5-4.49.1 php7-pear-Archive_Tar-7.2.5-4.49.1 - SUSE Linux Enterprise Module for Web Scripting 15 (aarch64 ppc64le s390x x86_64): apache2-mod_php7-7.2.5-4.49.1 apache2-mod_php7-debuginfo-7.2.5-4.49.1 php7-7.2.5-4.49.1 php7-bcmath-7.2.5-4.49.1 php7-bcmath-debuginfo-7.2.5-4.49.1 php7-bz2-7.2.5-4.49.1 php7-bz2-debuginfo-7.2.5-4.49.1 php7-calendar-7.2.5-4.49.1 php7-calendar-debuginfo-7.2.5-4.49.1 php7-ctype-7.2.5-4.49.1 php7-ctype-debuginfo-7.2.5-4.49.1 php7-curl-7.2.5-4.49.1 php7-curl-debuginfo-7.2.5-4.49.1 php7-dba-7.2.5-4.49.1 php7-dba-debuginfo-7.2.5-4.49.1 php7-debuginfo-7.2.5-4.49.1 php7-debugsource-7.2.5-4.49.1 php7-devel-7.2.5-4.49.1 php7-dom-7.2.5-4.49.1 php7-dom-debuginfo-7.2.5-4.49.1 php7-enchant-7.2.5-4.49.1 php7-enchant-debuginfo-7.2.5-4.49.1 php7-exif-7.2.5-4.49.1 php7-exif-debuginfo-7.2.5-4.49.1 php7-fastcgi-7.2.5-4.49.1 php7-fastcgi-debuginfo-7.2.5-4.49.1 php7-fileinfo-7.2.5-4.49.1 php7-fileinfo-debuginfo-7.2.5-4.49.1 php7-fpm-7.2.5-4.49.1 php7-fpm-debuginfo-7.2.5-4.49.1 php7-ftp-7.2.5-4.49.1 php7-ftp-debuginfo-7.2.5-4.49.1 php7-gd-7.2.5-4.49.1 php7-gd-debuginfo-7.2.5-4.49.1 php7-gettext-7.2.5-4.49.1 php7-gettext-debuginfo-7.2.5-4.49.1 php7-gmp-7.2.5-4.49.1 php7-gmp-debuginfo-7.2.5-4.49.1 php7-iconv-7.2.5-4.49.1 php7-iconv-debuginfo-7.2.5-4.49.1 php7-intl-7.2.5-4.49.1 php7-intl-debuginfo-7.2.5-4.49.1 php7-json-7.2.5-4.49.1 php7-json-debuginfo-7.2.5-4.49.1 php7-ldap-7.2.5-4.49.1 
php7-ldap-debuginfo-7.2.5-4.49.1 php7-mbstring-7.2.5-4.49.1 php7-mbstring-debuginfo-7.2.5-4.49.1 php7-mysql-7.2.5-4.49.1 php7-mysql-debuginfo-7.2.5-4.49.1 php7-odbc-7.2.5-4.49.1 php7-odbc-debuginfo-7.2.5-4.49.1 php7-opcache-7.2.5-4.49.1 php7-opcache-debuginfo-7.2.5-4.49.1 php7-openssl-7.2.5-4.49.1 php7-openssl-debuginfo-7.2.5-4.49.1 php7-pcntl-7.2.5-4.49.1 php7-pcntl-debuginfo-7.2.5-4.49.1 php7-pdo-7.2.5-4.49.1 php7-pdo-debuginfo-7.2.5-4.49.1 php7-pgsql-7.2.5-4.49.1 php7-pgsql-debuginfo-7.2.5-4.49.1 php7-phar-7.2.5-4.49.1 php7-phar-debuginfo-7.2.5-4.49.1 php7-posix-7.2.5-4.49.1 php7-posix-debuginfo-7.2.5-4.49.1 php7-shmop-7.2.5-4.49.1 php7-shmop-debuginfo-7.2.5-4.49.1 php7-snmp-7.2.5-4.49.1 php7-snmp-debuginfo-7.2.5-4.49.1 php7-soap-7.2.5-4.49.1 php7-soap-debuginfo-7.2.5-4.49.1 php7-sockets-7.2.5-4.49.1 php7-sockets-debuginfo-7.2.5-4.49.1 php7-sodium-7.2.5-4.49.1 php7-sodium-debuginfo-7.2.5-4.49.1 php7-sqlite-7.2.5-4.49.1 php7-sqlite-debuginfo-7.2.5-4.49.1 php7-sysvmsg-7.2.5-4.49.1 php7-sysvmsg-debuginfo-7.2.5-4.49.1 php7-sysvsem-7.2.5-4.49.1 php7-sysvsem-debuginfo-7.2.5-4.49.1 php7-sysvshm-7.2.5-4.49.1 php7-sysvshm-debuginfo-7.2.5-4.49.1 php7-tokenizer-7.2.5-4.49.1 php7-tokenizer-debuginfo-7.2.5-4.49.1 php7-wddx-7.2.5-4.49.1 php7-wddx-debuginfo-7.2.5-4.49.1 php7-xmlreader-7.2.5-4.49.1 php7-xmlreader-debuginfo-7.2.5-4.49.1 php7-xmlrpc-7.2.5-4.49.1 php7-xmlrpc-debuginfo-7.2.5-4.49.1 php7-xmlwriter-7.2.5-4.49.1 php7-xmlwriter-debuginfo-7.2.5-4.49.1 php7-xsl-7.2.5-4.49.1 php7-xsl-debuginfo-7.2.5-4.49.1 php7-zip-7.2.5-4.49.1 php7-zip-debuginfo-7.2.5-4.49.1 php7-zlib-7.2.5-4.49.1 php7-zlib-debuginfo-7.2.5-4.49.1 - SUSE Linux Enterprise Module for Web Scripting 15 (noarch): php7-pear-7.2.5-4.49.1 php7-pear-Archive_Tar-7.2.5-4.49.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.2.5-4.49.1 php7-debugsource-7.2.5-4.49.1 php7-embed-7.2.5-4.49.1 php7-embed-debuginfo-7.2.5-4.49.1 - SUSE Linux Enterprise Module for 
Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.2.5-4.49.1 php7-debugsource-7.2.5-4.49.1 php7-embed-7.2.5-4.49.1 php7-embed-debuginfo-7.2.5-4.49.1 php7-readline-7.2.5-4.49.1 php7-readline-debuginfo-7.2.5-4.49.1 php7-sodium-7.2.5-4.49.1 php7-sodium-debuginfo-7.2.5-4.49.1 php7-tidy-7.2.5-4.49.1 php7-tidy-debuginfo-7.2.5-4.49.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.2.5-4.49.1 php7-debugsource-7.2.5-4.49.1 php7-embed-7.2.5-4.49.1 php7-embed-debuginfo-7.2.5-4.49.1 php7-readline-7.2.5-4.49.1 php7-readline-debuginfo-7.2.5-4.49.1 php7-sodium-7.2.5-4.49.1 php7-sodium-debuginfo-7.2.5-4.49.1 php7-tidy-7.2.5-4.49.1 php7-tidy-debuginfo-7.2.5-4.49.1 References: https://www.suse.com/security/cve/CVE-2019-11045.html https://www.suse.com/security/cve/CVE-2019-11046.html https://www.suse.com/security/cve/CVE-2019-11047.html https://www.suse.com/security/cve/CVE-2019-11050.html https://bugzilla.suse.com/1159922 https://bugzilla.suse.com/1159923 https://bugzilla.suse.com/1159924 https://bugzilla.suse.com/1159927 From sle-updates at lists.suse.com Wed Jan 15 07:12:07 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 15 Jan 2020 15:12:07 +0100 (CET) Subject: SUSE-SU-2020:0104-1: important: Security update for nodejs10 Message-ID: <20200115141207.61973F796@maintenance.suse.de> SUSE Security Update: Security update for nodejs10 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0104-1 Rating: important References: #1149792 #1159352 #1159812 Cross-References: CVE-2019-16775 CVE-2019-16776 CVE-2019-16777 Affected Products: SUSE Linux Enterprise Module for Web Scripting 15-SP1 SUSE Linux Enterprise Module for Web Scripting 15 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. 
Description:

This update for nodejs10 to version 10.18.0 fixes the following issues:

Security issues fixed:

- CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated npm to 6.13.4, fixing an arbitrary path overwrite and access via "bin" field (bsc#1159352).
- Added support for chacha20-poly1305 for Authenticated encryption (AEAD).

Non-security issues fixed:

- Fixed wrong path in gypi files (bsc#1159812).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Web Scripting 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-104=1
- SUSE Linux Enterprise Module for Web Scripting 15:
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-2020-104=1

Package List:

- SUSE Linux Enterprise Module for Web Scripting 15-SP1 (aarch64 ppc64le s390x x86_64):
  nodejs10-10.18.0-1.15.1 nodejs10-debuginfo-10.18.0-1.15.1 nodejs10-debugsource-10.18.0-1.15.1 nodejs10-devel-10.18.0-1.15.1 npm10-10.18.0-1.15.1

- SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch):
  nodejs10-docs-10.18.0-1.15.1

- SUSE Linux Enterprise Module for Web Scripting 15 (aarch64 ppc64le s390x x86_64):
  nodejs10-10.18.0-1.15.1 nodejs10-debuginfo-10.18.0-1.15.1 nodejs10-debugsource-10.18.0-1.15.1 nodejs10-devel-10.18.0-1.15.1 npm10-10.18.0-1.15.1

- SUSE Linux Enterprise Module for Web Scripting 15 (noarch):
  nodejs10-docs-10.18.0-1.15.1

References:

https://www.suse.com/security/cve/CVE-2019-16775.html
https://www.suse.com/security/cve/CVE-2019-16776.html
https://www.suse.com/security/cve/CVE-2019-16777.html
https://bugzilla.suse.com/1149792
https://bugzilla.suse.com/1159352
https://bugzilla.suse.com/1159812

From sle-updates at lists.suse.com Wed Jan 15 07:13:03 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 15 Jan 2020 15:13:03 +0100 (CET)
Subject: SUSE-RU-2020:0105-1: moderate: Recommended update for open-iscsi
Message-ID: <20200115141303.B5E09F796@maintenance.suse.de>

SUSE Recommended Update: Recommended update for open-iscsi
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:0105-1
Rating: moderate
References: #1158939
Affected Products:
  SUSE CaaS Platform 3.0
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for open-iscsi fixes the following issues:

- Fixes issues with DHCP and ICMP (bsc#1158939).

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE CaaS Platform 3.0:
  To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE CaaS Platform 3.0 (x86_64):
  iscsiuio-0.7.8.2-53.28.2 iscsiuio-debuginfo-0.7.8.2-53.28.2 libopeniscsiusr0_2_0-2.0.876-53.28.2 libopeniscsiusr0_2_0-debuginfo-2.0.876-53.28.2
  open-iscsi-2.0.876-53.28.2 open-iscsi-debuginfo-2.0.876-53.28.2 open-iscsi-debugsource-2.0.876-53.28.2

References:

https://bugzilla.suse.com/1158939

From sle-updates at lists.suse.com Wed Jan 15 10:12:36 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 15 Jan 2020 18:12:36 +0100 (CET)
Subject: SUSE-RU-2020:0109-1: moderate: Recommended update for hawk2
Message-ID: <20200115171236.E6B87F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for hawk2
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:0109-1
Rating: moderate
References: #1158681
Affected Products:
  SUSE Linux Enterprise High Availability 15-SP1
  SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for hawk2 fixes the following issues:

- Fix the 'acl_version' method when parsing the cib.xml to avoid hanging of HAWK2 (bsc#1158681)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability 15-SP1:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-109=1
- SUSE Linux Enterprise High Availability 15:
  zypper in -t patch SUSE-SLE-Product-HA-15-2020-109=1

Package List:

- SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):
  hawk2-2.1.0+git.1526638315.05cdaf9d-3.6.1 hawk2-debuginfo-2.1.0+git.1526638315.05cdaf9d-3.6.1 hawk2-debugsource-2.1.0+git.1526638315.05cdaf9d-3.6.1

- SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):
  hawk2-2.1.0+git.1526638315.05cdaf9d-3.6.1 hawk2-debuginfo-2.1.0+git.1526638315.05cdaf9d-3.6.1 hawk2-debugsource-2.1.0+git.1526638315.05cdaf9d-3.6.1

References:

https://bugzilla.suse.com/1158681

From sle-updates at lists.suse.com Wed Jan 15 10:13:25 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 15 Jan 2020 18:13:25 +0100 (CET)
Subject: SUSE-RU-2020:0106-1: important: Recommended update for libgcrypt
Message-ID: <20200115171325.23BDEF798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for libgcrypt
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:0106-1
Rating: important
References: #1155338 #1155339
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server for SAP 12-SP1
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Linux Enterprise Server 12-SP1-LTSS
  SUSE Linux Enterprise Desktop 12-SP4
  SUSE Enterprise Storage 5
  SUSE CaaS Platform 3.0
  HPE Helion Openstack 8
______________________________________________________________________________

An update that has two recommended fixes can now be installed.

Description:

This update for libgcrypt fixes the following issues:

- Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode
- Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-106=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-106=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-106=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-106=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-106=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-106=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-106=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-106=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-106=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-106=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-106=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-106=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-106=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-106=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-106=1
- SUSE Linux Enterprise Desktop 12-SP4:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-106=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-106=1
- SUSE CaaS Platform 3.0:
  To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-106=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3
  libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE OpenStack Cloud 8 (x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3
  libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE OpenStack Cloud 7 (s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3
  libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt-devel-1.6.1-16.71.3 libgcrypt-devel-debuginfo-1.6.1-16.71.3

- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt-devel-1.6.1-16.71.3 libgcrypt-devel-debuginfo-1.6.1-16.71.3

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3

- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
  libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3

- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
  libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3
  libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
  libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):
  libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
  libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3
  libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):
  libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3
  libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3

- SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64):
  libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3
  libgcrypt20-debuginfo-32bit-1.6.1-16.71.3

- SUSE Enterprise Storage 5 (aarch64 x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3

- SUSE Enterprise Storage 5 (x86_64):
  libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

- SUSE CaaS Platform 3.0 (x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3

- HPE Helion Openstack 8 (x86_64):
  libgcrypt-debugsource-1.6.1-16.71.3 libgcrypt20-1.6.1-16.71.3 libgcrypt20-32bit-1.6.1-16.71.3 libgcrypt20-debuginfo-1.6.1-16.71.3
  libgcrypt20-debuginfo-32bit-1.6.1-16.71.3 libgcrypt20-hmac-1.6.1-16.71.3 libgcrypt20-hmac-32bit-1.6.1-16.71.3

References:

https://bugzilla.suse.com/1155338
https://bugzilla.suse.com/1155339

From sle-updates at lists.suse.com Wed Jan 15 11:24:24 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 15 Jan 2020 19:24:24 +0100 (CET)
Subject: SUSE-CU-2019:702-1: Security update of caasp/v4/caaspctl-tooling
Message-ID: <20200115182424.933ACF798@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/caaspctl-tooling
-----------------------------------------------------------------

Container Advisory ID : SUSE-CU-2019:702-1
Container Tags        : caasp/v4/caaspctl-tooling:0.1.0 , caasp/v4/caaspctl-tooling:0.1.0-rev1 , caasp/v4/caaspctl-tooling:0.1.0-rev1-build1.49 , caasp/v4/caaspctl-tooling:beta
Severity              : important
Type                  : security
References            :
  1005023 1009532 1038194 1039099 1044840 1045723 1047002 1063675 1065270 1071321 1072183 1076696 1080919 1082318
  1083158 1084812 1084842 1086367 1086367 1087550 1088052 1088279 1088524 1089640 1089761 1090944 1091265 1091677
  1092877 1093753 1093753 1093851 1094150 1094154 1094161 1094222 1094735 1095096 1095148 1095661 1095670 1095973
  1096718 1096745 1096974 1096984 1097158 1098569 1099793 1100396 1100415 1100488 1101040 1101470 1101470 1101591
  1102046 1102310 1102526 1102564 1102908 1103320 1104531 1104780 1105031 1105166 1105437 1105459 1105460 1106019
  1107640 1107941 1109197 1109252 1110304 1110445 1110700 1111019 1111498 1112024 1112570 1112758 1113083 1113100
  1113632 1113660 1113665 1114135 1114407 1114674 1114675 1114681 1114686 1114933 1114984 1114993 1115640 1115929
  1117025 1117063 1118086 1118087 1118364 1119414 1119687 1119971 1120323 1120346 1120689 1121051 1121446 1121563
  1122000 1122729 1123043 1123333 1123371 1123377 1123378 1123727 1123892 1124153 1124223 1125352 1125410 1126096
  1126117 1126118 1126119 1126327 1126377 1126590 1128246 1129576 1129598 1129753 1130045 1130325 1130326 1130681
  1130682 1131060 1131686 915402 918346 943457 953659 960273 985657 991901
  CVE-2015-0247 CVE-2015-1572 CVE-2016-10739 CVE-2016-3189 CVE-2017-10790 CVE-2017-18269 CVE-2017-7500 CVE-2018-0500
  CVE-2018-0732 CVE-2018-1000858 CVE-2018-10360 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 CVE-2018-11236
  CVE-2018-11237 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686
  CVE-2018-15688 CVE-2018-16839 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866
  CVE-2018-16868 CVE-2018-16869 CVE-2018-16890 CVE-2018-17953 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313
  CVE-2018-18314 CVE-2018-19211 CVE-2018-20346 CVE-2018-6954 CVE-2018-9251 CVE-2019-3822 CVE-2019-3823 CVE-2019-3829
  CVE-2019-3836 CVE-2019-3880 CVE-2019-6454 CVE-2019-6706 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9936
  CVE-2019-9937 SLE-3853 SLE-4117
-----------------------------------------------------------------

The container caasp/v4/caaspctl-tooling was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released:    Tue Jun 26 11:41:00 2018
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1096745,CVE-2018-12020

Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1264-1
Released:    Tue Jul 3 10:56:12 2018
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  1086367

Description:
This update for curl provides the following fix:

- Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines. (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released:    Tue Jul 17 08:07:24 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1096718,CVE-2018-12015

Description:
This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released:    Thu Jul 19 09:25:08 2018
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237

Description:
This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released:    Thu Jul 19 09:50:32 2018
Summary:     Security update for e2fsprogs
Type:        security
Severity:    moderate
References:  1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572

Description:
This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released:    Thu Jul 19 12:47:33 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1100415

Description:
ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. (bsc#1100415)

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1396-1
Released:    Thu Jul 26 16:23:09 2018
Summary:     Security update for rpm
Type:        security
Severity:    moderate
References:  1094735,1095148,943457,CVE-2017-7500

Description:
This update for rpm fixes the following issues:

This security vulnerability was fixed:

- CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released:    Fri Jul 27 06:45:10 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569

Description:
This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1685-1
Released:    Fri Aug 17 18:20:58 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1099793,CVE-2018-0500

Description:
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released:    Fri Aug 24 16:40:21 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1104780

Description:
This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- removed server auth rights from following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- removed CA
  - ComSign CA
- new CA added:
  - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released:    Fri Aug 24 17:14:53 2018
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1072183

Description:
This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1904-1
Released:    Fri Sep 14 12:46:39 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1086367,1106019,CVE-2018-14618

Description:
This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)

This non-security issue was fixed:

- Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released:    Tue Sep 25 08:20:35 2018
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1071321

Description:
This update for zlib provides the following fixes:

- Speed up zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released:    Thu Sep 27 14:30:14 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1089640

Description:
This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2070-1
Released:    Fri Sep 28 08:02:02 2018
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846

Description:
This update for gnutls fixes the following security issues:

- Improved mitigations against Lucky 13 class of attacks
- CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460)
- CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459)
- CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437)
- CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2083-1
Released:    Sun Sep 30 14:06:33 2018
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1097158,1101470,CVE-2018-0732

Description:
This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks

These non-security issues were fixed:

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released:    Fri Oct 5 14:41:17 2018
Summary:     Recommended update for ca-certificates
Type:        recommended
Severity:    moderate
References:  1101470

Description:
This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released:    Tue Oct 9 09:00:13 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1095661,1095670,1100488

Description:
This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause the hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, where setting the SIGINT handler to the default and typing ^C would cause the shell to exit.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released:    Tue Oct 9 11:08:36 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251

Description:
This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case, leading to a denial of service attack (bsc#1102046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released:    Mon Oct 22 14:02:01 2018
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1102310,1104531

Description:
This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if the java system directory is empty. (bsc#1102310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released:    Fri Oct 26 12:39:07 2018
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1102526

Description:
This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2539-1
Released:    Tue Oct 30 16:17:23 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1113100

Description:
This update for rpm fixes the following issues:

- On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released:    Fri Nov 2 19:00:18 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1110700

Description:
This update for pam fixes the following issues:

- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2578-1
Released:    Mon Nov 5 17:55:35 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842

Description:
This update for curl fixes the following issues:

- CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released:    Wed Nov 7 11:14:42 2018
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688

Description:
This update for systemd fixes the following issues:

Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship the systemd-sysv-install helper via the main package. This script was part of the systemd-sysvinit sub-package, but that was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' produced harmless DENIED log entries. (bsc#991901)
- No longer adjust qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released:    Wed Nov 7 15:42:48 2018
Summary:     Optional update for gcc8
Type:        recommended
Severity:    low
References:  1084812,1084842,1087550,1094222,1102564

Description:
The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several bugs fixed, quite a few new warnings added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html

Changes needed and common pitfalls when porting software are also described on:
https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released:    Mon Dec 3 15:35:02 2018
Summary:     Security update for pam
Type:        security
Severity:    important
References:  1115640,CVE-2018-17953

Description:
This update for pam fixes the following issue:

Security issue fixed:
- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so, which was not honoured correctly when a single host was specified (bsc#1115640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2861-1
Released:    Thu Dec 6 14:32:01 2018
Summary:     Security update for ncurses
Type:        security
Severity:    important
References:  1103320,1115929,CVE-2018-19211

Description:
This update for ncurses fixes the following issues:

Security issue fixed:
- CVE-2018-19211: Fixed a denial of service issue that was triggered by a NULL pointer dereference in the function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:
- Remove scree.xterm from the terminfo database, as with this entry screen uses the fallback TERM=screen (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2984-1
Released:    Wed Dec 19 11:32:39 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314

Description:
This update for perl fixes the following issues:

Security issues fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2986-1
Released:    Wed Dec 19 13:53:22 2018
Summary:     Security update for libnettle
Type:        security
Severity:    moderate
References:  1118086,CVE-2018-16869

Description:
This update for libnettle fixes the following issues:

Security issues fixed:
- CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:23-1
Released:    Mon Jan 7 16:30:33 2019
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  1120346,CVE-2018-1000858

Description:
This update for gpg2 fixes the following issue:

Security issue fixed:
- CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in attacker-controlled CSRF (bsc#1120346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:44-1
Released:    Tue Jan 8 13:07:32 2019
Summary:     Recommended update for acl
Type:        recommended
Severity:    low
References:  953659

Description:
This update for acl fixes the following issues:

- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes. (bsc#953659)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:137-1
Released:    Mon Jan 21 15:52:45 2019
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954

Description:
This update for systemd provides the following fixes:

Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:
- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when setting up the inotify watch fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state. That failure exit code caused the hot-added memory block to not be set online. (bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:147-1
Released:    Wed Jan 23 17:57:31 2019
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1121446

Description:
This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:
- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:
- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:189-1
Released:    Mon Jan 28 14:14:46 2019
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:

Description:
This update for rpm fixes the following issues:

- Add kmod(module) provides to kernel and KMPs (fate#326579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:247-1
Released:    Wed Feb 6 07:18:45 2019
Summary:     Security update for lua53
Type:        security
Severity:    moderate
References:  1123043,CVE-2019-6706

Description:
This update for lua53 fixes the following issues:

Security issue fixed:
- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:248-1
Released:    Wed Feb 6 08:35:20 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823

Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released:    Wed Feb 13 14:01:42 2019
Summary:     Recommended update for itstool
Type:        recommended
Severity:    moderate
References:  1065270,1111019

Description:
This update for itstool and python-libxml2-python fixes the following issues:

Package: itstool
- Updated version to support Python3. (bnc#1111019)

Package: python-libxml2-python
- Fix segfault when parsing invalid data. (bsc#1065270)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:426-1
Released:    Mon Feb 18 17:46:55 2019
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454

Description:
This update for systemd fixes the following issues:

- CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- logind: fix bad error propagation
- login: log session state 'closing' (as well as New/Removed)
- logind: fix borked r check
- login: don't remove all devices from PID1 when only one was removed
- login: we only allow opening character devices
- login: correct comment in session_device_free()
- login: remember that fds received from PID1 need to be removed eventually
- login: fix FDNAME in call to sd_pid_notify_with_fds()
- logind: fd 0 is a valid fd
- logind: rework sd_eviocrevoke()
- logind: check file is device node before using .st_rdev
- logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
- core: add a new sd_notify() message for removing fds from the FD store again
- logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
- fd-util: accept that kcmp might fail with EPERM/EACCES
- core: Fix use after free case in load_from_path() (bsc#1121563)
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released:    Thu Mar 7 18:13:46 2019
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

Description:
This update for file fixes the following issues:

The following security vulnerabilities were addressed:
- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released:    Tue Mar 19 13:17:28 2019
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1112570,1114984,1114993

Description:
This update for glibc provides the following fixes:

- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only the C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released:    Wed Mar 20 14:54:12 2019
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    low
References:  1121051

Description:
This update for gpgme provides the following fix:

- Re-generate keys in Qt tests so they do not expire. (bsc#1121051)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released:    Thu Mar 21 19:54:00 2019
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1044840

Description:
This update for cyrus-sasl provides the following fix:

- Fix a problem that was causing syslog to be polluted with 'GSSAPI client step 1' messages. In the server context the connection is passed to the log function, but the client context does not carry log level information, so there was no way to suppress DEBUG level logs. (bsc#1044840)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released:    Fri Mar 22 15:55:05 2019
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1063675,1126590

Description:
This update for glibc fixes the following issues:

- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released:    Mon Mar 25 14:10:04 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1088524,1118364,1128246

Description:
This update for aaa_base fixes the following issues:

- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for the JRE_HOME env variable (bsc#1128246)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released:    Thu Mar 28 11:55:06 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1119687,CVE-2018-20346

Description:
This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed:
- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released:    Thu Mar 28 12:06:50 2019
Summary:     Security update for libnettle
Type:        recommended
Severity:    moderate
References:  1129598

Description:
This update for libnettle to version 3.4.1 fixes the following issues:

Issues addressed and new features:
- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error in the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and to the processing of PKCS#1 padding needed for RSA decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of the length and return value may still provide an oracle usable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released:    Wed Apr 3 15:50:37 2019
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1120689,1126096

Description:
This update for libtirpc fixes the following issues:

- Fix a 'yp_bind_client_create_v3: RPC: Unknown host' error (bsc#1126096).
- Add an option to enforce connection via protocol version 2 first (bsc#1120689).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released:    Fri Apr 5 17:16:23 2019
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1119414,1126327,1129753,SLE-3853,SLE-4117

Description:
This update for rpm fixes the following issues:

- This update shortens the RPM changelog to entries after a certain cut-off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released:    Mon Apr 8 15:41:44 2019
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1100396,1122729,1130045,CVE-2016-10739

Description:
This update for glibc fixes the following issues:

Security issue fixed:
- CVE-2016-10739: Fixed an improper implementation of the getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).

Other issues fixed:
- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list, due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released:    Wed Apr 24 10:13:34 2019
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1110304,1129576

Description:
This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released:    Thu Apr 25 17:09:21 2019
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

Description:
This update for samba fixes the following issues:

Security issue fixed:
- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):
- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:
- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released:    Tue Apr 30 18:02:43 2019
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

Description:
This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:
- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)

Non-security issue fixed:
- Update gnutls to support TLS 1.3 (fate#327114)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released:    Thu May 2 09:39:24 2019
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1130325,1130326,CVE-2019-9936,CVE-2019-9937

Description:
This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:
- CVE-2019-9936: Fixed a heap-based buffer over-read when running fts5 prefix queries inside a transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released:    Fri May 10 14:01:55 2019
Summary:     Security update for bzip2
Type:        security
Severity:    low
References:  985657,CVE-2016-3189

Description:
This update for bzip2 fixes the following issues:

Security issue fixed:
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
From sle-updates at lists.suse.com Wed Jan 15 11:24:29 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 15 Jan 2020 19:24:29 +0100 (CET) Subject: SUSE-CU-2019:703-1: Security update of caasp/v4/caaspctl-tooling Message-ID: <20200115182429.51117F798@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/caaspctl-tooling ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:703-1 Container Tags : caasp/v4/caaspctl-tooling:0.1.0 , caasp/v4/caaspctl-tooling:0.1.0-rev1 , caasp/v4/caaspctl-tooling:0.1.0-rev1-build1.62 , caasp/v4/caaspctl-tooling:beta Severity : important Type : security References : 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1096191 1105435 1106390 1107066 1107067 1111973 1112723 1112726 1118087 1121563 1123685 1124122 1125007 1125352 1125604 1126056 1127557 1128383 1130230 1132348 1132400 1132721 1133506 1133509 1134524 1134856 1135170 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-1000654 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-16868 CVE-2018-18310 CVE-2018-18520 CVE-2018-18521 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 CVE-2019-5021 CVE-2019-5436 CVE-2019-6454 CVE-2019-7150 CVE-2019-7665 SLE-5933 ----------------------------------------------------------------- The container caasp/v4/caaspctl-tooling was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released:    Wed May 22 12:19:12 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1096191

Description:
This update for aaa_base fixes the following issue:

* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released:    Fri May 24 14:41:10 2019
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1118087,1134856,CVE-2018-16868

Description:
This update for gnutls fixes the following issues:

Security issue fixed:

- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087).

Non-security issue fixed:

- Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released:    Mon May 27 13:29:15 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1135170,CVE-2019-5436

Description:
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet, which receives data from a TFTP server (bsc#1135170).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released:    Tue May 28 10:51:38 2019
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

Description:
This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via a crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released:    Tue May 28 13:15:38 2019
Summary:     Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type:        security
Severity:    important
References:  1134524,CVE-2019-5021

Description:
This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released:    Tue May 28 16:53:28 2019
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1105435,CVE-2018-1000654

Description:
This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released:    Thu Jun 13 07:46:46 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1128383

Description:
This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released:    Thu Jun 13 09:40:24 2019
Summary:     Security update for elfutils
Type:        security
Severity:    moderate
References:  1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

Description:
This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed a denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module did not check whether the dyn data read from a core file was truncated (bsc#1123685)
- CVE-2019-7665: Fixed handling of the NT_PLATFORM core file note, which should be a zero-terminated string (bsc#1125007)

From sle-updates at lists.suse.com Wed Jan 15 16:11:39 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 00:11:39 +0100 (CET)
Subject: SUSE-RU-2020:0108-1: moderate: Recommended update for ClusterTools2
Message-ID: <20200115231139.ECFD0F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for ClusterTools2
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0108-1
Rating:             moderate
References:         #1084925 #1097134
Affected Products:
                    SUSE Linux Enterprise Module for SAP Applications 15-SP1
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for ClusterTools2 fixes the following issues:

   - Replace cron jobs with systemd timers. (bsc#1097134, jsc#SLE-9199)
   - Script refinement and first steps for an adaptation to the SLE15 codestream, using 'shellcheck' to find and correct syntax problems, spelling errors and other problems.
   - Added /etc/ClusterTools2/cs_make_sbd_devices avoiding stuck and exit in case of doing a dump. (bsc#1084925)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SAP Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-SP1-2020-108=1

Package List:

   - SUSE Linux Enterprise Module for SAP Applications 15-SP1 (noarch):

      ClusterTools2-3.1.0-8.3.1

References:

   https://bugzilla.suse.com/1084925
   https://bugzilla.suse.com/1097134

From sle-updates at lists.suse.com Wed Jan 15 16:12:50 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 00:12:50 +0100 (CET)
Subject: SUSE-RU-2020:0107-1: moderate: Recommended update for yast2-storage-ng
Message-ID: <20200115231250.5F5E0F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for yast2-storage-ng
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0107-1
Rating:             moderate
References:         #1141006 #1154070
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15
                    SUSE Linux Enterprise Installer 15
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for yast2-storage-ng fixes the following issues:

   - Initial: consider only up to ten disks. (bsc#1154070)
   - Add execute permissions to test files. (bsc#1141006)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-107=1

   - SUSE Linux Enterprise Installer 15:

      zypper in -t patch SUSE-SLE-INSTALLER-15-2020-107=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      yast2-storage-ng-4.0.223-3.48.1

   - SUSE Linux Enterprise Installer 15 (aarch64 ppc64le s390x x86_64):

      yast2-storage-ng-4.0.223-3.48.1

References:

   https://bugzilla.suse.com/1141006
   https://bugzilla.suse.com/1154070

From sle-updates at lists.suse.com Thu Jan 16 07:12:12 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 15:12:12 +0100 (CET)
Subject: SUSE-SU-2020:0114-1: important: Security update for python3
Message-ID: <20200116141212.A3638F798@maintenance.suse.de>

SUSE Security Update: Security update for python3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0114-1
Rating:             important
References:         #1027282 #1029377 #1029902 #1040164 #1042670 #1070853 #1079761 #1081750
                    #1083507 #1086001 #1088004 #1088009 #1088573 #1094814 #1107030 #1109663
                    #1109847 #1120644 #1122191 #1129346 #1130840 #1133452 #1137942 #1138459
                    #1141853 #1149121 #1149792 #1149955 #1151490 #1153238 #1159035 #1159622
                    #637176 #658604 #673071 #709442 #743787 #747125 #751718 #754447 #754677
                    #787526 #809831 #831629 #834601 #871152 #885662 #885882 #917607 #942751
                    #951166 #983582 #984751 #985177 #985348 #989523
Cross-References:   CVE-2011-3389 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-1752
                    CVE-2013-4238 CVE-2014-2667 CVE-2014-4650 CVE-2016-0772 CVE-2016-1000110
                    CVE-2016-5636 CVE-2016-5699 CVE-2017-18207 CVE-2018-1000802 CVE-2018-1060
                    CVE-2018-1061 CVE-2018-14647 CVE-2018-20406 CVE-2018-20852 CVE-2019-10160
                    CVE-2019-15903 CVE-2019-16056 CVE-2019-16935 CVE-2019-5010 CVE-2019-9636
                    CVE-2019-9947
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that solves 26 vulnerabilities and has 30 fixes is now available.

Description:

   This update for python3 to version 3.6.10 fixes the following issues:

   - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
   - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
   - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-114=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-114=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-114=1

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-114=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-114=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-114=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      python3-base-debuginfo-3.6.10-3.42.2
      python3-base-debugsource-3.6.10-3.42.2
      python3-testsuite-3.6.10-3.42.2
      python3-testsuite-debuginfo-3.6.10-3.42.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      python3-doc-3.6.10-3.42.3

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      libpython3_6m1_0-32bit-3.6.10-3.42.2
      libpython3_6m1_0-32bit-debuginfo-3.6.10-3.42.2
      python3-32bit-3.6.10-3.42.2
      python3-32bit-debuginfo-3.6.10-3.42.2
      python3-base-32bit-3.6.10-3.42.2
      python3-base-32bit-debuginfo-3.6.10-3.42.2
      python3-debugsource-3.6.10-3.42.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      python3-base-debuginfo-3.6.10-3.42.2
      python3-base-debugsource-3.6.10-3.42.2
      python3-testsuite-3.6.10-3.42.2
      python3-testsuite-debuginfo-3.6.10-3.42.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      python3-doc-3.6.10-3.42.3

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (x86_64):

      libpython3_6m1_0-32bit-3.6.10-3.42.2
      python3-32bit-3.6.10-3.42.2
      python3-base-32bit-3.6.10-3.42.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      python3-base-debuginfo-3.6.10-3.42.2
      python3-base-debugsource-3.6.10-3.42.2
      python3-tools-3.6.10-3.42.2

   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):

      python3-base-debuginfo-3.6.10-3.42.2
      python3-base-debugsource-3.6.10-3.42.2
      python3-tools-3.6.10-3.42.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libpython3_6m1_0-3.6.10-3.42.2
      libpython3_6m1_0-debuginfo-3.6.10-3.42.2
      python3-3.6.10-3.42.2
      python3-base-3.6.10-3.42.2
      python3-base-debuginfo-3.6.10-3.42.2
      python3-base-debugsource-3.6.10-3.42.2
      python3-curses-3.6.10-3.42.2
      python3-curses-debuginfo-3.6.10-3.42.2
      python3-dbm-3.6.10-3.42.2
      python3-dbm-debuginfo-3.6.10-3.42.2
      python3-debuginfo-3.6.10-3.42.2
      python3-debugsource-3.6.10-3.42.2
      python3-devel-3.6.10-3.42.2
      python3-devel-debuginfo-3.6.10-3.42.2
      python3-idle-3.6.10-3.42.2
      python3-tk-3.6.10-3.42.2
      python3-tk-debuginfo-3.6.10-3.42.2

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      libpython3_6m1_0-3.6.10-3.42.2
      libpython3_6m1_0-debuginfo-3.6.10-3.42.2
      python3-3.6.10-3.42.2
      python3-base-3.6.10-3.42.2
      python3-base-debuginfo-3.6.10-3.42.2
      python3-base-debugsource-3.6.10-3.42.2
      python3-curses-3.6.10-3.42.2
      python3-curses-debuginfo-3.6.10-3.42.2
      python3-dbm-3.6.10-3.42.2
      python3-dbm-debuginfo-3.6.10-3.42.2
      python3-debuginfo-3.6.10-3.42.2
      python3-debugsource-3.6.10-3.42.2
      python3-devel-3.6.10-3.42.2
      python3-devel-debuginfo-3.6.10-3.42.2
      python3-idle-3.6.10-3.42.2
      python3-tk-3.6.10-3.42.2
      python3-tk-debuginfo-3.6.10-3.42.2

References:

   https://www.suse.com/security/cve/CVE-2011-3389.html
   https://www.suse.com/security/cve/CVE-2011-4944.html
   https://www.suse.com/security/cve/CVE-2012-0845.html
   https://www.suse.com/security/cve/CVE-2012-1150.html
   https://www.suse.com/security/cve/CVE-2013-1752.html
   https://www.suse.com/security/cve/CVE-2013-4238.html
   https://www.suse.com/security/cve/CVE-2014-2667.html
   https://www.suse.com/security/cve/CVE-2014-4650.html
   https://www.suse.com/security/cve/CVE-2016-0772.html
   https://www.suse.com/security/cve/CVE-2016-1000110.html
   https://www.suse.com/security/cve/CVE-2016-5636.html
   https://www.suse.com/security/cve/CVE-2016-5699.html
   https://www.suse.com/security/cve/CVE-2017-18207.html
   https://www.suse.com/security/cve/CVE-2018-1000802.html
   https://www.suse.com/security/cve/CVE-2018-1060.html
   https://www.suse.com/security/cve/CVE-2018-1061.html
   https://www.suse.com/security/cve/CVE-2018-14647.html
   https://www.suse.com/security/cve/CVE-2018-20406.html
   https://www.suse.com/security/cve/CVE-2018-20852.html
   https://www.suse.com/security/cve/CVE-2019-10160.html
   https://www.suse.com/security/cve/CVE-2019-15903.html
   https://www.suse.com/security/cve/CVE-2019-16056.html
   https://www.suse.com/security/cve/CVE-2019-16935.html
   https://www.suse.com/security/cve/CVE-2019-5010.html
   https://www.suse.com/security/cve/CVE-2019-9636.html
   https://www.suse.com/security/cve/CVE-2019-9947.html
   https://bugzilla.suse.com/1027282
   https://bugzilla.suse.com/1029377
   https://bugzilla.suse.com/1029902
   https://bugzilla.suse.com/1040164
   https://bugzilla.suse.com/1042670
   https://bugzilla.suse.com/1070853
   https://bugzilla.suse.com/1079761
   https://bugzilla.suse.com/1081750
   https://bugzilla.suse.com/1083507
   https://bugzilla.suse.com/1086001
   https://bugzilla.suse.com/1088004
   https://bugzilla.suse.com/1088009
   https://bugzilla.suse.com/1088573
   https://bugzilla.suse.com/1094814
   https://bugzilla.suse.com/1107030
   https://bugzilla.suse.com/1109663
   https://bugzilla.suse.com/1109847
   https://bugzilla.suse.com/1120644
   https://bugzilla.suse.com/1122191
   https://bugzilla.suse.com/1129346
   https://bugzilla.suse.com/1130840
   https://bugzilla.suse.com/1133452
   https://bugzilla.suse.com/1137942
   https://bugzilla.suse.com/1138459
   https://bugzilla.suse.com/1141853
   https://bugzilla.suse.com/1149121
   https://bugzilla.suse.com/1149792
   https://bugzilla.suse.com/1149955
   https://bugzilla.suse.com/1151490
   https://bugzilla.suse.com/1153238
   https://bugzilla.suse.com/1159035
   https://bugzilla.suse.com/1159622
   https://bugzilla.suse.com/637176
   https://bugzilla.suse.com/658604
   https://bugzilla.suse.com/673071
   https://bugzilla.suse.com/709442
   https://bugzilla.suse.com/743787
   https://bugzilla.suse.com/747125
   https://bugzilla.suse.com/751718
   https://bugzilla.suse.com/754447
   https://bugzilla.suse.com/754677
   https://bugzilla.suse.com/787526
   https://bugzilla.suse.com/809831
   https://bugzilla.suse.com/831629
   https://bugzilla.suse.com/834601
   https://bugzilla.suse.com/871152
   https://bugzilla.suse.com/885662
   https://bugzilla.suse.com/885882
   https://bugzilla.suse.com/917607
   https://bugzilla.suse.com/942751
   https://bugzilla.suse.com/951166
   https://bugzilla.suse.com/983582
   https://bugzilla.suse.com/984751
   https://bugzilla.suse.com/985177
   https://bugzilla.suse.com/985348
   https://bugzilla.suse.com/989523

From sle-updates at lists.suse.com Thu Jan 16 07:11:23 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 15:11:23 +0100 (CET)
Subject: SUSE-SU-2020:0115-1: moderate: Security update for shibboleth-sp
Message-ID: <20200116141123.C7892F798@maintenance.suse.de>

SUSE Security Update: Security update for shibboleth-sp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0115-1
Rating:             moderate
References:         #1157471
Cross-References:   CVE-2019-19191
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for shibboleth-sp fixes the following issues:

   Security issue fixed:

   - CVE-2019-19191: Fixed escalation to root by fixing ownership of log files (bsc#1157471).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-115=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-115=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-115=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-115=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-115=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-115=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-115=1

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-115=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-115=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-115=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-115=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-115=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-115=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-115=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-115=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-115=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-115=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE OpenStack Cloud 8 (x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1
      shibboleth-sp-devel-2.5.5-6.6.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1
      shibboleth-sp-devel-2.5.5-6.6.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

   - HPE Helion Openstack 8 (x86_64):

      libshibsp-lite6-2.5.5-6.6.1
      libshibsp-lite6-debuginfo-2.5.5-6.6.1
      libshibsp6-2.5.5-6.6.1
      libshibsp6-debuginfo-2.5.5-6.6.1
      shibboleth-sp-2.5.5-6.6.1
      shibboleth-sp-debuginfo-2.5.5-6.6.1
      shibboleth-sp-debugsource-2.5.5-6.6.1

References:

   https://www.suse.com/security/cve/CVE-2019-19191.html
   https://bugzilla.suse.com/1157471

From sle-updates at lists.suse.com Thu Jan 16 07:22:23 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 15:22:23 +0100 (CET)
Subject: SUSE-SU-2020:0111-1: moderate: Security update for Mesa
Message-ID: <20200116142223.65FD9F798@maintenance.suse.de>

SUSE Security Update: Security update for Mesa
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0111-1
Rating:             moderate
References:         #1156015
Cross-References:   CVE-2019-5068
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for Mesa fixes the following issues:

   Security issue fixed:

   - CVE-2019-5068: Fixed an exploitable shared memory permissions vulnerability (bsc#1156015).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP1:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-111=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-111=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-111=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):

      Mesa-dri-nouveau-18.3.2-34.9.1
      Mesa-dri-nouveau-debuginfo-18.3.2-34.9.1
      Mesa-drivers-debugsource-18.3.2-34.9.1
      libXvMC_nouveau-18.3.2-34.9.1
      libXvMC_nouveau-debuginfo-18.3.2-34.9.1
      libvdpau_nouveau-18.3.2-34.9.1
      libvdpau_nouveau-debuginfo-18.3.2-34.9.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      Mesa-drivers-debugsource-18.3.2-34.9.1
      Mesa-libOpenCL-18.3.2-34.9.1
      Mesa-libOpenCL-debuginfo-18.3.2-34.9.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le x86_64):

      libXvMC_r600-18.3.2-34.9.1
      libXvMC_r600-debuginfo-18.3.2-34.9.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le):

      Mesa-dri-nouveau-18.3.2-34.9.1
      Mesa-dri-nouveau-debuginfo-18.3.2-34.9.1
      libXvMC_nouveau-18.3.2-34.9.1
      libXvMC_nouveau-debuginfo-18.3.2-34.9.1
      libvdpau_nouveau-18.3.2-34.9.1
      libvdpau_nouveau-debuginfo-18.3.2-34.9.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64):

      Mesa-libd3d-18.3.2-34.9.1
      Mesa-libd3d-debuginfo-18.3.2-34.9.1
      Mesa-libd3d-devel-18.3.2-34.9.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      Mesa-debugsource-18.3.2-34.9.1
      Mesa-dri-nouveau-32bit-18.3.2-34.9.1
      Mesa-dri-nouveau-32bit-debuginfo-18.3.2-34.9.1
      Mesa-libd3d-32bit-18.3.2-34.9.1
      Mesa-libd3d-32bit-debuginfo-18.3.2-34.9.1
      Mesa-libd3d-devel-32bit-18.3.2-34.9.1
      Mesa-libglapi-devel-32bit-18.3.2-34.9.1
      libOSMesa-devel-32bit-18.3.2-34.9.1
      libOSMesa8-32bit-18.3.2-34.9.1
      libOSMesa8-32bit-debuginfo-18.3.2-34.9.1
      libXvMC_nouveau-32bit-18.3.2-34.9.1
      libXvMC_nouveau-32bit-debuginfo-18.3.2-34.9.1
      libXvMC_r600-32bit-18.3.2-34.9.1
      libXvMC_r600-32bit-debuginfo-18.3.2-34.9.1
      libgbm-devel-32bit-18.3.2-34.9.1
      libvdpau_nouveau-32bit-18.3.2-34.9.1
      libvdpau_nouveau-32bit-debuginfo-18.3.2-34.9.1
      libvdpau_r300-32bit-18.3.2-34.9.1
      libvdpau_r300-32bit-debuginfo-18.3.2-34.9.1
      libvdpau_r600-32bit-18.3.2-34.9.1
      libvdpau_r600-32bit-debuginfo-18.3.2-34.9.1
      libvdpau_radeonsi-32bit-18.3.2-34.9.1
      libvdpau_radeonsi-32bit-debuginfo-18.3.2-34.9.1
      libvulkan_intel-32bit-18.3.2-34.9.1
      libvulkan_intel-32bit-debuginfo-18.3.2-34.9.1
      libvulkan_radeon-32bit-18.3.2-34.9.1
      libvulkan_radeon-32bit-debuginfo-18.3.2-34.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      Mesa-18.3.2-34.9.1
      Mesa-KHR-devel-18.3.2-34.9.1
      Mesa-debugsource-18.3.2-34.9.1
      Mesa-devel-18.3.2-34.9.1
      Mesa-dri-18.3.2-34.9.1
      Mesa-dri-debuginfo-18.3.2-34.9.1
      Mesa-dri-devel-18.3.2-34.9.1
      Mesa-drivers-debugsource-18.3.2-34.9.1
      Mesa-gallium-18.3.2-34.9.1
      Mesa-gallium-debuginfo-18.3.2-34.9.1
      Mesa-libEGL-devel-18.3.2-34.9.1
      Mesa-libEGL1-18.3.2-34.9.1
      Mesa-libEGL1-debuginfo-18.3.2-34.9.1
      Mesa-libGL-devel-18.3.2-34.9.1
      Mesa-libGL1-18.3.2-34.9.1
      Mesa-libGL1-debuginfo-18.3.2-34.9.1
      Mesa-libGLESv1_CM-devel-18.3.2-34.9.1
      Mesa-libGLESv1_CM1-18.3.2-34.9.1
      Mesa-libGLESv2-2-18.3.2-34.9.1
      Mesa-libGLESv2-devel-18.3.2-34.9.1
      Mesa-libGLESv3-devel-18.3.2-34.9.1
      Mesa-libglapi-devel-18.3.2-34.9.1
      Mesa-libglapi0-18.3.2-34.9.1
      Mesa-libglapi0-debuginfo-18.3.2-34.9.1
      libOSMesa-devel-18.3.2-34.9.1
      libOSMesa8-18.3.2-34.9.1
      libOSMesa8-debuginfo-18.3.2-34.9.1
      libgbm-devel-18.3.2-34.9.1
      libgbm1-18.3.2-34.9.1
      libgbm1-debuginfo-18.3.2-34.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le x86_64):

      Mesa-libva-18.3.2-34.9.1
      Mesa-libva-debuginfo-18.3.2-34.9.1
  libvdpau_r300-18.3.2-34.9.1
  libvdpau_r300-debuginfo-18.3.2-34.9.1
  libvdpau_r600-18.3.2-34.9.1
  libvdpau_r600-debuginfo-18.3.2-34.9.1
  libxatracker-devel-1.0.0-34.9.1
  libxatracker2-1.0.0-34.9.1
  libxatracker2-debuginfo-1.0.0-34.9.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

  Mesa-32bit-18.3.2-34.9.1
  Mesa-dri-32bit-18.3.2-34.9.1
  Mesa-dri-32bit-debuginfo-18.3.2-34.9.1
  Mesa-gallium-32bit-18.3.2-34.9.1
  Mesa-gallium-32bit-debuginfo-18.3.2-34.9.1
  Mesa-libEGL1-32bit-18.3.2-34.9.1
  Mesa-libEGL1-32bit-debuginfo-18.3.2-34.9.1
  Mesa-libGL1-32bit-18.3.2-34.9.1
  Mesa-libGL1-32bit-debuginfo-18.3.2-34.9.1
  Mesa-libVulkan-devel-18.3.2-34.9.1
  Mesa-libd3d-18.3.2-34.9.1
  Mesa-libd3d-debuginfo-18.3.2-34.9.1
  Mesa-libd3d-devel-18.3.2-34.9.1
  Mesa-libglapi0-32bit-18.3.2-34.9.1
  Mesa-libglapi0-32bit-debuginfo-18.3.2-34.9.1
  libgbm1-32bit-18.3.2-34.9.1
  libgbm1-32bit-debuginfo-18.3.2-34.9.1
  libvdpau_radeonsi-18.3.2-34.9.1
  libvdpau_radeonsi-debuginfo-18.3.2-34.9.1
  libvulkan_intel-18.3.2-34.9.1
  libvulkan_intel-debuginfo-18.3.2-34.9.1
  libvulkan_radeon-18.3.2-34.9.1
  libvulkan_radeon-debuginfo-18.3.2-34.9.1

References:

https://www.suse.com/security/cve/CVE-2019-5068.html
https://bugzilla.suse.com/1156015

From sle-updates at lists.suse.com Thu Jan 16 07:23:05 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 15:23:05 +0100 (CET)
Subject: SUSE-SU-2020:0110-1: important: Security update for slurm
Message-ID: <20200116142305.8B5DAF798@maintenance.suse.de>

   SUSE Security Update: Security update for slurm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0110-1
Rating:             important
References:         #1140709 #1153095 #1153259 #1155784 #1158696 #1159692
Cross-References:   CVE-2019-12838 CVE-2019-19727 CVE-2019-19728
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for HPC 15-SP1
______________________________________________________________________________

   An update that solves three vulnerabilities and has three fixes is now available.

Description:

This update for slurm to version 18.08.9 fixes the following issues:

Security issues fixed:

- CVE-2019-19728: Fixed a privilege escalation with srun, where --uid might have unintended side effects (bsc#1159692).
- CVE-2019-12838: Fixed SchedMD Slurm SQL Injection issue (bnc#1140709).
- CVE-2019-19727: Fixed permissions of slurmdbd.conf (bsc#1155784).

Bug fixes:

- Fix ownership of /var/spool/slurm on new installations and upgrade (bsc#1158696).
- Fix %posttrans macro _res_update to cope with added newline (bsc#1153259).
- Move srun from 'slurm' to 'slurm-node': srun is required on the nodes as well so sbatch will work. 'slurm-node' is a requirement when 'slurm' is installed (bsc#1153095).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-110=1

- SUSE Linux Enterprise Module for HPC 15-SP1:

  zypper in -t patch SUSE-SLE-Module-HPC-15-SP1-2020-110=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

  slurm-debuginfo-18.08.9-3.10.1
  slurm-debugsource-18.08.9-3.10.1
  slurm-openlava-18.08.9-3.10.1
  slurm-seff-18.08.9-3.10.1
  slurm-sjstat-18.08.9-3.10.1
  slurm-sview-18.08.9-3.10.1
  slurm-sview-debuginfo-18.08.9-3.10.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le s390x):

  libpmi0-18.08.9-3.10.1
  libpmi0-debuginfo-18.08.9-3.10.1
  libslurm33-18.08.9-3.10.1
  libslurm33-debuginfo-18.08.9-3.10.1
  perl-slurm-18.08.9-3.10.1
  perl-slurm-debuginfo-18.08.9-3.10.1
  slurm-18.08.9-3.10.1
  slurm-auth-none-18.08.9-3.10.1
  slurm-auth-none-debuginfo-18.08.9-3.10.1
  slurm-config-18.08.9-3.10.1
  slurm-config-man-18.08.9-3.10.1
  slurm-devel-18.08.9-3.10.1
  slurm-doc-18.08.9-3.10.1
  slurm-lua-18.08.9-3.10.1
  slurm-lua-debuginfo-18.08.9-3.10.1
  slurm-munge-18.08.9-3.10.1
  slurm-munge-debuginfo-18.08.9-3.10.1
  slurm-node-18.08.9-3.10.1
  slurm-node-debuginfo-18.08.9-3.10.1
  slurm-pam_slurm-18.08.9-3.10.1
  slurm-pam_slurm-debuginfo-18.08.9-3.10.1
  slurm-plugins-18.08.9-3.10.1
  slurm-plugins-debuginfo-18.08.9-3.10.1
  slurm-slurmdbd-18.08.9-3.10.1
  slurm-slurmdbd-debuginfo-18.08.9-3.10.1
  slurm-sql-18.08.9-3.10.1
  slurm-sql-debuginfo-18.08.9-3.10.1
  slurm-torque-18.08.9-3.10.1
  slurm-torque-debuginfo-18.08.9-3.10.1

- SUSE Linux Enterprise Module for HPC 15-SP1 (aarch64 x86_64):

  libpmi0-18.08.9-3.10.1
  libpmi0-debuginfo-18.08.9-3.10.1
  libslurm33-18.08.9-3.10.1
  libslurm33-debuginfo-18.08.9-3.10.1
  perl-slurm-18.08.9-3.10.1
  perl-slurm-debuginfo-18.08.9-3.10.1
  slurm-18.08.9-3.10.1
  slurm-auth-none-18.08.9-3.10.1
  slurm-auth-none-debuginfo-18.08.9-3.10.1
  slurm-config-18.08.9-3.10.1
  slurm-config-man-18.08.9-3.10.1
  slurm-debuginfo-18.08.9-3.10.1
  slurm-debugsource-18.08.9-3.10.1
  slurm-devel-18.08.9-3.10.1
  slurm-doc-18.08.9-3.10.1
  slurm-lua-18.08.9-3.10.1
  slurm-lua-debuginfo-18.08.9-3.10.1
  slurm-munge-18.08.9-3.10.1
  slurm-munge-debuginfo-18.08.9-3.10.1
  slurm-node-18.08.9-3.10.1
  slurm-node-debuginfo-18.08.9-3.10.1
  slurm-pam_slurm-18.08.9-3.10.1
  slurm-pam_slurm-debuginfo-18.08.9-3.10.1
  slurm-plugins-18.08.9-3.10.1
  slurm-plugins-debuginfo-18.08.9-3.10.1
  slurm-slurmdbd-18.08.9-3.10.1
  slurm-slurmdbd-debuginfo-18.08.9-3.10.1
  slurm-sql-18.08.9-3.10.1
  slurm-sql-debuginfo-18.08.9-3.10.1
  slurm-sview-18.08.9-3.10.1
  slurm-sview-debuginfo-18.08.9-3.10.1
  slurm-torque-18.08.9-3.10.1
  slurm-torque-debuginfo-18.08.9-3.10.1

References:

https://www.suse.com/security/cve/CVE-2019-12838.html
https://www.suse.com/security/cve/CVE-2019-19727.html
https://www.suse.com/security/cve/CVE-2019-19728.html
https://bugzilla.suse.com/1140709
https://bugzilla.suse.com/1153095
https://bugzilla.suse.com/1153259
https://bugzilla.suse.com/1155784
https://bugzilla.suse.com/1158696
https://bugzilla.suse.com/1159692

From sle-updates at lists.suse.com Thu Jan 16 07:19:23 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 15:19:23 +0100 (CET)
Subject: SUSE-SU-2020:0113-1: important: Security update for tigervnc
Message-ID: <20200116141923.837EDF798@maintenance.suse.de>

   SUSE Security Update: Security update for tigervnc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0113-1
Rating:             important
References:         #1159856 #1159858 #1159860 #1160250 #1160251
Cross-References:   CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

This update for tigervnc fixes the following issues:

- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-113=1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-113=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-113=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

  tigervnc-x11vnc-1.9.0-19.3.1
  xorg-x11-Xvnc-java-1.9.0-19.3.1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

  libXvnc-devel-1.9.0-19.3.1
  tigervnc-debuginfo-1.9.0-19.3.1
  tigervnc-debugsource-1.9.0-19.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

  libXvnc1-1.9.0-19.3.1
  libXvnc1-debuginfo-1.9.0-19.3.1
  tigervnc-1.9.0-19.3.1
  tigervnc-debuginfo-1.9.0-19.3.1
  tigervnc-debugsource-1.9.0-19.3.1
  xorg-x11-Xvnc-1.9.0-19.3.1
  xorg-x11-Xvnc-debuginfo-1.9.0-19.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le x86_64):

  xorg-x11-Xvnc-module-1.9.0-19.3.1
  xorg-x11-Xvnc-module-debuginfo-1.9.0-19.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

  xorg-x11-Xvnc-novnc-1.9.0-19.3.1

References:

https://www.suse.com/security/cve/CVE-2019-15691.html
https://www.suse.com/security/cve/CVE-2019-15692.html
https://www.suse.com/security/cve/CVE-2019-15693.html
https://www.suse.com/security/cve/CVE-2019-15694.html
https://www.suse.com/security/cve/CVE-2019-15695.html
https://bugzilla.suse.com/1159856
https://bugzilla.suse.com/1159858
https://bugzilla.suse.com/1159860
https://bugzilla.suse.com/1160250
https://bugzilla.suse.com/1160251

From sle-updates at lists.suse.com Thu Jan 16 07:21:14 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 15:21:14 +0100 (CET)
Subject: SUSE-SU-2020:0112-1: important: Security update for tigervnc
Message-ID: <20200116142114.3D4FFF798@maintenance.suse.de>

   SUSE Security Update: Security update for tigervnc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0112-1
Rating:             important
References:         #1159856 #1159858 #1159860 #1160250 #1160251
Cross-References:   CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Desktop Applications 15
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

This update for tigervnc fixes the following issues:

- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-112=1

- SUSE Linux Enterprise Module for Desktop Applications 15:

  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2020-112=1

- SUSE Linux Enterprise Module for Basesystem 15:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-112=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

  tigervnc-x11vnc-1.8.0-13.11.1
  xorg-x11-Xvnc-java-1.8.0-13.11.1

- SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):

  libXvnc-devel-1.8.0-13.11.1
  tigervnc-debuginfo-1.8.0-13.11.1
  tigervnc-debugsource-1.8.0-13.11.1

- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

  libXvnc1-1.8.0-13.11.1
  libXvnc1-debuginfo-1.8.0-13.11.1
  tigervnc-1.8.0-13.11.1
  tigervnc-debuginfo-1.8.0-13.11.1
  tigervnc-debugsource-1.8.0-13.11.1
  xorg-x11-Xvnc-1.8.0-13.11.1
  xorg-x11-Xvnc-debuginfo-1.8.0-13.11.1

- SUSE Linux Enterprise Module for Basesystem 15 (noarch):

  xorg-x11-Xvnc-novnc-1.8.0-13.11.1

References:

https://www.suse.com/security/cve/CVE-2019-15691.html
https://www.suse.com/security/cve/CVE-2019-15692.html
https://www.suse.com/security/cve/CVE-2019-15693.html
https://www.suse.com/security/cve/CVE-2019-15694.html
https://www.suse.com/security/cve/CVE-2019-15695.html
https://bugzilla.suse.com/1159856
https://bugzilla.suse.com/1159858
https://bugzilla.suse.com/1159860
https://bugzilla.suse.com/1160250
https://bugzilla.suse.com/1160251

From sle-updates at lists.suse.com Thu Jan 16 07:20:33 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 15:20:33 +0100 (CET)
Subject: SUSE-RU-2020:0116-1: Recommended update for release-notes-caasp
Message-ID: <20200116142033.60512F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for release-notes-caasp
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0116-1
Rating:             low
References:         #1160992
Affected Products:
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

This update for release-notes-caasp fixes the following issues:

- Added stratos to 4.1.0 (bsc#1160992)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE CaaS Platform 4.0:

  To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:

- SUSE CaaS Platform 4.0 (noarch):

  release-notes-caasp-4.1.20200115-4.19.1

References:

https://bugzilla.suse.com/1160992

From sle-updates at lists.suse.com Thu Jan 16 10:11:34 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:11:34 +0100 (CET)
Subject: SUSE-RU-2020:0117-1: moderate: Recommended update for deepsea
Message-ID: <20200116171134.5AFD9F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for deepsea
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0117-1
Rating:             moderate
References:         #1154518 #1157469 #1158196
Affected Products:
                    SUSE Enterprise Storage 6
______________________________________________________________________________

   An update that has three recommended fixes can now be installed.

Description:

This update for deepsea fixes the following issues:

- Fixed a bug where disks.list threw an exception (Could not detect OSD type) (bsc#1158196)
- Fixed a bug where an exception was thrown when replacing OSDs during an upgrade from SUSE Enterprise Storage 5.5 to 6 (bsc#1157469)
- Adds an option to allow the configuration of custom grafana endpoints (bsc#1154518)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 6:

  zypper in -t patch SUSE-Storage-6-2020-117=1

Package List:

- SUSE Enterprise Storage 6 (noarch):

  deepsea-0.9.27+git.0.93a84d2ea-3.9.1
  deepsea-cli-0.9.27+git.0.93a84d2ea-3.9.1

References:

https://bugzilla.suse.com/1154518
https://bugzilla.suse.com/1157469
https://bugzilla.suse.com/1158196

From sle-updates at lists.suse.com Thu Jan 16 09:57:31 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:57:31 +0100 (CET)
Subject: SUSE-CU-2019:712-1: Security update of caasp/v4/kubedns
Message-ID: <20200116165731.C7A77F796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/kubedns
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:712-1
Container Tags        : caasp/v4/kubedns:1.14.1 , caasp/v4/kubedns:1.14.1-rev1 , caasp/v4/kubedns:1.14.1-rev1-build1.1
Severity              : important
Type                  : security
References            :
-----------------------------------------------------------------
The container caasp/v4/kubedns was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released:    Tue Nov 4 16:29:29 2014
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    moderate
References:  901845

Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released:    Thu Nov 6 06:23:15 2014
Summary:     Recommended update for gcc48
Type:        recommended
Severity:    moderate
References:  899871

Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released:    Fri Nov 28 10:20:32 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  888308,902367,CVE-2014-3710

Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released:    Tue Dec 2 18:17:57 2014
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  658010,907456,CVE-2014-9112

Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released:    Thu Dec 11 09:25:27 2014
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  907074,CVE-2014-9087

Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released:    Fri Dec 19 20:16:00 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  910252,910253,CVE-2014-8116,CVE-2014-8117

Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released:    Mon Jan 12 11:37:43 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  901924,911363,CVE-2014-3707,CVE-2014-8150

Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released:    Thu Jan 15 18:35:11 2015
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118

Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with space.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released:    Thu Jan 15 23:21:45 2015
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  912229

Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released:    Fri Jan 30 15:01:03 2015
Summary:     Security update for elfutils
Type:        security
Severity:    moderate
References:  911662,CVE-2014-9447

Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released:    Tue Feb 3 14:51:17 2015
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  913209

Description:
curl was updated to fix problems when operating in FIPS mode.

This patch re-enables the following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released:    Tue Feb 3 16:30:16 2015
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  912922

Description:
This update for pam fixes updating of NIS passwords.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released:    Tue Mar 10 09:01:41 2015
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  921070,CVE-2015-1782

Description:
The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet, that could lead to a buffer overread and to a crash of the libssh2_org-using application.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released:    Wed Mar 18 18:21:44 2015
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  901202,908516

Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released:    Wed Apr 29 19:05:01 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153

Description:
curl was updated to fix five security issues.
The following vulnerabilities were fixed: * CVE-2015-3143: curl could re-use NTML authenticateds connections * CVE-2015-3144: curl could access memory out of bounds with zero length host names * CVE-2015-3145: curl cookie parser could access memory out of boundary * CVE-2015-3148: curl could treat Negotiate as not connection-oriented * CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:296-1 Released: Thu Jun 11 15:46:59 2015 Summary: Security update for libgcrypt Type: security Severity: moderate References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591 Description: This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements. libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591) FIPS 140-2 related changes: * The library performs its self-tests when the module is complete (the -hmac file is also installed). * Added a NIST 800-90a compliant DRBG. * Change DSA key generation to be FIPS 186-4 compliant. * Change RSA key generation to be FIPS 186-4 compliant. * Enable HW support in fips mode (bnc#896435) * Make DSA selftest use 2048 bit keys (bnc#898003) * Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202) * Various CAVS testing improvements. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:366-1 Released: Mon Jun 29 10:13:43 2015 Summary: Security update for e2fsprogs Type: security Severity: low References: 915402,918346,CVE-2015-0247,CVE-2015-1572 Description: Two security issues were fixed in e2fsprogs: Security issues fixed: * CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...). 
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346 ) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:361-1 Released: Wed Jul 15 08:26:27 2015 Summary: Recommended update for gcc48, libffi48, libgcj48 Type: recommended Severity: moderate References: 889990,917169,919274,922534,924525,924687,927993,930176,934689 Description: The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements. It includes various bug fixes found by our customers: * Fixes bogus integer overflow in constant expression. [bnc#934689] * Fixes ICE with atomics on aarch64. [bnc#930176] * Includes fix for -imacros bug. [bnc#917169] * Includes fix for incorrect -Warray-bounds warnings. [bnc#919274] * Includes updated -mhotpatch for s390x. [bnc#924525] * Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687] * Includes patches to allow building against ISL 0.14. * Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990] * Fix a reload issue on S390 (GCC PR66306). * Avoid accessing invalid memory when passing aggregates by value. [bnc#922534] ----------------------------------------------------------------- Advisory ID: SUSE-OU-2015:422-1 Released: Tue Jul 28 06:25:51 2015 Summary: The Toolchain module containing GCC 5.2 Type: optional Severity: low References: 926412,936050,937823 Description: This update contains the release of the new SUSE Linux Enterprise Toolchain module. Its major feature is the GNU Compiler Collection 5.2, please see https://gcc.gnu.org/gcc-5/changes.html for important changes. This update also includes a version update of binutils to 2.25 release branch to provide features and bugfixes. Following features have been added to binutils: * IBM zSeries z13 hardware support (fate#318036, bnc#936050). * various IBM Power8 improvements (fate#318238, bnc#926412). 
* AVX512 support on the Intel EM64T platform (fate#318520). The GNU Debugger gdb was updated to version 7.9.1 bringing various features and lots of bugfixes. Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:500-1 Released: Mon Aug 17 11:36:33 2015 Summary: Security update for libgcrypt Type: security Severity: moderate References: 920057,938343,CVE-2015-0837 Description: This update fixes the following issues: Security: * Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057) Bugfixes: * don't drop privileges when locking secure memory (bsc#938343) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:530-1 Released: Wed Aug 26 03:07:07 2015 Summary: Recommended update for sed Type: recommended Severity: low References: 933029 Description: This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:568-1 Released: Wed Sep 16 13:30:12 2015 Summary: Recommended update for grep Type: recommended Severity: low References: 920386 Description: This update for grep fixes undefined behaviour with -P and non-utf-8 data. 
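Worked example (added by the editor; this is not curl's code and models the bug class, not libcurl's internals). The curl advisory SUSE-SU-2015:235-1 above (CVE-2015-3143, re-use of NTLM-authenticated connections) and the later curl entries of the same class in this changelog (CVE-2016-0755, NTLM-authenticated proxy connections reused without checking that the credentials match, and CVE-2016-8616, case-insensitive password comparison) come down to one rule: NTLM authenticates the connection, not each request, so a pool that hands out idle connections by host alone lets a second user's request ride a connection authenticated as the first user. The pool, the three match policies, the user names and the host name below are all hypothetical.

```python
"""Connection reuse keyed on the authenticated identity.

Added example, not libcurl's code: a toy connection pool with three reuse
policies that model the vulnerable and fixed behaviour described in the curl
advisories (host-only reuse, case-insensitive credential comparison, exact
comparison). Pool, policies, users and host names are all hypothetical.
"""
import hmac
import itertools
from dataclasses import dataclass


@dataclass
class Connection:
    """An idle connection that was authenticated (e.g. via NTLM) as `user`.
    NTLM binds the authentication to the connection, so whoever is handed
    this object afterwards acts as `user` towards the server or proxy."""
    conn_id: int
    host: str
    port: int
    user: str
    password: str


def match_host_only(conn, user, password):
    """Vulnerable: any idle connection to the host is reused, whoever
    authenticated it (the CVE-2015-3143 / CVE-2016-0755 pattern)."""
    return True


def match_casefold(conn, user, password):
    """Still wrong: credentials are compared, but case-insensitively, so a
    request with 'secret1' rides a connection authenticated with 'Secret1'
    (the CVE-2016-8616 pattern)."""
    return (conn.user.lower() == user.lower()
            and conn.password.lower() == password.lower())


def match_exact(conn, user, password):
    """Hardened: byte-exact, constant-time comparison of the identity the
    connection was authenticated with."""
    return (hmac.compare_digest(conn.user.encode(), user.encode())
            and hmac.compare_digest(conn.password.encode(), password.encode()))


class ConnectionPool:
    """Hands out idle connections per (host, port); `policy` decides whether
    an idle connection may serve a request carrying the given credentials."""

    def __init__(self, policy):
        self._policy = policy
        self._idle = {}  # (host, port) -> [Connection, ...]
        self._ids = itertools.count(1)

    def get(self, host, port, user, password):
        bucket = self._idle.setdefault((host, port), [])
        for conn in bucket:
            if self._policy(conn, user, password):
                return conn
        # No acceptable idle connection: open and authenticate a new one.
        conn = Connection(next(self._ids), host, port, user, password)
        bucket.append(conn)
        return conn


def demo(policy):
    """Replays the scenario from the advisories against one reuse policy and
    reports which later requests landed on Alice's authenticated connection."""
    pool = ConnectionPool(policy)
    alice = pool.get("proxy.example", 8080, "alice", "Secret1")
    bob = pool.get("proxy.example", 8080, "bob", "Hunter2")
    alice_again = pool.get("proxy.example", 8080, "alice", "Secret1")
    wrong_case = pool.get("proxy.example", 8080, "alice", "secret1")
    return {
        "bob_rides_alice": bob is alice,            # another user's request
        "alice_reuses_own": alice_again is alice,   # legitimate reuse
        "wrong_case_reused": wrong_case is alice,   # wrong password, still reused
    }


if __name__ == "__main__":
    for name, policy in (("host-only", match_host_only),
                         ("case-insensitive", match_casefold),
                         ("exact", match_exact)):
        print(f"{name:17s} {demo(policy)}")
```

Running it prints one line per policy; only the exact policy keeps both Bob's request and the wrong-case password off Alice's connection while still letting Alice reuse her own. The same rule applies to every connection-bound authentication, including Negotiate and TLS client certificates (compare CVE-2016-5420 in this changelog): whatever the peer bound to the connection has to be part of the reuse key.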
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released:    Tue Dec 22 08:44:25 2015
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released:    Wed Dec 23 10:01:16 2015
Summary:     Recommended update for libksba
Type:        security
Severity:    moderate
References:  926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out of bounds read and a stack overflow issue (bsc#926826).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released:    Wed Dec 23 17:40:51 2015
Summary:     Recommended update for acl
Type:        recommended
Severity:    moderate
References:  945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released:    Fri Jan 8 12:37:34 2016
Summary:     Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type:        recommended
Severity:    moderate
References:  932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.
The various GNOME libraries and tools have been changed to use the default libgcrypt allocators.
GNOME keyring was changed not to use MD5 anymore.
libgcrypt was adjusted to free the DRBG on exit to avoid crashes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released:    Thu Feb 4 15:51:22 2016
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)
The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time
The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released:    Thu Mar 3 15:58:18 2016
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  960820
Description:
This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released:    Fri Mar 11 10:17:57 2016
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:
Security issue fixed:
- CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.
A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)
Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released:    Wed Mar 16 18:17:59 2016
Summary:     Recommended update for libcap
Type:        recommended
Severity:    low
References:  967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released:    Fri Apr 1 18:44:16 2016
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released:    Wed Apr 6 16:26:42 2016
Summary:     Security update for gcc5
Type:        security
Severity:    moderate
References:  939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.
The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)
The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released:    Mon Apr 18 09:18:19 2016
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.
This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released:    Tue Apr 19 09:23:39 2016
Summary:     Recommended update for bzip2
Type:        recommended
Severity:    low
References:  970260
Description:
This update for bzip2 fixes the following issues:
- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released:    Thu Apr 28 16:03:24 2016
Summary:     Recommended update for libssh2_org
Type:        recommended
Severity:    important
References:  974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released:    Thu May 19 22:38:01 2016
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  915846
Description:
This update for curl fixes the following issue:
- Fix 'Network is unreachable' error when ipv6 is not available but ipv4 is. This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released:    Wed May 25 18:27:30 2016
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  979629
Description:
This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing fips pattern (bsc#979629)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released:    Tue Jun 7 09:48:12 2016
Summary:     Security update for expat
Type:        security
Severity:    important
References:  979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:
Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released:    Tue Jun 7 10:58:37 2016
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)
Also adding reliability fixes from v1.3.4.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released:    Wed Jun 22 14:32:18 2016
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  981616
Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released:    Thu Jul 7 11:50:47 2016
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  986935
Description:
This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released:    Sat Jul 30 00:39:03 2016
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released:    Thu Aug 11 15:02:18 2016
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released:    Tue Aug 16 09:29:01 2016
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize rejects invalid UTF-8 (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released:    Fri Aug 19 12:58:39 2016
Summary:     Security update for cracklib
Type:        security
Severity:    moderate
References:  992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released:    Thu Sep 8 11:37:44 2016
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released:    Thu Sep 15 20:54:21 2016
Summary:     Optional update for gcc6
Type:        optional
Severity:    low
References:  983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.
Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.
Generic Optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.
C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.
C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.
C++ improvements:
- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.
libstdc++ improvements:
- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit.
Fortran improvements:
- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.
Architecture improvements:
- AArch64 received a lot of improvements.
IA-32/x86-64 improvements:
- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.
PowerPC / PowerPC64 / RS6000 improvements:
- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
  - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
  - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
  - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
  - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
  - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
  - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
  - -mpower9-minmax: Reserved for future development.
  - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.
S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible with the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released:    Fri Sep 16 17:13:43 2016
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)
Also the following bug was fixed:
- fixing a performance issue (bsc#991746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released:    Wed Sep 21 12:58:14 2016
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released:    Wed Nov 2 12:07:51 2016
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released:    Mon Nov 7 20:01:31 2016
Summary:     Recommended update for shadow
Type:        recommended
Severity:    low
References:  1002975
Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released:    Thu Nov 10 20:02:04 2016
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1006469,958369,979436
Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. (bsc#958369)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1744-1
Released:    Fri Dec 2 11:42:41 2016
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.
These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). 
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1782-1 Released: Fri Dec 9 13:35:02 2016 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1001790,1004289,1005404,1006372,1006690,989831,991443 Description: This update for systemd provides the following fixes: - Allow to redirect confirmation messages to a different console. (bsc#1006690) - Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831) - Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289) - Don't emit space usage message right after opening the persistent journal. (bsc#991443) - Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. 
(bsc#1006372) - Document that *KeyIgnoreInhibited only apply to a subset of locks. - Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404) - Revert 'kbd-model-map: add more mappings offered by Yast'. - Don't busy loop when we get a notification message we can't process. - Rename kbd-model-map-extra into kbd-model-map.legacy. - Add kbd-model-map-extra file which contains the additional maps needed by YaST. - Drop localfs.service: unused and not needed anymore. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1827-1 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). 
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). 
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1863-1 Released: Wed Dec 21 10:41:35 2016 Summary: Recommended updated for pth Type: recommended Severity: low References: 1013286 Description: This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2-1 Released: Mon Jan 2 08:35:08 2017 Summary: Security update for zlib Type: security Severity: moderate References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843 Description: This update for zlib fixes the following issues: CVE-2016-9843: Big-endian out-of-bounds pointer CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579) Incompatible declarations for external linkage function deflate (bsc#1003577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:6-1 Released: Tue Jan 3 15:01:58 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538 Description: This update for systemd fixes the following issues: - core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340) - fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989) - coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591) - Ship kbd-model-map with the correct contents. (bsc#1015515) - rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538) - tmpfiles: Don't skip path_set_perms on error. (bsc#953807) - nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390) - systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. 
(bsc#1012818) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:32-1 Released: Mon Jan 9 11:50:42 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 994794 Description: This update for dirmngr enables support for daemon mode. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:47-1 Released: Wed Jan 11 11:42:43 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1018214,1018399 Description: This update for systemd fixes the following two issues: - A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399) - Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:98-1 Released: Thu Jan 19 10:17:55 2017 Summary: Recommended update for kmod Type: recommended Severity: low References: 998906 Description: This update for kmod fixes a rare race condition while loading modules. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:149-1 Released: Wed Jan 25 09:17:08 2017 Summary: Security update for systemd Type: security Severity: important References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156 Description: This update for systemd fixes the following issues: This security issue was fixed: - CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601). 
These non-security issues were fixed: - Fix permission set on /var/lib/systemd/linger/* - install: follow config_path symlink (#3362) - install: fix disable when /etc/systemd/system is a symlink (bsc#1014560) - run: make --slice= work in conjunction with --scope (bsc#1014566) - core: don't dispatch load queue when setting Slice= for transient units - systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266) - rule: don't automatically online standby memory on s390x (bsc#997682) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:185-1 Released: Thu Feb 2 18:22:37 2017 Summary: Security update for cpio Type: security Severity: moderate References: 1020108,963448,CVE-2016-2037 Description: This update for cpio fixes two issues. This security issue was fixed: - CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448). This non-security issue was fixed: - bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:192-1 Released: Fri Feb 3 18:46:05 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597 Description: This update for libxml2 fixes the following issues: * CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544] * Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873] * CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497). For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. 
Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:209-1 Released: Tue Feb 7 17:00:47 2017 Summary: Recommended update for libseccomp Type: recommended Severity: low References: 1019900 Description: This update provides libseccomp version 2.3.1 which fixes the following issues: - Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900) - Fixed problems with ipc syscalls on 32-bit x86 - Fixed problems with socket and ipc syscalls on s390 and s390x ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:212-1 Released: Wed Feb 8 13:07:24 2017 Summary: Security update for expat Type: security Severity: moderate References: 983215,983216,CVE-2012-6702,CVE-2016-5300 Description: This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. 
(bsc#983216) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:228-1 Released: Fri Feb 10 15:39:32 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732 Description: This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641) Security issues fixed: - CVE-2016-7055: The x86_64 optimized montgomery multiplication may produce incorrect results (bsc#1009528) - CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085) - CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086) - Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912) Non-security issues fixed: - fix crash in openssl speed (bsc#1000677) - fix X509_CERT_FILE path (bsc#1022271) - AES XTS key parts must not be identical in FIPS mode (bsc#1019637) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:261-1 Released: Mon Feb 20 11:00:28 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1019276 Description: This update for dirmngr fixes the following issues: - Properly initialize the dirmngr tmpfilesd files right away and not just during reboot - Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276) - Proprely require logrotate as we need it for the dirmngr configs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:365-1 Released: Fri Mar 10 15:16:59 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1006175 Description: This update for sg3_utils fixes the following issue: - Add udev rules to handle legacy CCISS devices (bsc#1006175) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:389-1 Released: Thu Mar 
16 14:16:43 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004094,1006687,1019470,1022014,1022047,1025598,995936 Description: This update for systemd provides the following fixes: - core: Fix memory leak in transient units. (bsc#1025598) - core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687) - sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014) - journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094) - core: Downgrade warning about duplicate device names. (bsc#1022047) - units: Remove no longer needed ldconfig service. (bsc#1019470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:439-1 Released: Tue Mar 21 10:48:47 2017 Summary: Recommended update for netcfg Type: recommended Severity: low References: 1028305,959693 Description: This update for netcfg provides the following fixes: - Update script to generate services to use UTF8 by default. (bsc#1028305) - Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:462-1 Released: Fri Mar 24 21:58:07 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1012973,1015943,1017034,1023283,1025560,1025630 Description: This update for lvm2 fixes the following issues: - Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630) - Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560) - Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034) - Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973) - Add systemd_requires to device-mapper package. 
(bsc#1015943) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:464-1 Released: Mon Mar 27 15:50:51 2017 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1007851,1029725,1029900 Description: This update for glibc fixes a potential segmentation fault in libpthread: - Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:580-1 Released: Wed Apr 12 23:58:47 2017 Summary: Recommended update for cpio Type: recommended Severity: important References: 1028410 Description: This update for cpio fixes the following issues: - A regression caused cpio to crash for tar and ustar archive types [bsc#1028410] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:609-1 Released: Tue Apr 18 11:28:14 2017 Summary: Security update for curl Type: security Severity: moderate References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407 Description: This update for curl fixes the following issues: Security issue fixed: - CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332) - CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309). With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:732-1 Released: Wed May 10 14:03:43 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1030621 Description: This update for procps fixes the following issues: - Command w(1) with option -n doesn't work. 
(bsc#1030621) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:735-1 Released: Wed May 10 15:43:46 2017 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1036736,986783 Description: This update for gpg2 provides the following fixes: - Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736) - Initialize the trustdb before import attempt. (bsc#986783) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:751-1 Released: Thu May 11 17:14:30 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770 Description: This update for systemd provides the following fixes: - logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355) - importd: Support SUSE style checksums. (fate#322054) - journal: Don't remove leading spaces. (bsc#1033855) - Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565) - hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220) - logind: Restart logind on package update only on SLE12 distros. (bsc#1032660) - core: Treat masked files as 'unchanged'. (bsc#1032538) - units: Move Before deps for quota services to remote-fs.target. (bsc#1028263) - udev: Support predictable ifnames on vio buses. (bsc#1029183) - udev: Add a persistent rule for ibmvnic devices. (bsc#1029183) - units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398) - core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610) - vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691) - udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886) - Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. 
(bsc#1030290) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:794-1 Released: Tue May 16 15:41:09 2017 Summary: Security update for bash Type: security Severity: moderate References: 1010845,1035371,CVE-2016-9401 Description: This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:799-1 Released: Wed May 17 00:21:13 2017 Summary: Recommended update for glibc Type: recommended Severity: low References: 1026224,1035445 Description: This update for glibc introduces basic support for IBM POWER9 systems. Additionally, an improper assert in dlclose() has been removed. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:865-1 Released: Wed May 24 16:23:20 2017 Summary: Security update for pam Type: security Severity: moderate References: 1015565,1037824,934920,CVE-2015-3238 Description: This update for pam fixes the following issues: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565). - If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565) - Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:873-1 Released: Fri May 26 16:19:47 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1009532,960273 Description: This update for e2fsprogs provides the following fixes: - Fix 32/64-bit overflow when multiplying by blocks/clusters per group. 
This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532) - Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:877-1 Released: Mon May 29 15:11:48 2017 Summary: Recommended update for cryptsetup Type: recommended Severity: low References: 1031998 Description: This update for cryptsetup provides the following fix: - Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:891-1 Released: Tue May 30 22:28:21 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following issues: - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064) - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066) - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661) - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:907-1 Released: Thu Jun 1 14:23:36 2017 Summary: Recommended update for shadow Type: recommended Severity: low References: 1003978,1031643 Description: This update for shadow fixes the following issues: - Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643) - useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID was iterated to find an available UID/GID. 
This could take long time over a network device. Instead, find available UID/GID locally, and then check only those values over network. (bsc#1003978) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:918-1 Released: Tue Jun 6 12:35:44 2017 Summary: Recommended update for libsemanage, selinux-policy Type: recommended Severity: moderate References: 1020143,1032445,1035818,1038189 Description: This update for libsemanage, selinux-policy fixes the following issues: - Limit to policy version 29 by default. - Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:939-1 Released: Mon Jun 12 10:56:22 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following security issues: * CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661) * CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066) * CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063) * CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:959-1 Released: Wed Jun 14 14:38:11 2017 Summary: Recommended update for gcc5 Type: recommended Severity: low References: 1043580 Description: This update for gcc5 fixes the version of libffi in its pkg-config configuration file. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:962-1
Released:    Wed Jun 14 16:33:07 2017
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)

Non-security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause a server crash (bsc#972331)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released:    Mon Jun 19 14:57:41 2017
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:

- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the FIPS selftests; this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released:    Mon Jun 19 17:19:44 2017
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:

- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. (bsc#1039357)
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. (bsc#1040043)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released:    Fri Jun 23 16:38:55 2017
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1038194
Description:
This update for e2fsprogs provides the following fixes:

- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released:    Mon Jun 26 08:12:24 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer dereference in xmlDumpElementContent (bsc#1024989)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released:    Mon Jun 26 13:22:26 2017
Summary:     Recommended update for libsemanage, policycoreutils
Type:        recommended
Severity:    low
References:  1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:

- Show version numbers of modules where they are available (bsc#1043237)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released:    Fri Jun 30 10:54:06 2017
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    low
References:  1045943
Description:
This update for dirmngr provides the following fix:

- Change logrotate from Requires to Recommends (bsc#1045943)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released:    Fri Jun 30 15:36:17 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released:    Tue Jul 4 16:13:55 2017
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:

Security issue fixed:
- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)

The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released:    Thu Jul 6 11:37:18 2017
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:

- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released:    Fri Jul 7 11:23:20 2017
Summary:     Recommended update for ncurses
Type:        security
Severity:    important
References:  1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function.
(bsc#1046853)

Bugfixes:
- Drop patch ncurses-5.9-environment.dif, as the YaST2 ncurses GUI does not need it anymore and it causes bug bsc#1000662
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released:    Fri Jul 14 17:20:26 2017
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1031702
Description:
This update for openldap2 provides the following fix:

- Fix a regression in handling of non-blocking connections (bsc#1031702)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released:    Wed Jul 19 11:12:51 2017
Summary:     Security update for systemd, dracut
Type:        security
Severity:    important
References:  1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:

Security issues fixed:
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

Non-security issues fixed in systemd:
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

Non-security issues fixed in dracut:
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft). (bsc#1037120)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1222-1
Released:    Wed Jul 26 17:15:18 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1034563,1039941
Description:
This update for procps provides the following fixes:

- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1245-1
Released:    Thu Aug 3 10:43:15 2017
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445
Description:
This update for systemd provides several fixes and enhancements.

Security issues fixed:
- CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1268-1
Released:    Mon Aug 7 10:09:19 2017
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364
Description:
This update for openssl fixes the following issues, including fixes for our ongoing FIPS 140-2 evaluation:

- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address the SWEET32 problem (bsc#1027908)
- Use the getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy, to comply with FIPS 140-2 IG 7.14 (bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environment variable (bsc#1028723)
- s_client sent an empty client certificate (bsc#1028281). Add back the certificate initialization set_cert_key_stuff() which was removed in a previous update.
- Fix a bug in XTS key handling (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1279-1
Released:    Mon Aug 7 14:46:40 2017
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1316-1
Released:    Thu Aug 10 13:54:27 2017
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1014471,1026825,1044840,938657
Description:
This update for cyrus-sasl provides the following fixes:

- Fix SASL GSSAPI mechanism acceptor wrongly returning zero maxbufsize
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message (bsc#1044840)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1326-1
Released:    Fri Aug 11 16:59:04 2017
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1330-1
Released:    Mon Aug 14 18:41:29 2017
Summary:     Recommended update for sed
Type:        recommended
Severity:    low
References:  954661
Description:
This update for sed provides the following fixes:

- Don't terminate with a segmentation fault if close of the last file descriptor fails. (bsc#954661)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2017:1333-1
Released:    Tue Aug 15 17:59:30 2017
Summary:     Optional update for libverto
Type:        optional
Severity:    low
References:  1029561
Description:
This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1334-1
Released:    Tue Aug 15 20:09:03 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1048679,874665
Description:
This update for systemd fixes the following issues:

- compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464)
- timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1335-1
Released:    Wed Aug 16 11:24:21 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1051643,1051644,CVE-2017-1000100,CVE-2017-1000101
Description:
This update for curl fixes the following issues:

- CVE-2017-1000100: TFTP sends more than buffer size and it could lead to a denial of service (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1347-1
Released:    Fri Aug 18 11:03:57 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    important
References:  1053409
Description:
This update for procps fixes the following issues:

- Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409).
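Returning to the openssl update SUSE-RU-2017:1268-1 above, which drops the DES-CBC3-SHA suites from DEFAULT_SUSE because of SWEET32: the practical question for an operator is how to tell whether a cipher list, or the context a program actually negotiates with, still offers a 64-bit block cipher, and how to express the same exclusion in a cipher string. The following is an added example, not part of the advisory or of SUSE's openssl packaging; the marker substrings, the `sweet32_exposed`/`audit_context`/`hardened_context` names and the sample cipher list are constructed for the illustration (the list is not captured output from any real system). It relies only on Python's `ssl` module and the standard OpenSSL cipher-string syntax.

```python
"""Audit an OpenSSL cipher list for the 64-bit-block (SWEET32) suites that the
openssl update drops from DEFAULT_SUSE.  Added example; not part of the
advisory or of SUSE's openssl packaging."""
import ssl
from typing import Iterable, List

# SWEET32 (CVE-2016-2183) is a birthday attack on 64-bit block ciphers.  In
# OpenSSL suite names 3DES appears as "DES-CBC3" and single DES as "DES-CBC-".
# These marker substrings are an assumption of this example, not an OpenSSL API.
SWEET32_MARKERS = ("DES-CBC3", "DES-CBC-")


def sweet32_exposed(cipher_names: Iterable[str]) -> List[str]:
    """Return the suites from cipher_names that still use a 64-bit block cipher."""
    return [name for name in cipher_names
            if any(marker in name for marker in SWEET32_MARKERS)]


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Run the same check against the suites a live SSLContext would offer."""
    return sweet32_exposed(c["name"] for c in ctx.get_ciphers())


def hardened_context() -> ssl.SSLContext:
    """Client context with the same policy effect as removing DES-CBC3-SHA from
    DEFAULT_SUSE: OpenSSL's '3DES' keyword negates every 3DES suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("DEFAULT:!3DES")
    return ctx


# Constructed sample: what an unpatched build might list for its default set,
# with 3DES still present.  Not captured from any real system.
SAMPLE_DEFAULT_SUSE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
]


if __name__ == "__main__":
    print("exposed in sample list:   ", sweet32_exposed(SAMPLE_DEFAULT_SUSE))
    print("exposed in hardened context:", audit_context(hardened_context()))
```

`audit_context` is the check worth keeping: a distribution-level DEFAULT change only helps programs that do not set their own cipher string, so an application that calls `set_ciphers` itself has to be audited through the context it builds, not through `openssl ciphers` on the command line.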
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1349-1
Released:    Fri Aug 18 12:31:07 2017
Summary:     Recommended update for lua51
Type:        recommended
Severity:    low
References:  1051626
Description:
This update for lua51 provides the following fixes:

- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1390-1
Released:    Fri Aug 25 15:14:27 2017
Summary:     Security update for libzypp
Type:        security
Severity:    important
References:  1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.

yast2-pkg-bindings:
- Do not crash when the repository URL is not defined. (bsc#1043218)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1419-1
Released:    Wed Aug 30 15:38:22 2017
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:

- CVE-2016-9063: Possible integer overflow inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1439-1
Released:    Fri Sep 1 15:31:05 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1045384,1045987,1046268,1047379,1048605
Description:
This update for systemd fixes the following issues:

- Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1447-1
Released:    Mon Sep 4 15:38:20 2017
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    important
References:  1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:
- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)

zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1450-1
Released:    Mon Sep 4 16:36:07 2017
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  1035062,944903
Description:
This update for insserv-compat fixes the following issues:

- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1453-1
Released:    Mon Sep 4 21:23:50 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:

- libgcrypt stored an open file descriptor to the random device in a static variable between invocations.
  gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null, which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in the healthcheck sanity test, to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- Fix a bug in gcry_drbg_healthcheck_sanity() which caused some of the tests to be skipped (bsc#1046659)
- dlsym returns a PLT address on s390x; dlopen libgcrypt20.so before calling dlsym (bsc#1047008)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1548-1
Released:    Fri Sep 15 18:19:12 2017
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:

- Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fall back to using sg_inq --page when using multipath devices in AutoYaST installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1592-1
Released:    Tue Sep 26 17:38:03 2017
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1028485,1045628,978055,998893,999878
Description:
This update for lvm2 provides the following fixes:

- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1644-1
Released:    Mon Oct 9 07:52:24 2017
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.

This security issue was fixed:
- CVE-2017-11462: Prevent automatic security context deletion to avoid a double free (bsc#1056995)

These non-security issues were fixed:
- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1663-1
Released:    Tue Oct 10 12:05:09 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1043615,1046173
Description:
This update for dbus-1 provides the following fixes:

- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
- Remove call to initscripts related macros from the spec file, as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1703-1
Released:    Tue Oct 17 13:20:12 2017
Summary:     Recommended update for audit
Type:        recommended
Severity:    low
References:  1042781
Description:
This update for audit provides the following fix:

- Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1758-1
Released:    Mon Oct 23 08:47:47 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)

Bugs fixed:
- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1796-1
Released:    Fri Oct 27 21:25:06 2017
Summary:     Recommended update for pcre
Type:        recommended
Severity:    moderate
References:  1058722
Description:
This update for pcre fixes the following issues:

- Fixed the pcre stack frame size detection, because modern compilers break it by cloning and inlining the pcre match() function (bsc#1058722)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1797-1
Released:    Sat Oct 28 12:06:19 2017
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1028304,1048645,1060738
Description:
This update for permissions fixes the following issues:

- Allow users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. (bsc#1028304)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1826-1
Released:    Wed Nov 8 08:47:17 2017
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:

Security issues fixed:
- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could, under specific circumstances, be used to execute code (bsc#1065274)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1829-1
Released:    Wed Nov 8 08:50:00 2017
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1023895,1052261,980486,CVE-2017-12424
Description:
This update for shadow fixes several issues.

This security issue was fixed:
- CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have led to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261).

These non-security issues were fixed:
- bsc#1023895: Fixed the man page to not contain invalid options, and also prevent warnings when using these options in certain settings
- bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1881-1
Released:    Wed Nov 22 16:29:58 2017
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:
The GNU file utility was updated to version 5.22.

Security issues fixed:
- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)

Version update to file version 5.22
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.

Version update to file version 5.21
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads

Update to file version 5.20
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support

Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* The file command threw the error 'Composite Document File V2 Document, corrupt: Can't read SSAT' against the Excel 97/2003 file format. (bsc#1009966)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1903-1
Released:    Fri Nov 24 16:19:37 2017
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:

Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)

Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1916-1
Released:    Fri Nov 24 20:15:01 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    important
References:  1043333,1059723
Description:
This update for libgcrypt provides the following fix:

- Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon. (bsc#1059723)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1917-1
Released:    Mon Nov 27 13:32:07 2017
Summary:     Optional update for gcc7
Type:        recommended
Severity:    low
References:  1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.

New features:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-nvptx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA card offload support.

The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 7, several bugs have been fixed, quite a few new warnings have been added, and error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1965-1 Released: Thu Nov 30 12:48:45 2017 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410 Description: The Software Update Stack was updated to receive fixes and enhancements. libsolv: - Many fixes and improvements for cleandeps. - Always create dup rules for 'distupgrade' jobs. - Use recommends also for ordering packages. - Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065) - Expose solver_get_recommendations() in bindings. - Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations(). - Support 'without' and 'unless' dependencies. - Use same heuristic as upstream to determine source RPMs. - Fix memory leak in bindings. - Add pool_best_solvables() function. - Fix 64bit integer parsing from RPM headers. - Enable bzip2 and xz/lzma compression support. - Enable complex/rich dependencies on distributions with RPM 4.13+. libzypp: - Fix media handling in presence of a repo path prefix. (bsc#1062561) - Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561) - Remove unused legacy notify-message script. (bsc#1058783) - Support multiple product licenses in repomd. (fate#322276) - Propagate 'rpm --import' errors. (bsc#1057188) - Fix typos in zypp.conf. zypper: - Locale: Fix possible segmentation fault. (bsc#1064999) - Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384) - Unify '(add|modify)(repo|service)' property related arguments. 
- Fixed 'add' commands supporting to set only a subset of properties. - Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671) - Fix missing package names in installation report. (bsc#1058695) - Differ between unsupported and packages with unknown support status. (bsc#1057634) - Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1966-1 Released: Thu Nov 30 13:45:24 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249 Description: This update for systemd fixes the following issues: - unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995) - compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249) - compat-rules: Allow to specify the generation number through the kernel command line. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - tmpfiles: Remove old ICE and X11 sockets at boot. - tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472) - pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on. - shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595) - shutdown: Fix incorrect fscanf() result check. - shutdown: Don't remount,ro network filesystems. (bsc#1035386) - shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641) - bash-completion: Add support for --now. (bsc#1053137) - Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. 
(bsc#1050152) - Add a rule to teach hotplug to offline containers transparently. (bsc#1040800) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1968-1 Released: Thu Nov 30 19:49:33 2017 Summary: Recommended update for coreutils Type: recommended Severity: low References: 1026567,1043059,965780 Description: This update for coreutils provides the following fixes: - Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567) - Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059) - Significantly speed up df(1) for huge mount lists. (bsc#965780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1970-1 Released: Thu Nov 30 22:55:41 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058) - CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242) - Out of bounds read+crash in DES_fcrypt (bsc#1065363) - openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2021-1 Released: Fri Dec 8 10:11:04 2017 Summary: Recommended update for file Type: recommended Severity: moderate References: 1070878,1070958 Description: This update for file fixes detection of JPEG files. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2031-1 Released: Mon Dec 11 12:55:57 2017 Summary: Recommended update for gzip Type: recommended Severity: low References: 1067891 Description: This update for gzip provides the following fix: - Fix mishandling of leading zeros in the end-of-block code (bsc#1067891) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2036-1 Released: Wed Dec 13 16:34:21 2017 Summary: Recommended update for util-linux Type: recommended Severity: low References: 1039276,1040968,1055446,1066500 Description: This update for util-linux provides the following fixes: - Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968) - Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446) - Fix a lscpu failure on Sydney Amazon EC2 region. (bsc#1066500) - If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2097-1 Released: Sat Dec 16 01:59:00 2017 Summary: Security update for openssl Type: security Severity: important References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738 Description: This update for openssl fixes the following issues: - OpenSSL Security Advisory [07 Dec 2017] * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \'error state\' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. 
In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. O penSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905) * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2137-1 Released: Thu Dec 21 17:49:12 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1046173,1071698 Description: This update for dbus-1 provides the following fixes: - The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. 
(bsc#1071698) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:4-1 Released: Tue Jan 2 15:58:20 2018 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1057640,1067605,1068708,1071466,969569 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Don't store duplicated locks. (bsc#969569) - Fix default for solver.allowNameChange. (bsc#1071466) - Don't filter procs with a different mnt namespace. (bsc#1068708) - Support repo variables in an URIs host:port component. (bsc#1057640, bsc#1067605) zypper: - Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:38-1 Released: Tue Jan 9 14:56:43 2018 Summary: Recommended update for kmod Type: recommended Severity: low References: 1070209 Description: This update for kmod provides the following fix: - Fix resolving .TOC. in modules on 4.4 and older kernel (bsc#1070209) - Fix kernel master build for ppc64le (bsc#1070209) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:55-1 Released: Fri Jan 12 09:45:49 2018 Summary: Security update for glibc Type: security Severity: important References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001 Description: This update for glibc fixes the following issues: - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. 
[CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:86-1 Released: Wed Jan 17 09:38:17 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:88-1 Released: Wed Jan 17 14:41:17 2018 Summary: Security update for curl Type: security Severity: moderate References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226). - CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:90-1 Released: Wed Jan 17 14:44:33 2018 Summary: Recommended update for lvm2 Type: recommended Severity: low References: 1063051,1067312 Description: This update for lvm2 provides the following fix: - Backport various upstream fixes for clvmd. (bsc#1063051) - Don't print error messages on testing the connection to the daemon. (bsc#1063051) - Fix handling of udev CHANGE events with systemd. (bsc#1067312) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:146-1 Released: Thu Jan 25 11:44:23 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1064397,1065083 Description: This update for openldap2 provides the following fixes: - Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083) - Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:149-1 Released: Thu Jan 25 13:38:37 2018 Summary: Security update for curl Type: security Severity: moderate References: 1077001,CVE-2018-1000007 Description: This update for curl fixes one issues. 
This security issue was fixed: - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:209-1 Released: Tue Jan 30 10:53:43 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734 Description: This update for ncurses fixes several issues. These security issues were fixed: - CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have lead to a remote denial of service attack (bsc#1056126). - CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056127). - CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056128). - CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have lead to a remote denial of service attack (bsc#1056129). - CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have lead to a remote denial of service attack (bsc#1056131). - CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have lead to a remote denial of service attack (bsc#1056132). - CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have lead to a remote denial of service attack (bsc#1056136). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:213-1 Released: Tue Jan 30 14:36:40 2018 Summary: Security update for systemd Type: security Severity: moderate References: 1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049 Description: This update for systemd fixes several issues. This security issue was fixed: - CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308). These non-security issues were fixed: - core: don't choke if a unit another unit triggers vanishes during reload - delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX - delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428) - delta: check if a prefix needs to be skipped only once - delta: skip symlink paths when split-usr is enabled (#4591) - sysctl: use raw file descriptor in sysctl_write (#7753) - sd-netlink: don't take possesion of netlink fd from caller on failure (bsc#1074254) - Fix the regexp used to detect broken by-id symlinks in /etc/crypttab It was missing the following case: '/dev/disk/by-id/cr_-xxx'. - sysctl: disable buffer while writing to /proc (bsc#1071558) - Use read_line() and LONG_LINE_MAX to read values configuration files. 
(bsc#1071558) - sysctl: no need to check for eof twice - def: add new constant LONG_LINE_MAX - fileio: add new helper call read_line() as bounded getline() replacement - service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156) - gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280) - gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422) - fstab-util: introduce fstab_has_fstype() helper - fstab-generator: ignore root=/dev/nfs (#3591) - fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452) - virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510) - analyze: replace --no-man with --man=no in the man page (bsc#1068251) - udev: net_setup_link: don't error out when we couldn't apply link config (#7328) - Add missing /etc/systemd/network directory - Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510) - sd-bus: use -- when passing arguments to ssh (#6706) - systemctl: make sure we terminate the bus connection first, and then close the pager (#3550) - sd-bus: bump message queue size (bsc#1075724) - tmpfiles: downgrade warning about duplicate line ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:214-1 Released: Tue Jan 30 14:37:42 2018 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1076832,CVE-2018-6003 Description: This update for libtasn1 fixes one issue. This security issue was fixed: - CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding BER encoded structure allowed for DoS (bsc#1076832). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:276-1 Released: Thu Feb 8 17:47:43 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130 Description: This update for libxml2 fixes one issue. This security issue was fixed: - CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993) - CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813) - CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:291-1 Released: Mon Feb 12 11:50:39 2018 Summary: Recommended update for bash Type: recommended Severity: low References: 1057452,1076909 Description: This update for bash provides the following fix: - Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452) - Fix a crash when filesystem is full. (bsc#1076909) - Enable multi-byte characters by default. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:314-1 Released: Thu Feb 15 14:47:35 2018 Summary: Security update for glibc Type: security Severity: important References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551 Description: This update for glibc fixes the following issues: Security issues fixed: - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293) Non security bugs fixed: - Release read lock after resetting timeout (bsc#1073990) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:355-1 Released: Mon Feb 26 16:34:46 2018 Summary: Security update for systemd Type: security Severity: moderate References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless protected_hardlinks sysctl is on. 
This could be used by local attackers to gain privileges (bsc#1077925) Non Security issues fixed: - core: use id unit when retrieving unit file state (#8038) (bsc#1075801) - cryptsetup-generator: run cryptsetup service before swap unit (#5480) - udev-rules: all values can contain escaped double quotes now (#6890) - strv: fix buffer size calculation in strv_join_quoted() - tmpfiles: change ownership of symlinks too - stdio-bridge: Correctly propagate error - stdio-bridge: remove dead code - remove bus-proxyd (bsc#1057974) - core/timer: Prevent timer looping when unit cannot start (bsc#1068588) - Make systemd-timesyncd use the openSUSE NTP servers by default Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com - Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224) But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if tmp.mount in use is located in /usr. - Enable systemd-networkd on Leap distros only (bsc#1071311) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:375-1 Released: Wed Feb 28 16:33:37 2018 Summary: Recommended update for net-tools Type: recommended Severity: low References: 1009905,1063910 Description: This update for net-tools provides the following fix: - netstat: fix handling of large socket numbers (bsc#1063910) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:439-1 Released: Fri Mar 9 14:05:22 2018 Summary: Security update for augeas Type: security Severity: low References: 1054171,CVE-2017-7555 Description: This update for augeas fixes the following issues: Security issue fixed: - CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:443-1 Released: Fri Mar 9 18:02:14 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1081556,CVE-2017-12133 Description: This update for glibc fixes the following issues: - CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:446-1 Released: Mon Mar 12 13:13:55 2018 Summary: Security update for shadow Type: security Severity: moderate References: 1081294,CVE-2018-7169 Description: This update for shadow fixes the following issues: - CVE-2018-7169: Fixed an privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:465-1 Released: Thu Mar 15 07:38:52 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1075743,1078358,1081170 Description: This update for systemd fixes the following issues: - Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:472-1 Released: Thu Mar 15 10:47:40 2018 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: low References: 1074687,1075449,1076415,1079334,953130 Description: This update for libsolv, libzypp and zypper provides the following fixes: libsolv: - Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130) - Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM. - Add a new function to change the whatprovides data: pool_set_whatprovides. 
- Significant improvements in the selection code. libzypp: - Make sure deleted keys are also removed from rpmdb. (bsc#1075449) - plugin: Don't reject header values containing ':'. (bsc#1074687) - RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415) zypper: - Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:522-1 Released: Thu Mar 22 08:20:46 2018 Summary: Security update for curl Type: security Severity: moderate References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122 Description: This update for curl fixes the following issues: Following security issues were fixed: - CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521). - CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524). - CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:567-1 Released: Thu Mar 29 14:02:08 2018 Summary: Security update for krb5 Type: security Severity: moderate References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730 Description: This update for krb5 provides the following fixes: Security issues fixed: - CVE-2018-5730: DN container check bypass by supplying special crafted data (bsc#1083927). - CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying special crafted data (bsc#1083926). Non-security issues fixed: - Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. 
System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released: Thu Apr 5 17:22:37 2018
Summary: Security update for libidn
Type: security
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.

This security issue was fixed:
- CVE-2017-14062: Prevent an integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released: Wed Apr 11 18:02:57 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial of Service attack. No such structures used within SSL/TLS come from untrusted sources, so TLS itself is considered safe. (bsc#1087102)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed a heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed a sharp-s regexp overflow (bsc#1082234).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:

Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix a bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use the license tag instead of doc in the spec file. (bsc#1082318)

Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to the CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released: Wed May 2 22:16:26 2018
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:
- Fix find-lang.sh to handle the special case of .qm file paths correctly. (bsc#1027925)
- Add the %sle_version macro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0 or 1 if the first version is less than, equal to or greater than the second version, respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released: Mon May 7 07:07:38 2018
Summary: Recommended update for gcc7
Type: recommended
Severity: important
References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update for gcc7 to the 7.3 release fixes the following issues:
- Update to the GCC 7.3 release and further update to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds a backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- The update includes a fix for a chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks a fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains a fix for PR82445, which is about an RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed a bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to behavior compatible with the default ABI. [bsc#1087550]
- Fix the nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with the GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released: Thu May 17 08:41:30 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:

Security issues fixed:
- CVE-2018-1000301: Fixed an RTSP bad-headers buffer over-read that could crash the curl client (bsc#1092098)

Non-security issues fixed:
- If the DEFAULT_SUSE cipher list is not available, use the HIGH cipher alias before failing. (bsc#1086825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released: Wed May 23 16:46:50 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:
- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add the offline environmental condition to the udev rules for acpi containers to prevent them from being triggered by 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released: Wed May 23 17:14:16 2018
Summary: Security update for bash
Type: security
Severity: moderate
References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:

Security issues fixed:
- CVE-2016-7543: A code execution possibility via the SHELLOPTS and PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via a malicious hostname was fixed (bsc#1000396)

Non-security issues fixed:
- Fix repeated self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released: Wed May 23 17:18:39 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321
Description:
This update for zlib fixes the following issues:
- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released: Tue Jun 5 13:20:44 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1089884
Description:
This update for pam fixes the following issues:
- Fix the order of accessed configuration files in the man page. (bsc#1089884)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released: Wed Jun 6 11:44:25 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:
- CVE-2017-18269: Fix an SSE2 memmove issue when crossing a 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix an overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond the buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)

Non-security bugs fixed:
- Fix a crash in the resolver on memory allocation failure (bsc#1086690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released: Thu Jun 7 12:58:56 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1073879,1080078,964063
Description:
This update for rpm fixes the following issues:
- Backport support for the no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros.
(bsc#1080078)

Additionally, this update adds python3-rpm to SUSE Linux Enterprise Server.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released: Fri Jun 15 13:41:08 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:
- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released: Fri Jun 15 19:19:51 2018
Summary: Recommended update for openssl
Type: recommended
Severity: moderate
References: 1090765
Description:
This update for openssl provides the following fix:
- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released: Thu Jun 28 13:44:16 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via an mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to heap corruption in the file2strvec function. This allowed privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent a stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released: Thu Jul 5 08:36:17 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite, a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released: Tue Jul 17 08:07:57 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed a heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed a sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

This non-security issue was fixed:
- Fix a debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released: Thu Jul 19 09:43:21 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released: Thu Jul 26 16:32:29 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:
- Fixed a crash loop in lscpu (bsc#1072947).
- Fixed a possible segfault of umount -a.
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1413-1
Released: Fri Jul 27 12:41:13 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released: Mon Jul 30 10:10:45 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released: Mon Aug 13 13:41:22 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for the libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1610-1
Released: Thu Aug 16 14:04:25 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released: Thu Aug 16 14:49:45 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released: Thu Aug 16 15:27:04 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:
- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend the D-Bus authentication timeout considerably.
- scsi_id: Fix up the prefix for pre-SPC inquiry replies. (bsc#1039099)
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096)
- compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096)
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for DOS partition tables.
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search preset files in /run.
- man: Updated the systemd-analyze blame description for service units with Type=simple. (bsc#1091265)
- logind: Fix a crash when shutdown is not issued from a tty. (bsc#1088890)
- logind: Do not use an uninitialized variable. (bsc#1088890)
- Disable user services by default. (bsc#1090785)
- Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post, which left the symlink not owned by any package and, more importantly, created it only if /etc/sysctl.conf was already installed, which is not always the case during the installation process. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead, since it is a distro default that might be overridden by the sysadmin later.
- systemd: Add the offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule so that it can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in the kernel. This change prevents the udev rules for acpi containers from being triggered by 'udevadm trigger' from user space.
- build-sys: Explicitly require python3. (bsc#1082004)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1636-1
Released: Thu Aug 16 15:30:11 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1689-1
Released: Mon Aug 20 09:02:24 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package.
(bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1691-1
Released: Mon Aug 20 09:04:17 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for the libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1695-1
Released: Mon Aug 20 09:19:20 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed a heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed a sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

This non-security issue was fixed:
- Fix a debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1698-1
Released: Mon Aug 20 09:19:28 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1834-1
Released: Wed Sep 5 10:17:42 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1089761,1090944,1101040,1103910
Description:
This update for systemd fixes the following issues:
- cryptsetup: Add support for the sector-size= option. (fate#325634)
- resolved: Apply epoch to system time from PID 1. (bsc#1103910)
- core/service: Rework the hold-off time over message.
- core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- Add the udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1903-1
Released: Fri Sep 14 12:46:21 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1089533,1106019,CVE-2018-14618
Description:
This update for curl fixes the following issues:

This security issue was fixed:
- CVE-2018-14618: Prevent an integer overflow in the NTLM authentication code (bsc#1106019)

This non-security issue was fixed:
- Fixed an erroneous debug message when paired with OpenSSL (bsc#1089533)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1969-1
Released: Mon Sep 24 08:06:42 2018
Summary: Security update for libzypp, zypper
Type: security
Severity: important
References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685
Description:
This update for libzypp, zypper fixes the following issues:

Update libzypp to version 16.17.20:

Security issues fixed:
- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)

Other bugs fixed:
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in the curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against an empty commit without the Target having been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)

Update zypper to version 1.13.45:

Security issues fixed:
- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)

Other bugs fixed:
- XML attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1985-1
Released: Mon Sep 24 11:56:08 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640
Description:
This update for openldap2 provides the following fix:
- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1994-1
Released: Mon Sep 24 12:55:57 2018
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1106914
Description:
This update for shadow fixes the following security issue:
- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2069-1
Released: Fri Sep 28 08:01:25 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737
Description:
This update for openssl fixes the following issues:

These security issues were fixed:
- Prevent the One&Done side-channel attack on RSA that allowed physically proximate attackers to use EM emanations to recover information (bsc#1104789)
- CVE-2018-0737: The RSA key generation algorithm has been shown to be vulnerable to a cache timing side-channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039)

These non-security issues were fixed:
- Add an openssl(cli) Provide so that packages which require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)
- Fixed the path to the engines, which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2162-1
Released: Fri Oct 5 14:46:53 2018
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1088921
Description:
This update for krb5 provides the following fix:
- Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2181-1
Released: Tue Oct 9 11:08:20 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:
This update for libxml2 fixes the following security issues:
- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).
- CVE-2018-14404: Prevent a NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case, leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2196-1
Released: Thu Oct 11 07:45:16 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564
Description:
The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8-compatible libstdc++, libgcc_s1 and other gcc-derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 8, several bugs fixed, quite some new warnings added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html

Changes needed and common pitfalls when porting software are described at: https://gcc.gnu.org/gcc-8/porting_to.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2217-1
Released: Fri Oct 12 15:07:24 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1094121,1107430
Description:
This update for bash provides the following fixes:
- Fix inconsistent behaviour regarding expansion of here strings. (bsc#1094121)
- Fix mis-matching of the null string with the '*' pattern. (bsc#1107430)
- Fix a crash when the lastpipe option is enabled.
- Fix a typo that was preventing the `compat42' shopt option from working as intended.
- Help the shell to process any pending traps at redirection.
- Fix a crash due to incorrect conversion from an indexed to an associative array.
- Avoid the expansion of escape sequences in HOSTNAME in the prompt.
- Avoid the `xtrace' attack over $PS4.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2373-1
Released: Mon Oct 22 14:43:47 2018
Summary: Security update for rpm
Type: security
Severity: moderate
References: 1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)

This non-security issue was fixed:
- Use the ksym-provides tool [bsc#1077692]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released: Wed Oct 24 14:42:43 2018
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:
This update for systemd fixes the following issues:
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove the udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after the identifier in syslog messages
- syslog: fix a segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill the user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix a race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released: Thu Oct 25 16:56:24 2018
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:
- Add a file size check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for a finished child process (bsc#1109877)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released: Fri Oct 26 12:39:59 2018
Summary: Recommended update for cpio
Type: recommended
Severity: low
References: 1076810,889138
Description:
This update for cpio provides the following fix:
- Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Type: recommended
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:
- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed an unneeded requires on kbd in order to resolve a build cycle between kbd and console-setup. (bsc#963942)

Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add the kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non-x86 platforms.
  * Drop references to KEYTABLE and COMPOSETABLE.
(bsc#1010880) * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454) * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468) * Add vlock.pamd PAM file. (bsc#1056449) * Enable vlock (bsc#1056449). * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that needs this to be present. (bsc#1027379) * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958) * Fix missing dependency on coreutils for initrd macros. (bsc#958562) * Call missing initrd macro at postun. (bsc#958562) * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426) * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426) * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426) * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign. (bsc#360993) * Drop doshell reference from openvt.1 man page. (bsc#675317) * Drop the --userwait option as it is not used. (bsc#830805) * Fix a typo in the mac-querty-layout.inc. (bsc#825385) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2525-1 Released: Tue Oct 30 09:22:45 2018 Summary: Recommended update for bash Type: recommended Severity: important References: 1113117 Description: This update for bash fixes the following issues: Recently released update introduced a change of behavior which resulted in broken customers scripts. 
(bsc#1113117) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2563-1 Released: Fri Nov 2 17:09:49 2018 Summary: Security update for curl Type: security Severity: moderate References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842 Description: This update for curl fixes the following issues: - CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758) - CVE-2018-16842: A Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2567-1 Released: Fri Nov 2 18:59:06 2018 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1047937,1057150,1057900,1099452,906858 Description: This update for apparmor provides the following fixes: - Add profile for usr.bin.lessopen.sh (bsc#906858) - Fix dovecot apparmor profile (bsc#1057150) - Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937) - Fix the traceroute profile to allow ipv6 usage (bsc#1057900) - Fix duplicate entry of capability when performing aa-logprof (bsc#1099452) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2593-1 Released: Wed Nov 7 11:04:00 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1095148,1113100 Description: This update for rpm fixes the following issues: - Fix superfluous TOC. 
dependency on PowerPC64 (bsc#1113100) - Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2659-1 Released: Wed Nov 14 14:14:41 2018 Summary: Security update for systemd Type: security Severity: important References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non-security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user at .service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - socket-util: introduce port argument in sockaddr_port() - service: fixup ExecStop for socket-activated shutdown (#4120) - service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923) - cryptsetup: build fixes for 'add support for sector-size= option' - udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278) - core: keep the kernel coredump 
defaults when systemd-coredump is disabled - core: shorten main() a bit, split out coredump initialization - core: set RLIMIT_CORE to unlimited by default (bsc#1108835) - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - tmp.mount.hm4: After swap.target (#3087) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2760-1 Released: Thu Nov 22 16:25:38 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652). - CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534). - Add missing timing side channel patch for DSA signature generation (bsc#1113742). Non-security issues fixed: - Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released: Fri Nov 23 17:07:27 2018
Summary: Security update for rpm
Type: security
Severity: important
References: 943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)
This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released: Fri Nov 23 17:08:32 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released: Tue Nov 27 13:39:49 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:
This non-security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released: Mon Dec 3 15:34:09 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released: Wed Dec 5 09:29:31 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:
- Systemd aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released: Wed Dec 5 09:57:54 2018
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:
- Allow setuid root for start-suid tool of singularity (group only) bsc#1028304
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247 bsc#1097665)
- Make btmp root:utmp (bsc#1050467)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released: Wed Dec 5 09:59:45 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:
- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released: Tue Dec 11 21:48:05 2018
Summary: Recommended update for blog
Type: recommended
Severity: moderate
References: 1071568
Description:
This update for blog fixes the following issues:
- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in the same manner as used by the release notes
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released: Mon Dec 17 08:51:28 2018
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:
- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released: Tue Jan 8 13:07:17 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:
- quote: Escape literal backslashes (bsc#953659).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Type: security
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:
Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released: Mon Jan 21 13:53:58 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:
Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)
Non-security issues fixed:
- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state, and that failure exit code prevented the hot-added memory block from being set online. (bsc#1076696)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Type: recommended
Severity: important
References: 1121450
Description:
This update for ncurses fixes the following issues:
- ncurses applications freezing (bsc#1121450)

From sle-updates at lists.suse.com Thu Jan 16 10:01:12 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:01:12 +0100 (CET)
Subject: SUSE-CU-2019:732-1: Security update of caasp/v4/salt-master
Message-ID: <20200116170112.EF9BAF798@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/salt-master
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:732-1
Container Tags : caasp/v4/salt-master:2018.3.0 , caasp/v4/salt-master:2018.3.0-rev1 , caasp/v4/salt-master:2018.3.0-rev1-build2.1 , caasp/v4/salt-master:beta1
Severity : important
Type : security
References : 1073748 1109847 1120149 1122191 CVE-2018-14647 CVE-2019-5010
-----------------------------------------------------------------
The container caasp/v4/salt-master was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:440-1
Released: Tue Feb 19 18:52:51 2019
Summary: Recommended update for dmidecode
Type: recommended
Severity: moderate
References: 1120149
Description:
This update for dmidecode fixes the following issues:
- Extensions to Memory Device (Type 17) (FATE#326831 bsc#1120149)
- Add 'Logical non-volatile device' to the memory device types (FATE#326831 bsc#1120149)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:482-1
Released: Mon Feb 25 11:57:46 2019
Summary: Security update for python
Type: security
Severity: important
References: 1073748,1109847,1122191,CVE-2018-14647,CVE-2019-5010
Description:
This update for python fixes the following issues:
Security issues fixed:
- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191).
- CVE-2018-14647: Fixed a denial-of-service vulnerability in Expat (bsc#1109847).
Non-security issue fixed:
- Fixed a bug where the PyWeakReference struct was not initialized correctly, leading to a crash (bsc#1073748).

From sle-updates at lists.suse.com Thu Jan 16 09:58:15 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:58:15 +0100 (CET)
Subject: SUSE-CU-2019:717-1: Recommended update of caasp/v4/pause
Message-ID: <20200116165815.66EE5F796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/pause
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:717-1
Container Tags : caasp/v4/pause:1.0.0 , caasp/v4/pause:1.0.0-rev1 , caasp/v4/pause:1.0.0-rev1-build1.5
Severity : low
Type : recommended
References :
-----------------------------------------------------------------
The container caasp/v4/pause was updated.
The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 10:02:14 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:02:14 +0100 (CET)
Subject: SUSE-CU-2019:738-1: Security update of caasp/v4/velum
Message-ID: <20200116170214.5317EF79E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/velum
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:738-1
Container Tags : caasp/v4/velum:4.0.0 , caasp/v4/velum:4.0.0-rev1 , caasp/v4/velum:4.0.0-rev1-build1.2
Severity : important
Type : security
References : 1000396 1000662 1000677 1001299 1001367 1001790 1001912 1002975 1003577 1003579 1003580 1003714 1003800 1003978 1004094 1004289 1004477 1004995 1004995 1004995 1005023 1005063 1005386 1005404 1005544 1005555 1005558 1005562 1005564 1005566 1005569 1005581 1005582 1005591 1005633 1005634 1005635 1005637 1005638 1005640 1005642 1005643 1005645 1005646 1006175 1006372 1006469 1006539 1006687 1006690 1007725 1007726 1007851 1008253 1008318 1008325 1009269 1009470 1009528 1009532 1009745 1009905 1009966 1010220 1010675 1010845 1010880 1011797 1012266 1012390 1012523 1012591 1012818 1012973 1013286 1013882 1013930 1013989 1014471 1014560 1014566 1014863 1014863 1014873 1015254 1015332 1015515 1015565 1015943 1017034 1017497 1018214 1018399 1018808 1019276 1019470 1019637 1019637 1019900 1020108 1020143 1020601 1020868 1020868 1020873 1020875 1020877 1020878 1020882 1020884 1020885 1020890 1020891 1020894 1020896 1020976 1020976 1021641 1022014 1022047 1022085 1022086 1022271 1022428 1022428 1023283 1023895 1024676 1024677 1024989 1025176 1025398 1025560 1025598 1025630 1025886 1026224 1026567 1026825 1027079 1027379 1027688 1027712 1027908 1027925 1028263 1028281 1028304 1028304 1028305 1028410 1028485 1028610 1028723 1029102 1029102 1029183 1029516 1029516 1029523 1029561 1029691 1029725 1029900 1030290 1030417 1030621
1031355 1031643 1031702 1031998 1032029 1032029 1032309 1032445 1032538 1032660 1032680 1033238 1033238 1033855 1034563 1034565 1034911 1035062 1035371 1035386 1035445 1035818 1035905 1035988 1036304 1036659 1036736 1036873 1036873 1037120 1037120 1037396 1037824 1037930 1038189 1038194 1038444 1038740 1038865 1038865 1038984 1038984 1039034 1039063 1039063 1039064 1039064 1039066 1039066 1039069 1039069 1039099 1039099 1039276 1039357 1039661 1039661 1039941 1040043 1040153 1040153 1040258 1040258 1040614 1040614 1040800 1040942 1040942 1040968 1040968 1040968 1041764 1042326 1042392 1042781 1043059 1043218 1043237 1043333 1043333 1043580 1043615 1043758 1043758 1043900 1043900 1044095 1044107 1044175 1044337 1044840 1044887 1044894 1045092 1045290 1045290 1045384 1045472 1045628 1045735 1045735 1045735 1045943 1045987 1046173 1046173 1046268 1046417 1046607 1046659 1046750 1046750 1046853 1046853 1046858 1046858 1047008 1047178 1047233 1047236 1047240 1047247 1047379 1047785 1047785 1047937 1047964 1047965 1048315 1048510 1048605 1048605 1048645 1048679 1048715 1049344 1049399 1049404 1049417 1049825 1050152 1050467 1050767 1050943 1051042 1051465 1051626 1051643 1051644 1051791 1052261 1053137 1053188 1053409 1053595 1053671 1054028 1054088 1054171 1054591 1054671 1055446 1055641 1055825 1055920 1056058 1056126 1056127 1056127 1056128 1056128 1056129 1056129 1056131 1056131 1056132 1056132 1056136 1056136 1056437 1056449 1056450 1056995 1057150 1057188 1057452 1057634 1057640 1057662 1057721 1057724 1057900 1057974 1058695 1058722 1058722 1058783 1059065 1059723 1060653 1060738 1061384 1061667 1061876 1062303 1062561 1062591 1062592 1063051 1063249 1063269 1063675 1063824 1063910 1064101 1064115 1064397 1064455 1064455 1064455 1064569 1064571 1064580 1064583 1064999 1065083 1065274 1065276 1065363 1065448 1065448 1066156 1066242 1066422 1066500 1067312 1067605 1067891 1068251 1068565 1068565 1068588 1068708 1068967 1069222 1069226 1069468 1069934 1070209 1070428 
1070431 1070431 1070851 1070878 1070905 1070958 1071224 1071311 1071319 1071321 1071466 1071558 1071568 1071698 1071905 1071906 1072665 1072947 1072947 1073231 1073275 1073299 1073313 1073879 1073990 1074254 1074293 1074293 1074621 1074687 1075449 1075724 1075743 1075801 1075804 1075978 1076192 1076308 1076415 1076505 1076696 1076810 1076832 1076909 1077001 1077635 1077692 1077787 1077787 1077925 1077993 1078358 1078431 1078662 1078662 1078806 1078813 1079036 1079334 1079991 1080078 1080382 1080740 1080740 1081170 1081294 1081556 1081725 1082004 1082216 1082216 1082216 1082233 1082233 1082233 1082234 1082234 1082234 1082318 1082485 1082485 1083158 1083290 1083926 1083927 1083946 1084300 1084300 1084521 1084524 1084532 1084626 1084812 1084812 1084842 1085062 1085432 1086247 1086602 1086690 1086729 1086785 1086825 1087102 1087323 1087550 1087550 1087930 1088052 1088279 1088601 1088681 1088705 1088769 1088890 1088921 1089039 1089533 1089640 1089761 1089761 1089884 1090518 1090765 1090766 1090766 1090766 1090785 1090944 1091265 1091624 1091677 1092098 1092100 1092100 1092413 1092640 1092640 1093753 1093851 1094121 1094150 1094154 1094161 1094222 1095096 1095148 1096282 1096282 1096282 1096718 1096718 1096745 1096803 1097158 1097410 1097410 1097410 1097624 1097665 1098592 1099310 1099310 1099310 1099452 1099847 1099982 1100028 1101040 1101246 1101349 1101470 1101591 1102046 1102429 1102564 1103910 1104700 1104789 1105031 1105166 1105236 1106019 1106197 1106914 1106923 1107430 1107640 1107941 1108835 1109197 1109252 1109877 1110445 1110661 1111251 1111278 1111965 1112024 1112209 1112758 1112858 1113083 1113100 1113117 1113125 1113534 1113554 1113632 1113652 1113660 1113665 1113742 1114981 1115518 1115929 1117355 1119971 1120323 1120402 1120489 1121450 360993 408814 556664 658010 661410 675317 825385 829717 830805 874665 887877 888308 889138 889990 892431 894610 896202 896435 897422 898003 899524 899871 900275 900276 901202 901845 901924 902364 902367 902851 903543 905326 
905483 906574 906574 906803 906858 907074 907456 907809 908128 908516 909418 909695 910252 910252 910253 910253 911228 911363 911662 912229 912415 912715 912922 913209 913650 913651 915402 915422 915693 915846 917152 917169 918089 918090 918346 919274 920057 920057 920386 921070 922534 923241 923498 924525 924687 924960 924960 926412 926826 926974 927184 927556 927607 927608 927746 927993 928246 928292 928533 928740 928841 929919 930176 931932 932232 932894 933029 933288 933288 933336 933878 933878 934119 934333 934654 934689 934920 936032 936050 936227 936227 936676 937787 937823 938343 938657 939392 939460 940315 941249 942865 942865 943457 943457 944903 945340 945842 945899 948227 948568 949520 952151 952347 952474 952625 953130 953532 953659 953807 953831 954002 954661 955382 955753 955770 957174 957566 957566 957567 957567 957598 957598 957600 957600 958369 958562 958789 959495 959693 960273 960820 960837 960837 961935 961964 962765 962983 962996 963041 963290 963448 963806 963810 963921 963942 964063 964468 965322 965780 965902 966220 967026 967082 967728 967838 968771 969569 970260 970287 970295 970882 971377 971741 971741 972127 972127 972331 972433 973073 974691 975875 978055 979261 979436 979441 979629 979906 980391 980486 980904 981114 981616 982303 982303 982833 983206 983215 983216 983754 984858 984906 984958 985217 986216 986216 986251 986630 986783 986935 987720 987887 988184 988311 989788 989831 990189 990190 990191 990538 990890 991389 991390 991391 991443 991616 991746 991901 992966 994157 994794 995936 996511 996821 997043 997420 997682 997830 998309 998760 998893 998906 999735 999878 CVE-2012-6702 CVE-2013-6435 CVE-2014-3591 CVE-2014-3707 CVE-2014-3710 CVE-2014-4975 CVE-2014-8080 CVE-2014-8090 CVE-2014-8116 CVE-2014-8116 CVE-2014-8117 CVE-2014-8117 CVE-2014-8118 CVE-2014-8150 CVE-2014-8964 CVE-2014-8964 CVE-2014-9087 CVE-2014-9112 CVE-2014-9130 CVE-2014-9447 CVE-2014-9620 CVE-2014-9621 CVE-2014-9653 CVE-2015-0247 CVE-2015-0837 CVE-2015-1283 
CVE-2015-1572 CVE-2015-1606 CVE-2015-1607 CVE-2015-1782 CVE-2015-1855 CVE-2015-2059 CVE-2015-2325 CVE-2015-2325 CVE-2015-2327 CVE-2015-2327 CVE-2015-2328 CVE-2015-2328 CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148 CVE-2015-3153 CVE-2015-3210 CVE-2015-3210 CVE-2015-3217 CVE-2015-3217 CVE-2015-3238 CVE-2015-3900 CVE-2015-4792 CVE-2015-4802 CVE-2015-4807 CVE-2015-4815 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4913 CVE-2015-5073 CVE-2015-5073 CVE-2015-5276 CVE-2015-5969 CVE-2015-7511 CVE-2015-7551 CVE-2015-7995 CVE-2015-8380 CVE-2015-8380 CVE-2015-8381 CVE-2015-8381 CVE-2015-8382 CVE-2015-8382 CVE-2015-8383 CVE-2015-8383 CVE-2015-8384 CVE-2015-8384 CVE-2015-8385 CVE-2015-8385 CVE-2015-8386 CVE-2015-8386 CVE-2015-8387 CVE-2015-8387 CVE-2015-8388 CVE-2015-8388 CVE-2015-8389 CVE-2015-8389 CVE-2015-8390 CVE-2015-8390 CVE-2015-8391 CVE-2015-8391 CVE-2015-8392 CVE-2015-8392 CVE-2015-8393 CVE-2015-8393 CVE-2015-8394 CVE-2015-8394 CVE-2015-8395 CVE-2015-8395 CVE-2015-8853 CVE-2015-8948 CVE-2015-9019 CVE-2016-0505 CVE-2016-0546 CVE-2016-0596 CVE-2016-0597 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 CVE-2016-0616 CVE-2016-0634 CVE-2016-0640 CVE-2016-0641 CVE-2016-0642 CVE-2016-0643 CVE-2016-0644 CVE-2016-0646 CVE-2016-0647 CVE-2016-0648 CVE-2016-0649 CVE-2016-0650 CVE-2016-0651 CVE-2016-0655 CVE-2016-0666 CVE-2016-0668 CVE-2016-0718 CVE-2016-0755 CVE-2016-0787 CVE-2016-10156 CVE-2016-1238 CVE-2016-1283 CVE-2016-1283 CVE-2016-1839 CVE-2016-2037 CVE-2016-2047 CVE-2016-2339 CVE-2016-2381 CVE-2016-3191 CVE-2016-3191 CVE-2016-3477 CVE-2016-3492 CVE-2016-3521 CVE-2016-3615 CVE-2016-4574 CVE-2016-4579 CVE-2016-4658 CVE-2016-4738 CVE-2016-5131 CVE-2016-5300 CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 CVE-2016-5440 CVE-2016-5584 CVE-2016-5616 CVE-2016-5624 CVE-2016-5626 CVE-2016-5629 CVE-2016-6185 CVE-2016-6252 CVE-2016-6252 CVE-2016-6252 CVE-2016-6261 CVE-2016-6262 CVE-2016-6263 CVE-2016-6313 
CVE-2016-6318 CVE-2016-6662 CVE-2016-6663 CVE-2016-6664 CVE-2016-7055 CVE-2016-7141 CVE-2016-7167 CVE-2016-7440 CVE-2016-7543 CVE-2016-8283 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-9063 CVE-2016-9318 CVE-2016-9401 CVE-2016-9586 CVE-2016-9597 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 CVE-2017-0663 CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254 CVE-2017-1000257 CVE-2017-1000366 CVE-2017-1000408 CVE-2017-1000409 CVE-2017-10268 CVE-2017-10378 CVE-2017-10684 CVE-2017-10684 CVE-2017-10685 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-11462 CVE-2017-12132 CVE-2017-12133 CVE-2017-12424 CVE-2017-12837 CVE-2017-12883 CVE-2017-13728 CVE-2017-13728 CVE-2017-13729 CVE-2017-13729 CVE-2017-13730 CVE-2017-13730 CVE-2017-13731 CVE-2017-13731 CVE-2017-13732 CVE-2017-13732 CVE-2017-13733 CVE-2017-13733 CVE-2017-13734 CVE-2017-14062 CVE-2017-15088 CVE-2017-15412 CVE-2017-15670 CVE-2017-15671 CVE-2017-15804 CVE-2017-15908 CVE-2017-16997 CVE-2017-17740 CVE-2017-18078 CVE-2017-18258 CVE-2017-18269 CVE-2017-3238 CVE-2017-3243 CVE-2017-3244 CVE-2017-3257 CVE-2017-3258 CVE-2017-3265 CVE-2017-3291 CVE-2017-3302 CVE-2017-3308 CVE-2017-3309 CVE-2017-3312 CVE-2017-3313 CVE-2017-3317 CVE-2017-3318 CVE-2017-3453 CVE-2017-3456 CVE-2017-3464 CVE-2017-3636 CVE-2017-3641 CVE-2017-3653 CVE-2017-3731 CVE-2017-3732 CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 CVE-2017-5029 CVE-2017-5130 CVE-2017-5969 CVE-2017-6512 CVE-2017-7375 CVE-2017-7376 CVE-2017-7407 CVE-2017-7435 CVE-2017-7436 CVE-2017-7436 CVE-2017-7500 CVE-2017-7500 CVE-2017-7501 CVE-2017-7501 CVE-2017-7526 CVE-2017-7555 CVE-2017-8804 CVE-2017-8816 CVE-2017-8817 CVE-2017-8872 CVE-2017-9047 CVE-2017-9047 CVE-2017-9048 CVE-2017-9048 CVE-2017-9049 CVE-2017-9049 CVE-2017-9050 CVE-2017-9050 CVE-2017-9217 CVE-2017-9217 CVE-2017-9233 CVE-2017-9269 CVE-2017-9269 CVE-2017-9287 CVE-2017-9445 CVE-2017-9445 
CVE-2017-9526 CVE-2018-0495 CVE-2018-0495 CVE-2018-0495 CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-0739 CVE-2018-1000001 CVE-2018-1000001 CVE-2018-1000007 CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000301 CVE-2018-1049 CVE-2018-1122 CVE-2018-1122 CVE-2018-1123 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1124 CVE-2018-1125 CVE-2018-1125 CVE-2018-1126 CVE-2018-1126 CVE-2018-12015 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-19211 CVE-2018-20217 CVE-2018-2562 CVE-2018-2612 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668 CVE-2018-2755 CVE-2018-2761 CVE-2018-2766 CVE-2018-2767 CVE-2018-2771 CVE-2018-2781 CVE-2018-2782 CVE-2018-2784 CVE-2018-2787 CVE-2018-2813 CVE-2018-2817 CVE-2018-2819 CVE-2018-5407 CVE-2018-5729 CVE-2018-5730 CVE-2018-6003 CVE-2018-6485 CVE-2018-6551 CVE-2018-6797 CVE-2018-6797 CVE-2018-6797 CVE-2018-6798 CVE-2018-6798 CVE-2018-6798 CVE-2018-6913 CVE-2018-6913 CVE-2018-6913 CVE-2018-7169 CVE-2018-7685 CVE-2018-7738 CVE-2018-7738 CVE-2018-9251
-----------------------------------------------------------------
The container caasp/v4/velum was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.
This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).
This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Type: security
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:4-1
Released: Wed Dec 3 15:57:25 2014
Summary: Security update for libyaml
Type: security
Severity: moderate
References: 907809,CVE-2014-9130
Description:
This libyaml update fixes the following security issue:
- bnc#907809: assert failure when processing wrapped strings (CVE-2014-9130)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Type: security
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:34-1
Released: Fri Dec 19 15:16:12 2014
Summary: Security update for ruby2.1
Type: security
Severity: moderate
References: 902851,905326,CVE-2014-8080,CVE-2014-8090
Description:
This ruby update fixes the following two security issues:
- bnc#902851: fix CVE-2014-8080: Denial Of Service XML Expansion
- bnc#905326: fix CVE-2014-8090: Another Denial Of Service XML Expansion
- Enable tests to run during the build. This way we can compare the results on different builds.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Type: security
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name
sizes (CVE-2014-8118) - bnc#906803: Create files with mode 0 (CVE-2013-6435) - bnc#892431: Honor --noglob in install mode - bnc#911228: Fix noglob patch, it broke files with space. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:64-1 Released: Thu Jan 15 23:21:45 2015 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 912229 Description: This update for e2fsprogs fixes a 'use after free' issue in fsck(8). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:76-1 Released: Fri Jan 30 15:01:03 2015 Summary: Security update for elfutils Type: security Severity: moderate References: 911662,CVE-2014-9447 Description: elfutils was updated to fix one security issue. This security issue was fixed: - Directory traversal vulnerability in the read_long_names function (CVE-2014-9447). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:55-1 Released: Tue Feb 3 14:51:17 2015 Summary: Recommended update for curl Type: recommended Severity: moderate References: 913209 Description: curl was updated to fix problems when operating in FIPS mode. This patch reenables following methods: - NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5) - HTTP Digest authentication (allowing its usage of MD5) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:121-1 Released: Tue Feb 3 16:30:16 2015 Summary: Recommended update for pam Type: recommended Severity: low References: 912922 Description: This update for pam fixes updating of NIS passwords. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:69-1 Released: Mon Feb 23 11:53:02 2015 Summary: Recommended update for timezone Type: recommended Severity: important References: 912415,915422,915693 Description: This update provides the latest timezone information (2015a) for your system, including the following changes: - Add positive leap second on 2015-06-30 23:59:60 UTC, as per IERS Bulletin C 49. (bsc#912415) - Mexico state Quintana Roo (America/Cancun) shifts from Central Time with DST to Eastern Time without DST on 2015-02-01 02:00. (bsc#915422) - Chile (America/Santiago) will retain old DST as standard time from April, also Pacific/Easter, and Antarctica/Palmer. This release also includes changes affecting past time stamps, documentation and some minor bug fixes. For a comprehensive list, refer to the release announcement from ICANN: - [http://mm.icann.org/pipermail/tz-announce/2015-January/000028.html](http://mm.icann.org/pipermail/tz-announce/2015-January/000028.html) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:157-1 Released: Tue Mar 10 09:01:41 2015 Summary: Security update for libssh2_org Type: security Severity: moderate References: 921070,CVE-2015-1782 Description: The ssh client library libssh2_org was updated to fix a security issue. CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet, that could lead to a buffer overread and to a crash of the libssh2_org using application. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:275-1 Released: Wed Mar 18 18:21:44 2015 Summary: Recommended update for procps Type: recommended Severity: low References: 901202,908516 Description: This update for procps provides the following fixes: - Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202) - Fix handling of arguments to -s option in free(1). 
(bsc#908516) - Correct package name in descriptions: procps, not props. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:146-1 Released: Mon Mar 23 11:45:22 2015 Summary: Recommended update for timezone Type: recommended Severity: low References: 923498 Description: This update provides the latest timezone information (2015b) for your system, including the following changes: - Mongolia will start observing DST again in 2015, from the last Saturday in March to the last Saturday in September. - Palestine will start DST on March 28, not March 27. - Fix integer overflow bug in reference 'mktime' implementation. This release also includes changes affecting past time stamps and documentation. For a comprehensive list, refer to the release announcement from ICANN: - http://mm.icann.org/pipermail/tz-announce/2015-March/000029.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:169-1 Released: Wed Apr 15 02:34:35 2015 Summary: Recommended update for timezone Type: recommended Severity: low References: 927184 Description: This update provides the latest timezone information (2015c) for your system, including the following changes: - Egypt's spring-forward transition in 2015 will be on Thursday, April 30 at 24:00, not Friday, April 24 at 00:00. This release also includes changes affecting past time stamps and documentation. For a comprehensive list, refer to the release announcement from ICANN: - http://mm.icann.org/pipermail/tz-announce/2015-April/000030.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:174-1 Released: Sat Apr 25 15:13:10 2015 Summary: Recommended update for timezone Type: recommended Severity: low References: 928246 Description: This update adjusts Egypt's time zone definitions, canceling DST from 2015 onwards. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:235-1 Released: Wed Apr 29 19:05:01 2015 Summary: Security update for curl Type: security Severity: moderate References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153 Description: curl was updated to fix five security issues. The following vulnerabilities were fixed: * CVE-2015-3143: curl could re-use NTML authenticateds connections * CVE-2015-3144: curl could access memory out of bounds with zero length host names * CVE-2015-3145: curl cookie parser could access memory out of boundary * CVE-2015-3148: curl could treat Negotiate as not connection-oriented * CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:296-1 Released: Thu Jun 11 15:46:59 2015 Summary: Security update for libgcrypt Type: security Severity: moderate References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591 Description: This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements. libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591) FIPS 140-2 related changes: * The library performs its self-tests when the module is complete (the -hmac file is also installed). * Added a NIST 800-90a compliant DRBG. * Change DSA key generation to be FIPS 186-4 compliant. * Change RSA key generation to be FIPS 186-4 compliant. * Enable HW support in fips mode (bnc#896435) * Make DSA selftest use 2048 bit keys (bnc#898003) * Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202) * Various CAVS testing improvements. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:283-1 Released: Tue Jun 16 15:02:53 2015 Summary: Recommended update for timezone Type: recommended Severity: low References: 928841,934654 Description: This update provides the latest timezone information (2015e) for your system, including the following changes: - Morocco will suspend DST from 2015-06-14 03:00 through 2015-07-19 02:00, not 06-13 and 07-18. - Assume Cayman Islands will observe DST starting next year, using US rules. - Fix post-install script to overwrite the temporary file when attempting to create /etc/localtime as a hard link. (bsc#928841) This release also includes changes affecting past time stamps and documentation. For a comprehensive list, refer to the release announcements from ICANN: http://mm.icann.org/pipermail/tz-announce/2015-June/000032.html http://mm.icann.org/pipermail/tz-announce/2015-April/000031.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:366-1 Released: Mon Jun 29 10:13:43 2015 Summary: Security update for e2fsprogs Type: security Severity: low References: 915402,918346,CVE-2015-0247,CVE-2015-1572 Description: Two security issues were fixed in e2fsprogs: Security issues fixed: * CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...). * CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346 ) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:361-1 Released: Wed Jul 15 08:26:27 2015 Summary: Recommended update for gcc48, libffi48, libgcj48 Type: recommended Severity: moderate References: 889990,917169,919274,922534,924525,924687,927993,930176,934689 Description: The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements. It includes various bug fixes found by our customers: * Fixes bogus integer overflow in constant expression. 
[bnc#934689] * Fixes ICE with atomics on aarch64. [bnc#930176] * Includes fix for -imacros bug. [bnc#917169] * Includes fix for incorrect -Warray-bounds warnings. [bnc#919274] * Includes updated -mhotpatch for s390x. [bnc#924525] * Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687] * Includes patches to allow building against ISL 0.14. * Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990] * Fix a reload issue on S390 (GCC PR66306). * Avoid accessing invalid memory when passing aggregates by value. [bnc#922534] ----------------------------------------------------------------- Advisory ID: SUSE-OU-2015:422-1 Released: Tue Jul 28 06:25:51 2015 Summary: The Toolchain module containing GCC 5.2 Type: optional Severity: low References: 926412,936050,937823 Description: This update contains the release of the new SUSE Linux Enterprise Toolchain module. Its major feature is the GNU Compiler Collection 5.2, please see https://gcc.gnu.org/gcc-5/changes.html for important changes. This update also includes a version update of binutils to 2.25 release branch to provide features and bugfixes. Following features have been added to binutils: * IBM zSeries z13 hardware support (fate#318036, bnc#936050). * various IBM Power8 improvements (fate#318238, bnc#926412). * AVX512 support on the Intel EM64T platform (fate#318520). The GNU Debugger gdb was updated to version 7.9.1 bringing various features and lots of bugfixes. Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:416-1 Released: Tue Aug 11 18:18:42 2015 Summary: Recommended update for timezone Type: recommended Severity: low References: 941249 Description: This update provides the latest timezone information (2015f) for your system, including the following changes: - North Korea switches to +0830 on 2015-08-15. The abbreviation remains 'KST'. 
- Uruguay no longer observes DST. - Moldova starts and ends DST at 00:00 UTC, not at 01:00 UTC. This release also includes changes affecting past time stamps, documentation and some minor code fixes. For a comprehensive list, refer to the release announcement from ICANN: http://mm.icann.org/pipermail/tz-announce/2015-August/000033.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:500-1 Released: Mon Aug 17 11:36:33 2015 Summary: Security update for libgcrypt Type: security Severity: moderate References: 920057,938343,CVE-2015-0837 Description: This update fixes the following issues: Security: * Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057) Bugfixes: * don't drop privileges when locking secure memory (bsc#938343) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:530-1 Released: Wed Aug 26 03:07:07 2015 Summary: Recommended update for sed Type: recommended Severity: low References: 933029 Description: This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:568-1 Released: Wed Sep 16 13:30:12 2015 Summary: Recommended update for grep Type: recommended Severity: low References: 920386 Description: This update for grep fixes undefined behaviour with -P and non-utf-8 data. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:682-1 Released: Fri Oct 2 19:17:57 2015 Summary: Recommended update for timezone Type: recommended Severity: low References: 948227,948568 Description: This update provides the latest timezone information (2015g) for your system, including the following changes: - Turkey's 2015 fall-back transition is scheduled for Nov. 8, not Oct. 25. - Norfolk moves from +1130 to +1100 on 2015-10-04 at 02:00 local time. - Fiji's 2016 fall-back transition is scheduled for January 17, not 24. - Fort Nelson, British Columbia will not fall back on 2015-11-01. It has effectively been on MST (-0700) since it advanced its clocks on 2015-03-08. Add new zone America/Fort_Nelson. This release also includes changes affecting past time stamps, documentation and some minor code fixes. For a comprehensive list, refer to the release announcement from ICANN: http://mm.icann.org/pipermail/tz/2015-October/022728.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:776-1 Released: Fri Oct 30 08:06:58 2015 Summary: Recommended update for libyaml Type: recommended Severity: low References: 952625 Description: This update adjusts libyaml's packaging to require pkg-config at build time. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:922-1 Released: Tue Dec 22 08:44:25 2015 Summary: Security update for gpg2 Type: security Severity: moderate References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607 Description: The gpg2 package was updated to fix the following security and non security issues: - CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089). - CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090). - bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:869-1 Released: Wed Dec 23 10:01:16 2015 Summary: Recommended update for libksba Type: security Severity: moderate References: 926826 Description: The libksba package was updated to fix the following security issues: - Fixed an integer overflow, an out of bounds read and a stack overflow issues (bsc#926826). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:862-1 Released: Wed Dec 23 17:40:51 2015 Summary: Recommended update for acl Type: recommended Severity: moderate References: 945899 Description: This update for acl provides the following fixes: - Fix segmentation fault of getfacl -e on overly long group name. - Make sure that acl_from_text() always sets errno when it fails. - Fix memory and resource leaks in getfacl. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:46-1 Released: Fri Jan 8 12:37:34 2016 Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret Type: recommended Severity: moderate References: 932232 Description: This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode. The various GNOME libraries and tool have been changed to use the default libgcrypt allocators. GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:183-1 Released: Mon Feb 1 11:32:26 2016 Summary: Security update for mariadb Type: security Severity: moderate References: 937787,957174,958789,CVE-2015-4792,CVE-2015-4802,CVE-2015-4807,CVE-2015-4815,CVE-2015-4826,CVE-2015-4830,CVE-2015-4836,CVE-2015-4858,CVE-2015-4861,CVE-2015-4870,CVE-2015-4913,CVE-2015-5969 Description: MariaDB has been updated to version 10.0.22, which brings fixes for many security issues and other improvements. 
The following CVEs have been fixed: - 10.0.22: CVE-2015-4802, CVE-2015-4807, CVE-2015-4815, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4870, CVE-2015-4913, CVE-2015-4792 - Fix information leak via mysql-systemd-helper script. (CVE-2015-5969, bsc#957174) For a comprehensive list of changes refer to the upstream Release Notes and Change Log documents: - https://kb.askmonty.org/en/mariadb-10022-release-notes/ - https://kb.askmonty.org/en/mariadb-10022-changelog/ ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:201-1 Released: Thu Feb 4 15:51:22 2016 Summary: Security update for curl Type: security Severity: moderate References: 934333,936676,962983,962996,CVE-2016-0755 Description: This update for curl fixes the following issues: - CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983) The following non-security bugs were fixed: - bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time The following tracked bugs only affect the test suite: - bsc#962996: Expired cookie in test 46 caused test failures - bsc#934333: Curl test suite was not run, is now enabled during build ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:252-1 Released: Fri Feb 12 14:58:06 2016 Summary: Recommended update for timezone Type: recommended Severity: low References: 963921 Description: This update provides the latest timezone information (2016a) for your system, including the following changes: - America/Cayman will not observe daylight saving this year. - Asia/Chita switches from +0800 to +0900 on 2016-03-27 at 02:00. - Asia/Tehran now has DST predictions for the year 2038 and later. - America/Metlakatla switched from PST all year to AKST/AKDT on 2015-11-01 at 02:00. 
- America/Santa_Isabel has been removed, and replaced with a backward compatibility link to America/Tijuana. - Asia/Karachi's two transition times in 2002 were off by a minute. This release also includes changes affecting past time stamps, documentation and some minor code fixes. For a comprehensive list, refer to the release announcement from ICANN: http://mm.icann.org/pipermail/tz/2016-January/023106.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:371-1 Released: Thu Mar 3 15:58:18 2016 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 960820 Description: This update for insserv-compat fixes the name of the ntpd service. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:413-1 Released: Fri Mar 11 10:17:57 2016 Summary: Security update for libssh2_org Type: security Severity: moderate References: 933336,961964,967026,CVE-2016-0787 Description: This update for libssh2_org fixes the following issues: Security issue fixed: - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. A feature was added: - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed: - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:462-1 Released: Wed Mar 16 18:17:59 2016 Summary: Recommended update for libcap Type: recommended Severity: low References: 967838 Description: This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:490-1 Released: Mon Mar 21 16:45:13 2016 Summary: Recommended update for timezone Type: recommended Severity: low References: 971377 Description: This update provides the latest timezone information (2016b) for your system, including the following changes: - New zones Europe/Astrakhan and Europe/Ulyanovsk for Astrakhan and Ulyanovsk Oblasts, Russia, both of which will switch from +03 to +04 on 2016-03-27 at 02:00 local time. - New zone Asia/Barnaul for Altai Krai and Altai Republic, Russia, which will switch from +06 to +07 on the same date and local time. - Asia/Sakhalin moves from +10 to +11 on 2016-03-27 at 02:00. - As a trial of a new system that needs less information to be made up, the new zones use numeric time zone abbreviations like '+04' instead of invented abbreviations like 'ASTT'. - Haiti will not observe DST in 2016. - Palestine's spring-forward transition on 2016-03-26 is at 01:00, not 00:00. - tzselect's diagnostics and checking, and checktab.awk's checking, have been improved. - tzselect now tests Julian-date TZ settings more accurately. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:510-1 Released: Thu Mar 24 15:40:28 2016 Summary: Recommended update for timezone Type: recommended Severity: low References: 972433 Description: This update provides the latest timezone information (2016c) for your system, including the following changes: - Azerbaijan no longer observes DST (Asia/Baku) - Chile reverts from permanent to seasonal DST This release also includes changes affecting past time stamps and documentation. 
For a comprehensive list, please refer to the release announcement from ICANN: http://mm.icann.org/pipermail/tz-announce/2016-March/000037.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:543-1 Released: Fri Apr 1 18:44:16 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 970882 Description: This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:565-1 Released: Wed Apr 6 16:26:42 2016 Summary: Security update for gcc5 Type: security Severity: moderate References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276 Description: The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements. The following security issue has been fixed: - Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842) The following non-security issues have been fixed: - Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220) - Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468) - Fix HTM built-ins on PowerPC. (bsc#955382) - Fix libgo certificate lookup. (bsc#953831) - Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460) - Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002) - Revert accidental libffi ABI breakage on aarch64. (bsc#968771) - On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586. - Add experimental File System TS library. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:636-1 Released: Mon Apr 18 09:18:19 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 965902,CVE-2015-7511 Description: libgcrypt was updated to fix one security issue. This security issue was fixed: - CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:643-1 Released: Tue Apr 19 09:23:39 2016 Summary: Recommended update for bzip2 Type: recommended Severity: low References: 970260 Description: This update for bzip2 fixes the following issues: - Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:663-1 Released: Fri Apr 22 15:33:50 2016 Summary: Recommended update for timezone Type: recommended Severity: low References: 975875 Description: This update provides the latest timezone information (2016d) for your system, including the following changes: - Venezuela (America/Caracas) switches from -0430 to -04 on 2016-05-01 at 02:30. - Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00. - New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers Tomsk Oblast, Russia, which switches from +06 to +07 on 2016-05-29 at 02:00. This release also includes changes affecting past time stamps. For a comprehensive list, please refer to the release announcement from ICANN: http://mm.icann.org/pipermail/tz/2016-April/023563.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:689-1 Released: Wed Apr 27 20:08:42 2016 Summary: Recommended update for ruby2.1 Type: recommended Severity: low References: 973073 Description: This update for ruby2.1 brings performance improvements of Ruby on the IBM POWER platform. 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Type: recommended
Severity: important
References: 974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released: Thu May 19 22:38:01 2016
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 915846
Description:
This update for curl fixes the following issue:
- Fix 'Network is unreachable' error when IPv6 is not available but IPv4 is. This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 979629
Description:
This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing the fips pattern (bsc#979629)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released: Tue Jun 7 09:48:12 2016
Summary: Security update for expat
Type: security
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:
Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released: Tue Jun 7 10:58:37 2016
Summary: Security update for libksba
Type: security
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)
Also adding reliability fixes from v1.3.4.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:963-1
Released: Fri Jun 17 16:56:18 2016
Summary: Security update for mariadb
Type: security
Severity: important
References: 961935,963806,963810,970287,970295,980904,CVE-2016-0505,CVE-2016-0546,CVE-2016-0596,CVE-2016-0597,CVE-2016-0598,CVE-2016-0600,CVE-2016-0606,CVE-2016-0608,CVE-2016-0609,CVE-2016-0616,CVE-2016-0640,CVE-2016-0641,CVE-2016-0642,CVE-2016-0643,CVE-2016-0644,CVE-2016-0646,CVE-2016-0647,CVE-2016-0648,CVE-2016-0649,CVE-2016-0650,CVE-2016-0651,CVE-2016-0655,CVE-2016-0666,CVE-2016-0668,CVE-2016-2047
Description:
mariadb was updated to version 10.0.25 to fix 25 security issues.
These security issues were fixed:
- CVE-2016-0505: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Options (bsc#980904).
- CVE-2016-0546: Unspecified vulnerability allowed local users to affect confidentiality, integrity, and availability via unknown vectors related to Client (bsc#980904).
- CVE-2016-0596: Unspecified vulnerability allowed remote authenticated users to affect availability via vectors related to DML (bsc#980904).
- CVE-2016-0597: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Optimizer (bsc#980904).
- CVE-2016-0598: Unspecified vulnerability allowed remote authenticated users to affect availability via vectors related to DML (bsc#980904).
- CVE-2016-0600: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to InnoDB (bsc#980904).
- CVE-2016-0606: Unspecified vulnerability allowed remote authenticated users to affect integrity via unknown vectors related to encryption (bsc#980904).
- CVE-2016-0608: Unspecified vulnerability allowed remote authenticated users to affect availability via vectors related to UDF (bsc#980904).
- CVE-2016-0609: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to privileges (bsc#980904).
- CVE-2016-0616: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Optimizer (bsc#980904).
- CVE-2016-0640: Unspecified vulnerability allowed local users to affect integrity and availability via vectors related to DML (bsc#980904).
- CVE-2016-0641: Unspecified vulnerability allowed local users to affect confidentiality and availability via vectors related to MyISAM (bsc#980904).
- CVE-2016-0642: Unspecified vulnerability allowed local users to affect integrity and availability via vectors related to Federated (bsc#980904).
- CVE-2016-0643: Unspecified vulnerability allowed local users to affect confidentiality via vectors related to DML (bsc#980904).
- CVE-2016-0644: Unspecified vulnerability allowed local users to affect availability via vectors related to DDL (bsc#980904).
- CVE-2016-0646: Unspecified vulnerability allowed local users to affect availability via vectors related to DML (bsc#980904).
- CVE-2016-0647: Unspecified vulnerability allowed local users to affect availability via vectors related to FTS (bsc#980904).
- CVE-2016-0648: Unspecified vulnerability allowed local users to affect availability via vectors related to PS (bsc#980904).
- CVE-2016-0649: Unspecified vulnerability allowed local users to affect availability via vectors related to PS (bsc#980904).
- CVE-2016-0650: Unspecified vulnerability allowed local users to affect availability via vectors related to Replication (bsc#980904).
- CVE-2016-0651: Unspecified vulnerability allowed local users to affect availability via vectors related to Optimizer (bsc#980904).
- CVE-2016-0655: Unspecified vulnerability allowed local users to affect availability via vectors related to InnoDB (bsc#980904).
- CVE-2016-0666: Unspecified vulnerability allowed local users to affect availability via vectors related to Security: Privileges (bsc#980904).
- CVE-2016-0668: Unspecified vulnerability allowed local users to affect availability via vectors related to InnoDB (bsc#980904).
- CVE-2016-2047: The ssl_verify_server_cert function in sql-common/client.c did not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allowed man-in-the-middle attackers to spoof SSL servers via a '/CN=' string in a field in a certificate, as demonstrated by '/OU=/CN=bar.com/CN=foo.com' (bsc#963806).
These non-security issues were fixed:
- bsc#961935: Remove the leftovers of the 'openSUSE' string in the '-DWITH_COMMENT' and 'DCOMPILATION_COMMENT' options
- bsc#970287: Remove the ha_tokudb.so plugin and the tokuft_logprint and tokuftdump binaries, as the TokuDB storage engine requires the jemalloc library, which isn't present in SLE-12-SP1
- bsc#970295: Fix the leftovers of the 'logrotate.d/mysql' string in the logrotate error message. Occurrences of this string were changed to 'logrotate.d/mariadb'
- bsc#963810: Add 'log-error' and 'secure-file-priv' configuration options
  * add '/etc/my.cnf.d/error_log.conf', which specifies 'log-error = /var/log/mysql/mysqld.log'. If no path is set, the error log is written to '/var/lib/mysql/$HOSTNAME.err', which is not picked up by logrotate.
  * add '/etc/my.cnf.d/secure_file_priv.conf', which specifies that 'LOAD DATA', 'SELECT ... INTO' and 'LOAD FILE()' will only work with files in the directory specified by the 'secure-file-priv' option (='/var/lib/mysql-files').
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:967-1
Released: Mon Jun 20 12:05:16 2016
Summary: Recommended update for timezone
Type: recommended
Severity: low
References: 982833
Description:
This update provides the latest timezone information (2016e) for your system, including the following changes:
- Africa/Cairo observes DST in 2016 from July 7 to the end of October.
This release also includes changes affecting past time stamps. For a comprehensive list, please refer to the release announcement from ICANN: http://mm.icann.org/pipermail/tz-announce/2016-June/000039.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 981616
Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1026-1
Released: Wed Jul 6 17:20:17 2016
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 987720
Description:
This update provides the latest timezone information (2016f) for your system, including the following changes:
- Egypt (Africa/Cairo) DST change 2016-07-07 cancelled (bsc#987720)
- Asia/Novosibirsk switches from +06 to +07 on 2016-07-24 02:00
- Asia/Novokuznetsk and Asia/Novosibirsk now use numeric time zone abbreviations instead of invented ones
- Europe/Minsk's 1992-03-29 spring-forward transition was at 02:00, not 00:00
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released: Thu Jul 7 11:50:47 2016
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 986935
Description:
This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Type: security
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize: reject invalid UTF-8 (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Type: security
Severity: moderate
References: 992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in the GECOS parser (bsc#992966, CVE-2016-6318)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1252-1
Released: Mon Aug 22 15:12:43 2016
Summary: Recommended update for timezone
Type: recommended
Severity: low
References: 988184
Description:
This update for timezone adds a positive leap second at the end of 2016-12-31.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1308-1
Released: Fri Sep 2 11:52:13 2016
Summary: Security update for mariadb
Type: security
Severity: moderate
References: 984858,985217,986251,991616,CVE-2016-3477,CVE-2016-3521,CVE-2016-3615,CVE-2016-5440
Description:
This update for mariadb fixes the following issues:
- CVE-2016-3477: Unspecified vulnerability in subcomponent parser [bsc#991616]
- CVE-2016-3521: Unspecified vulnerability in subcomponent types [bsc#991616]
- CVE-2016-3615: Unspecified vulnerability in subcomponent dml [bsc#991616]
- CVE-2016-5440: Unspecified vulnerability in subcomponent rbr [bsc#991616]
- mariadb failing test main.bootstrap [bsc#984858]
- left over 'openSUSE' comments in MariaDB on SLE12 GM and SP1 [bsc#985217]
- remove unnecessary conditionals from specfile
- add '--ignore-db-dir=lost+found' option to rc.mysql-multi in order not to misinterpret the lost+found directory as a database [bsc#986251]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Type: security
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Type: optional
Severity: low
References: 983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.
Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.
Generic Optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit, which is common with link-time optimization.
- Value range propagation now assumes that the 'this' pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.
C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings,
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.
C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.
C++ improvements:
- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.
libstdc++ improvements:
- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro has less run-time overhead than the full _GLIBCXX_DEBUG checks and doesn't affect the library ABI, so it can be enabled per translation unit.
Fortran improvements:
- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.
Architecture improvements:
- AArch64 received a lot of improvements.
IA-32/x86-64 improvements:
- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.
PowerPC / PowerPC64 / RS6000 improvements:
- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
  - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
  - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
  - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
  - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
  - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
  - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
  - -mpower9-minmax: Reserved for future development.
  - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.
S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance, e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible with the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)
Also the following bug was fixed:
- Fix a performance issue (bsc#991746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1397-1
Released: Tue Sep 27 17:49:10 2016
Summary: Security update for mariadb
Type: security
Severity: important
References: 949520,998309,CVE-2016-6662
Description:
This update for mariadb to 10.0.27 fixes the following issues:
Security issue fixed:
* CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as the mysql (or even root) user. (bsc#998309)
* release notes:
  * https://kb.askmonty.org/en/mariadb-10027-release-notes
* changelog:
  * https://kb.askmonty.org/en/mariadb-10027-changelog
Bugs fixed:
- Make ORDER BY optimization functions take into account multiple equalities.
(bsc#949520)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1454-1
Released: Mon Oct 10 16:25:51 2016
Summary: Recommended update for timezone
Type: recommended
Severity: low
References: 997830
Description:
This update provides the latest timezone information (2016g) for your system, including the following changes:
- Turkey will remain on UTC+03 after 2016-10-30. (bsc#997830)
- Antarctica and nautical time zones now use numeric time zone abbreviations instead of obsolete alphanumeric ones.
- Renamed Asia/Rangoon to Asia/Yangon.
This release also includes changes affecting past time stamps and documentation.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released: Wed Nov 2 12:07:51 2016
Summary: Security update for curl
Type: security
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released: Mon Nov 7 20:01:31 2016
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1002975
Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in the %files section. (bsc#1002975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1621-1
Released: Tue Nov 8 16:20:57 2016
Summary: Recommended update for timezone
Type: recommended
Severity: low
References: 1007725,1007726
Description:
This update provides the latest timezone information (2016i) for your system, including the following changes:
- Pacific/Tongatapu begins DST on 2016-11-06 at 02:00, ending on 2017-01-15 at 03:00. (bsc#1007725)
- Northern Cyprus is now +03 year round, causing a split in Cyprus time zones starting 2016-10-30 at 04:00. This creates a zone Asia/Famagusta. (bsc#1007726)
- Antarctica/Casey switched from +08 to +11 on 2016-10-22.
- Asia/Gaza and Asia/Hebron end DST on 2016-10-29 at 01:00, not 2016-10-21 at 00:00.
- Asia/Colombo now uses numeric time zone abbreviations.
This release also includes changes affecting past time stamps and documentation.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1006469,958369,979436
Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. (bsc#958369)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1717-1
Released: Mon Nov 28 16:24:41 2016
Summary: Recommended update for mariadb
Type: security
Severity: important
References: 1001367,1003800,1004477,1005555,1005558,1005562,1005564,1005566,1005569,1005581,1005582,1006539,1008318,990890,CVE-2016-3492,CVE-2016-5584,CVE-2016-5616,CVE-2016-5624,CVE-2016-5626,CVE-2016-5629,CVE-2016-6663,CVE-2016-7440,CVE-2016-8283
Description:
This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318):
Security fixes:
- CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582)
- CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581)
- CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569)
- CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566)
- CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564)
- CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562)
- CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558)
- CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555)
- CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367)
Bugfixes:
- mysql_install_db can't find data files (bsc#1006539)
- mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800)
- Remove useless mysql at default.service (bsc#1004477)
- Replace all occurrences of the string '@sysconfdir@' with '/etc' as it wasn't expanded properly (bsc#990890)
- Notable changes:
  * XtraDB updated to 5.6.33-79.0
  * TokuDB updated to 5.6.33-79.0
  * InnoDB updated to 5.6.33
  * Performance Schema updated to 5.6.33
- Release notes and upstream changelog:
  * https://kb.askmonty.org/en/mariadb-10028-release-notes
  * https://kb.askmonty.org/en/mariadb-10028-changelog
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1734-1
Released: Thu Dec 1 10:34:07 2016
Summary: Recommended update for timezone
Type: recommended
Severity: low
References: 1011797
Description:
This update provides the latest timezone information (2016j) for your system, including the following changes:
- Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00. This change introduces a new zone Europe/Saratov split from Europe/Volgograd.
This release also includes changes affecting past time stamps. For a comprehensive list, please refer to the release announcement from ICANN:
http://mm.icann.org/pipermail/tz-announce/2016-November/000044.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1744-1
Released: Fri Dec 2 11:42:41 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively, please be aware that this is an update to a new version. Please make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.

These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex().
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues:
- CVE-2015-8381: Heap overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c (PCRE) and pcre2_compile.c (PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
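Every entry in this list follows the same layout (a dashed separator, then Advisory ID, Released, Summary, Type, Severity, References and Description), and the References field mixes Bugzilla numbers with CVE ids. The practical question a reviewer asks of such a list is "does this patch history cover CVE X?". The following parser is an added example, not SUSE tooling; the two-entry SAMPLE is constructed from the zlib and cpio advisories on this page, and the field names and date format are taken from the entries as shown here.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample in the layout of the advisory list on this page:
# two abbreviated entries (zlib and cpio); the real list is much longer.
SAMPLE = """\
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released: Mon Jan 2 08:35:08 2017
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9840, CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released: Thu Feb 2 18:22:37 2017
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.
- CVE-2016-2037: out-of-bounds write via a crafted cpio file (bsc#963448).
"""

SEPARATOR = re.compile(r"^-{20,}\s*$", re.MULTILINE)
HEADER = re.compile(r"^(Advisory ID|Released|Summary|Type|Severity|References):[ \t]*(.*)$",
                    re.MULTILINE)
CVE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Advisory:
    advisory_id: str
    released: Optional[datetime]
    summary: str
    update_type: str
    severity: str
    bugs: Set[str] = field(default_factory=set)   # Bugzilla numbers from References
    cves: Set[str] = field(default_factory=set)   # CVE ids from References
    description: str = ""


def _parse_released(value: str) -> Optional[datetime]:
    # "Mon Jan 2 08:35:08 2017" as printed in the list; None if missing or odd
    try:
        return datetime.strptime(value.strip(), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None


def parse_advisories(text: str) -> List[Advisory]:
    """Split the list on its dashed separators and parse each advisory block."""
    out = []
    for block in SEPARATOR.split(text):
        headers: Dict[str, str] = {k: v.strip() for k, v in HEADER.findall(block)}
        if "Advisory ID" not in headers:
            continue                                   # preamble or empty chunk
        refs = [r.strip() for r in headers.get("References", "").split(",") if r.strip()]
        _, _, desc = block.partition("Description:")   # everything after the label
        out.append(Advisory(
            advisory_id=headers["Advisory ID"],
            released=_parse_released(headers.get("Released", "")),
            summary=headers.get("Summary", ""),
            update_type=headers.get("Type", ""),
            severity=headers.get("Severity", ""),
            bugs={r for r in refs if r.isdigit()},
            cves={r for r in refs if CVE.match(r)},
            description=desc.strip(),
        ))
    return out


def advisories_fixing(advisories: List[Advisory], cve: str) -> List[str]:
    """Advisory IDs whose References field names the CVE, in list order."""
    return [a.advisory_id for a in advisories if cve in a.cves]


def unpatched(advisories: List[Advisory], required: List[str]) -> List[str]:
    """CVEs from `required` that no advisory in the list claims to fix."""
    fixed: Set[str] = set()
    for a in advisories:
        fixed |= a.cves
    return sorted(set(required) - fixed)


if __name__ == "__main__":
    advs = parse_advisories(SAMPLE)
    for a in advs:
        print(a.advisory_id, a.update_type, a.severity, sorted(a.cves))
    print("still unpatched:", unpatched(advs, ["CVE-2016-2037", "CVE-2016-9318"]))
```

The parser keys only on the References field, which is the structured part of each entry; descriptions are kept verbatim for human reading. Note that a CVE appearing in References means the vendor claims a fix in that update, so for a bug the vendor chose not to fix (CVE-2016-9318 in the libxml2 entry below) the id is listed although no fix shipped, and such cases still need a manual read of the description.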
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1782-1
Released: Fri Dec 9 13:35:02 2016
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1001790,1004289,1005404,1006372,1006690,989831,991443
Description:
This update for systemd provides the following fixes:
- Allow to redirect confirmation messages to a different console. (bsc#1006690)
- Do not bind a mount unit to a device if it was from mountinfo. (bsc#989831)
- Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289)
- Don't emit space usage message right after opening the persistent journal. (bsc#991443)
- Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. (bsc#1006372)
- Document that *KeyIgnoreInhibited only apply to a subset of locks.
- Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404)
- Revert 'kbd-model-map: add more mappings offered by Yast'.
- Don't busy loop when we get a notification message we can't process.
- Rename kbd-model-map-extra into kbd-model-map.legacy.
- Add kbd-model-map-extra file which contains the additional maps needed by YaST.
- Drop localfs.service: unused and not needed anymore.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1827-1
Released: Thu Dec 15 12:41:10 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
Identical to SUSE-SU-2016:1744-1 above: the same update of pcre to version 8.39 (bsc#972127), fixing the same list of CVEs and carrying the same non-security changes (JIT compiler and performance improvements, Unicode 7.0.0 data tables).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1863-1
Released: Wed Dec 21 10:41:35 2016
Summary: Recommended update for pth
Type: recommended
Severity: low
References: 1013286
Description:
This update adds the 32-bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released: Mon Jan 2 08:35:08 2017
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9842: Undefined left shift of negative number (bsc#1003580)
- CVE-2016-9840, CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
- Incompatible declarations for external linkage function deflate (bsc#1003577)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:6-1
Released: Tue Jan 3 15:01:58 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538
Description:
This update for systemd fixes the following issues:
- core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
- fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Ship kbd-model-map with the correct contents. (bsc#1015515)
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
- tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
- nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
- systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:32-1
Released: Mon Jan 9 11:50:42 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 994794
Description:
This update for dirmngr enables support for daemon mode.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:47-1
Released: Wed Jan 11 11:42:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1018214,1018399
Description:
This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:98-1
Released: Thu Jan 19 10:17:55 2017
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 998906
Description:
This update for kmod fixes a rare race condition while loading modules.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:149-1
Released: Wed Jan 25 09:17:08 2017
Summary: Security update for systemd
Type: security
Severity: important
References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:
This update for systemd fixes the following issues:

This security issue was fixed:
- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).

These non-security issues were fixed:
- Fix permissions set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries shown by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released: Thu Feb 2 18:22:37 2017
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.

This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

This non-security issue was fixed:
- bsc#1020108: Always use 32-bit CRC to prevent checksum errors for files greater than 32MB
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:192-1
Released: Fri Feb 3 18:46:05 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash (bsc#1005544)
* Fix NULL dereference in xpointer.c when in recovery mode (bsc#1014873)
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:207-1
Released: Tue Feb 7 13:33:08 2017
Summary: Security update for mariadb
Type: security
Severity: important
References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428,CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Description:
This mariadb version update to 10.0.29 fixes the following issues:
- CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896)
- CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894)
- CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete fix for CVE-2016-6664 (bsc#1020873)
- CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884)
- CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885)
- CVE-2017-3258: unspecified vulnerability in the DDL component (bsc#1020875)
- CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878)
- CVE-2017-3244: unspecified vulnerability affecting the DML component (bsc#1020877)
- CVE-2017-3243: unspecified vulnerability affecting the Charsets component (bsc#1020891)
- CVE-2017-3238: unspecified vulnerability affecting the Optimizer component (bsc#1020882)
- CVE-2016-6664: Root Privilege Escalation (bsc#1008253)
- Applications using the client library for MySQL (libmysqlclient.so) had a use-after-free issue that could cause the applications to crash (bsc#1022428)
- notable changes:
  * XtraDB updated to 5.6.34-79.1
  * TokuDB updated to 5.6.34-79.1
  * Innodb updated to 5.6.35
  * Performance Schema updated to 5.6.35
- Release notes and changelog:
  * https://kb.askmonty.org/en/mariadb-10029-release-notes
  * https://kb.askmonty.org/en/mariadb-10029-changelog
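The libxml2 advisory SUSE-SU-2017:192-1 above leaves two things to the application: CVE-2016-9318 (external entity handling) is deliberately not patched, and CVE-2016-9597 shows that nesting depth must be bounded by the consumer. The following is an added example of what "appropriate actions" look like in an application that must parse untrusted XML; it is not SUSE's or libxml2's code and does not use the -noxxe flag, but applies the same policy with Python's bundled expat parser: refuse any DOCTYPE or entity declaration, refuse external entity references, and cap element nesting. BENIGN, XXE and DEEP are constructed sample documents.

```python
import xml.parsers.expat


class UntrustedXMLError(ValueError):
    """Raised when an untrusted document uses a construct we refuse to process."""


def parse_untrusted_xml(data, max_depth=256):
    """Parse XML bytes from an untrusted source and return element names in
    document order.  Policy (this example's choice, not a library default):
      * any DOCTYPE or entity declaration aborts parsing, which blocks XXE
        and entity-expansion bombs before any entity is ever defined;
      * external entity references are refused rather than fetched;
      * nesting deeper than max_depth aborts parsing, bounding recursion and
        stack use for the "many opening tags" shape of CVE-2016-9597.
    """
    parser = xml.parsers.expat.ParserCreate()
    names = []
    depth = [0]

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UntrustedXMLError("DOCTYPE declarations are not accepted: %s" % name)

    def on_entity_decl(*_):
        raise UntrustedXMLError("entity declarations are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        return 0            # 0 = refuse; expat then reports an error instead of fetching

    def on_start(name, attrs):
        depth[0] += 1
        if depth[0] > max_depth:
            raise UntrustedXMLError("element nesting deeper than %d" % max_depth)
        names.append(name)

    def on_end(name):
        depth[0] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.Parse(data, True)    # exceptions raised in handlers propagate out of Parse()
    return names


def scan(data, max_depth=256):
    """Classify a document: ('accepted', names), ('rejected', why) or ('malformed', why)."""
    try:
        return "accepted", parse_untrusted_xml(data, max_depth)
    except UntrustedXMLError as e:
        return "rejected", str(e)
    except xml.parsers.expat.ExpatError as e:
        return "malformed", str(e)


# Constructed sample documents.
BENIGN = b"<root><a/><b><c/></b></root>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b"<foo>&xxe;</foo>")
DEEP = b"<x>" * 300         # opening tags only, never closed


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("deep", DEEP)):
        print(label, scan(doc, max_depth=100))
```

Rejecting at the DOCTYPE handler is the important design choice: it fires before any entity is defined, so the parser never holds a reference it might later resolve, and it makes the policy independent of whether the underlying library resolves external entities by default. The depth limit is enforced by the application rather than trusted to the library's internal recursion checks, which is exactly the gap CVE-2016-9597 describes.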
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:209-1
Released: Tue Feb 7 17:00:47 2017
Summary: Recommended update for libseccomp
Type: recommended
Severity: low
References: 1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1
Released: Wed Feb 8 13:07:24 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released: Fri Feb 10 15:39:32 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641).

Security issues fixed:
- CVE-2016-7055: The x86_64 optimized Montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)

Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfiles.d files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed with older systemd versions (bsc#1019276)
- Properly require logrotate as it is needed for the dirmngr configs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:354-1
Released: Thu Mar 9 11:31:22 2017
Summary: Recommended update for timezone
Type: recommended
Severity: low
References: 1024676,1024677
Description:
This update provides the latest timezone information (2017a) for your system, including the following changes:
- Mongolia no longer observes DST. (bsc#1024676)
- Chile's Region of Magallanes moves from -04/-03 to -03 year-round starting 2017-05-13 23:00. Split from America/Santiago creating a new zone America/Punta_Arenas. Also affects Antarctica/Palmer. (bsc#1024677)
- Fixes to historical time stamps: Spain, Ecuador, Atyrau, Oral.
- Switch to numeric, or commonly used time zone abbreviations.
- zic(8) no longer mishandles some transitions in January 2038.
- date and strftime now cause %z to generate '-0000' instead of '+0000' when the UT offset is zero and the time zone abbreviation begins with '-'.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:365-1
Released: Fri Mar 10 15:16:59 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1006175
Description:
This update for sg3_utils fixes the following issue:
- Add udev rules to handle legacy CCISS devices (bsc#1006175)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:389-1
Released: Thu Mar 16 14:16:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:
This update for systemd provides the following fixes:
- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:439-1
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Type: recommended
Severity: low
References: 1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF-8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:457-1
Released: Fri Mar 24 12:35:18 2017
Summary: Recommended update for timezone
Type: recommended
Severity: low
References: 1030417
Description:
This update provides the latest timezone information (2017b) for your system, including the following changes:
- Haiti resumed observance of DST in 2017.
- Liberia changed from -004430 to +00 on 1972-01-07, not 1972-05-01.
- Use 'MMT' to abbreviate Liberia's time zone before 1972.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:458-1
Released: Fri Mar 24 13:49:49 2017
Summary: Recommended update for fdupes
Type: recommended
Severity: low
References: 1005386
Description:
This update for fdupes provides the following fixes and enhancements:
- Add new options: --nohidden, --permissions, --order, --reverse, --immediate.
- Speed up file comparison.
- Fix bug where fdupes fails to consistently ignore hardlinks, depending on file processing order, when the F_CONSIDERHARDLINKS flag is not set.
- Use the tty for interactive input instead of regular stdin. This is to allow feeding filenames via stdin in future versions of fdupes without breaking the interactive deletion feature.
- Sort the output of fdupes by filename to make it deterministic for parallel builds. (bsc#1005386)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released: Fri Mar 24 21:58:07 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package. (bsc#1015943)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:464-1
Released: Mon Mar 27 15:50:51 2017
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1007851,1029725,1029900
Description:
This update for glibc fixes a potential segmentation fault in libpthread:
- Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:580-1
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Type: recommended
Severity: important
References: 1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types (bsc#1028410)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:609-1
Released: Tue Apr 18 11:28:14 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:624-1 Released: Thu Apr 20 08:35:35 2017 Summary: Security update for ruby2.1 Type: security Severity: important References: 1014863,1018808,887877,909695,926974,936032,959495,986630,CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339 Description: This ruby2.1 update to version 2.1.9 fixes the following issues: Security issues fixed: - CVE-2016-2339: heap overflow vulnerability in the Fiddle::Function.new'initialize' (bsc#1018808) - CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495) - CVE-2015-3900: hostname validation does not work when fetching gems or making API requests (bsc#936032) - CVE-2015-1855: Ruby'a OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames (bsc#926974) - CVE-2014-4975: off-by-one stack-based buffer overflow in the encodes() function (bsc#887877) Bugfixes: - SUSEconnect doesn't handle domain wildcards in no_proxy environment variable properly (bsc#1014863) - Segmentation fault after pack & ioctl & unpack (bsc#909695) - Ruby:HTTP Header injection in 'net/http' (bsc#986630) ChangeLog: - http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:643-1 Released: Tue Apr 25 19:11:45 2017 Summary: Recommended update for ruby2.1 Type: recommended Severity: important References: 1014863,1035988 Description: This update for ruby2.1 fixes a regression introduced by a previous update that was intended to fix insufficient support for domain wildcards in the $no_proxy environment variable. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:732-1 Released: Wed May 10 14:03:43 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1030621 Description: This update for procps fixes the following issues: - Command w(1) with option -n doesn't work. (bsc#1030621) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:735-1 Released: Wed May 10 15:43:46 2017 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1036736,986783 Description: This update for gpg2 provides the following fixes: - Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736) - Initialize the trustdb before import attempt. (bsc#986783) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:751-1 Released: Thu May 11 17:14:30 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770 Description: This update for systemd provides the following fixes: - logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355) - importd: Support SUSE style checksums. (fate#322054) - journal: Don't remove leading spaces. (bsc#1033855) - Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565) - hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220) - logind: Restart logind on package update only on SLE12 distros. (bsc#1032660) - core: Treat masked files as 'unchanged'. (bsc#1032538) - units: Move Before deps for quota services to remote-fs.target. (bsc#1028263) - udev: Support predictable ifnames on vio buses. (bsc#1029183) - udev: Add a persistent rule for ibmvnic devices. (bsc#1029183) - units: Do not throw a warning in emergency mode if plymouth is not installed. 
(bsc#1025398) - core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610) - vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691) - udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886) - Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:793-1 Released: Tue May 16 15:40:43 2017 Summary: Security update for libxslt Type: security Severity: moderate References: 1005591,1035905,934119,952474,CVE-2015-7995,CVE-2015-9019,CVE-2016-4738,CVE-2017-5029 Description: This update for libxslt fixes the following issues: - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function xsltStylePreCompute' in preproc.c could cause a type confusion leading to DoS. (bsc#952474) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:794-1 Released: Tue May 16 15:41:09 2017 Summary: Security update for bash Type: security Severity: moderate References: 1010845,1035371,CVE-2016-9401 Description: This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:795-1
Released:    Tue May 16 15:41:28 2017
Summary:     Security update for mariadb
Type:        security
Severity:    important
References:  1020868,1020890,1020976,1022428,1034911,996821,CVE-2017-3302,CVE-2017-3313
Description:
This update for mariadb fixes the following issues:
- update to MariaDB 10.0.30 GA
  * notable changes:
    * XtraDB updated to 5.6.35-80.0
    * TokuDB updated to 5.6.35-80.0
    * PCRE updated to 8.40
    * MDEV-11027: better InnoDB crash recovery progress reporting
    * MDEV-11520: improvements to how InnoDB data files are extended
    * Improvements to InnoDB startup/shutdown to make it more robust
    * MDEV-11233: fix for FULLTEXT index crash
    * MDEV-6143: MariaDB Linux binary tarballs will now always untar to directories that match their filename
  * release notes and changelog:
    * https://kb.askmonty.org/en/mariadb-10030-release-notes
    * https://kb.askmonty.org/en/mariadb-10030-changelog
  * fixes the following CVEs:
    CVE-2017-3313: unspecified vulnerability affecting the MyISAM component [bsc#1020890]
    CVE-2017-3302: Use after free in libmysqlclient.so [bsc#1022428]
- set the default umask to 077 in mysql-systemd-helper [bsc#1020976]
- [bsc#1034911] - tracker bug
  * fixes also [bsc#1020868]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:799-1
Released:    Wed May 17 00:21:13 2017
Summary:     Recommended update for glibc
Type:        recommended
Severity:    low
References:  1026224,1035445
Description:
This update for glibc introduces basic support for IBM POWER9 systems. Additionally, an improper assert in dlclose() has been removed.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:857-1
Released:    Wed May 24 15:42:31 2017
Summary:     Recommended update for mariadb
Type:        recommended
Severity:    important
References:  1020976,1038740
Description:
This update for mariadb fixes permissions for /var/run/mysql in mysql-systemd-helper that were incorrectly set to 700 instead of 755 due to umask. This prevented non-root users from connecting to the database.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:865-1
Released:    Wed May 24 16:23:20 2017
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1015565,1037824,934920,CVE-2015-3238
Description:
This update for pam fixes the following issues:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:873-1
Released:    Fri May 26 16:19:47 2017
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1009532,960273
Description:
This update for e2fsprogs provides the following fixes:
- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:877-1
Released:    Mon May 29 15:11:48 2017
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    low
References:  1031998
Description:
This update for cryptsetup provides the following fix:
- Don't use a zero-filled empty key, because in FIPS mode the two XTS key parts mustn't be equivalent (bsc#1031998)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:891-1
Released:    Tue May 30 22:28:21 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:907-1
Released:    Thu Jun 1 14:23:36 2017
Summary:     Recommended update for shadow
Type:        recommended
Severity:    low
References:  1003978,1031643
Description:
This update for shadow fixes the following issues:
- Dynamically added users via pam_group are not listed in the groups databases but are still valid. (bsc#1031643)
- useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID range was iterated to find an available UID/GID. This could take a long time over a network device. Instead, find an available UID/GID locally, and then check only those values over the network. (bsc#1003978)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:918-1
Released:    Tue Jun 6 12:35:44 2017
Summary:     Recommended update for libsemanage, selinux-policy
Type:        recommended
Severity:    moderate
References:  1020143,1032445,1035818,1038189
Description:
This update for libsemanage, selinux-policy fixes the following issues:
- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:939-1
Released:    Mon Jun 12 10:56:22 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:
* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:959-1
Released:    Wed Jun 14 14:38:11 2017
Summary:     Recommended update for gcc5
Type:        recommended
Severity:    low
References:  1043580
Description:
This update for gcc5 fixes the version of libffi in its pkg-config configuration file.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:962-1
Released:    Wed Jun 14 16:33:07 2017
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:
Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)
Non security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause a server crash (bsc#972331)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released:    Mon Jun 19 14:57:41 2017
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the FIPS selftests; this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released:    Mon Jun 19 17:19:44 2017
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:
- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357]
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released:    Fri Jun 23 16:38:55 2017
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1038194
Description:
This update for e2fsprogs provides the following fixes:
- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released:    Mon Jun 26 08:12:24 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer dereference in xmlDumpElementContent (bsc#1024989)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released:    Mon Jun 26 13:22:26 2017
Summary:     Recommended update for libsemanage, policycoreutils
Type:        recommended
Severity:    low
References:  1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:
- Show version numbers of modules where they are available (bsc#1043237)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released:    Fri Jun 30 10:54:06 2017
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    low
References:  1045943
Description:
This update for dirmngr provides the following fix:
- Change logrotate from Requires to Recommends (bsc#1045943)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released:    Fri Jun 30 15:36:17 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released:    Tue Jul 4 16:13:55 2017
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:
Security issue fixed:
- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)
The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released:    Thu Jul 6 11:37:18 2017
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released:    Fri Jul 7 11:23:20 2017
Summary:     Recommended update for ncurses
Type:        security
Severity:    important
References:  1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)
Bugfixes:
- Drop patch ncurses-5.9-environment.dif, as the YaST2 ncurses GUI does not need it anymore and it also causes bug bsc#1000662
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released:    Fri Jul 14 17:20:26 2017
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connections (bsc#1031702)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released:    Wed Jul 19 11:12:51 2017
Summary:     Security update for systemd, dracut
Type:        security
Severity:    important
References:  1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:
Security issues fixed:
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)
Non-security issues fixed in systemd:
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
Non-security issues fixed in dracut:
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft). (bsc#1037120)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1222-1
Released:    Wed Jul 26 17:15:18 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1034563,1039941
Description:
This update for procps provides the following fixes:
- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1245-1
Released:    Thu Aug 3 10:43:15 2017
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445
Description:
This update for systemd provides several fixes and enhancements.
Security issues fixed:
- CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)
The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1247-1
Released:    Thu Aug 3 10:44:44 2017
Summary:     Security update for mariadb
Type:        security
Severity:    important
References:  1048715,963041,CVE-2017-3308,CVE-2017-3309,CVE-2017-3453,CVE-2017-3456,CVE-2017-3464
Description:
This MariaDB update to version 10.0.31 GA fixes the following issues:
Security issues fixed:
- CVE-2017-3308: Subcomponent: Server: DML: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715)
- CVE-2017-3309: Subcomponent: Server: Optimizer: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715)
- CVE-2017-3453: Subcomponent: Server: Optimizer: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715)
- CVE-2017-3456: Subcomponent: Server: DML: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715)
- CVE-2017-3464: Subcomponent: Server: DDL: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715)
Bug fixes:
- switch from 'Restart=on-failure' to 'Restart=on-abort' in mysql.service in order to follow upstream. It also fixes a hanging mysql-systemd-helper when mariadb fails (e.g. because of misconfiguration) (bsc#963041)
- XtraDB updated to 5.6.36-82.0
- TokuDB updated to 5.6.36-82.0
- Innodb updated to 5.6.36
- Performance Schema updated to 5.6.36
Release notes and changelog:
- https://kb.askmonty.org/en/mariadb-10031-release-notes
- https://kb.askmonty.org/en/mariadb-10031-changelog
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1268-1
Released:    Mon Aug 7 10:09:19 2017
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364
Description:
This update for openssl fixes the following issues, including fixes for our ongoing FIPS 140-2 evaluation:
- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address the SWEET32 problem (bsc#1027908)
- Use the getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy, to comply with FIPS 140-2 IG 7.14 (bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environment variable (bsc#1028723)
- s_client sent an empty client certificate (bsc#1028281): Add back the certificate initialization set_cert_key_stuff() which was removed in a previous update.
- Fix a bug in XTS key handling (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1279-1
Released:    Mon Aug 7 14:46:40 2017
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1316-1
Released:    Thu Aug 10 13:54:27 2017
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1014471,1026825,1044840,938657
Description:
This update for cyrus-sasl provides the following fixes:
- Fix SASL GSSAPI mechanism acceptor wrongly returning zero maxbufsize
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message (bsc#1044840)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1326-1
Released:    Fri Aug 11 16:59:04 2017
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1330-1
Released:    Mon Aug 14 18:41:29 2017
Summary:     Recommended update for sed
Type:        recommended
Severity:    low
References:  954661
Description:
This update for sed provides the following fixes:
- Don't terminate with a segmentation fault if closing the last file descriptor fails. (bsc#954661)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2017:1333-1
Released:    Tue Aug 15 17:59:30 2017
Summary:     Optional update for libverto
Type:        optional
Severity:    low
References:  1029561
Description:
This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1334-1
Released:    Tue Aug 15 20:09:03 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1048679,874665
Description:
This update for systemd fixes the following issues:
- compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464)
- timesyncd: Don't use the compiled-in list if FallbackNTP has been configured explicitly.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1335-1
Released:    Wed Aug 16 11:24:21 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1051643,1051644,CVE-2017-1000100,CVE-2017-1000101
Description:
This update for curl fixes the following issues:
- CVE-2017-1000100: TFTP sends more than buffer size and it could lead to a denial of service (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1347-1
Released:    Fri Aug 18 11:03:57 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    important
References:  1053409
Description:
This update for procps fixes the following issues:
- Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1349-1
Released:    Fri Aug 18 12:31:07 2017
Summary:     Recommended update for lua51
Type:        recommended
Severity:    low
References:  1051626
Description:
This update for lua51 provides the following fixes:
- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1390-1
Released:    Fri Aug 25 15:14:27 2017
Summary:     Security update for libzypp
Type:        security
Severity:    important
References:  1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
yast2-pkg-bindings:
- Do not crash when the repository URL is not defined. (bsc#1043218)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1419-1
Released:    Wed Aug 30 15:38:22 2017
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:
- CVE-2016-9063: Possible integer overflow inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1439-1
Released:    Fri Sep 1 15:31:05 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1045384,1045987,1046268,1047379,1048605
Description:
This update for systemd fixes the following issues:
- Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1447-1
Released:    Mon Sep 4 15:38:20 2017
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    important
References:  1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)
zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1450-1
Released:    Mon Sep 4 16:36:07 2017
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  1035062,944903
Description:
This update for insserv-compat fixes the following issues:
- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1453-1
Released:    Mon Sep 4 21:23:50 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:
- libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null, which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in the healthcheck sanity test to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659)
- dlsym returns the PLT address on s390x; dlopen libgcrypt20.so before calling dlsym (bsc#1047008)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1548-1
Released:    Fri Sep 15 18:19:12 2017
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:
- Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fall back to using sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1592-1
Released:    Tue Sep 26 17:38:03 2017
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1028485,1045628,978055,998893,999878
Description:
This update for lvm2 provides the following fixes:
- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1644-1
Released:    Mon Oct 9 07:52:24 2017
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.
This security issue was fixed:
- CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995)
These non-security issues were fixed:
- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1663-1
Released:    Tue Oct 10 12:05:09 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1043615,1046173
Description:
This update for dbus-1 provides the following fixes:
- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1703-1
Released:    Tue Oct 17 13:20:12 2017
Summary:     Recommended update for audit
Type:        recommended
Severity:    low
References:  1042781
Description:
This update for audit provides the following fix:
- Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1758-1
Released:    Mon Oct 23 08:47:47 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)
Bugs fixed:
- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1796-1
Released:    Fri Oct 27 21:25:06 2017
Summary:     Recommended update for pcre
Type:        recommended
Severity:    moderate
References:  1058722
Description:
This update for pcre fixes the following issues:
- Fixed the pcre stack frame size detection, because modern compilers break it by cloning and inlining the pcre match() function (bsc#1058722)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1797-1
Released:    Sat Oct 28 12:06:19 2017
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1028304,1048645,1060738
Description:
This update for permissions fixes the following issues:
- Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode.
(bsc#1028304) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1826-1 Released: Wed Nov 8 08:47:17 2017 Summary: Security update for krb5 Type: security Severity: important References: 1065274,CVE-2017-15088 Description: This update for krb5 fixes the following issues: Security issues fixed: - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1829-1 Released: Wed Nov 8 08:50:00 2017 Summary: Security update for shadow Type: security Severity: moderate References: 1023895,1052261,980486,CVE-2017-12424 Description: This update for shadow fixes several issues. This security issue was fixed: - CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261). These non-security issues were fixed: - bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings - bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1881-1 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Type: security Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 Description: The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. 
(bsc#913650) - CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651) - CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152) - CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253) - CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253) Version update to file version 5.22 * add indirect relative for TIFF/Exif * restructure elf note printing to avoid repeated messages * add note limit, suggested by Alexander Cherepanov * Bail out on partial pread()'s (Alexander Cherepanov) * Fix incorrect bounds check in file_printable (Alexander Cherepanov) * PR/405: ignore SIGPIPE from uncompress programs * change printable -> file_printable and use it in more places for safety * in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name. Version update to file version 5.21 * there was an incorrect free in magic_load_buffers() * there was an out of bounds read for some pascal strings * there was a memory leak in magic lists * don't interpret strings printed from files using the current locale, convert them to ascii format first. 
* there was an out of bounds read in elf note reads Update to file version 5.20 * recognize encrypted CDF documents * add magic_load_buffers from Brooks Davis * add thumbs.db support Additional non-security bug fixes: * Fixed a memory corruption during rpmbuild (bsc#1063269) * Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511) * file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1882-1 Released: Wed Nov 22 16:58:12 2017 Summary: Recommended update for timezone Type: recommended Severity: low References: 1064571 Description: This update provides the latest timezone information (2017c) for your system, including following changes: - Northern Cyprus switches from +03 to +02/+03 on 2017-10-29 - Fiji ends DST 2018-01-14, not 2018-01-21 - Namibia switches from +01/+02 to +02 on 2018-04-01 - Sudan switches from +03 to +02 on 2017-11-01 - Tonga likely switches from +13/+14 to +13 on 2017-11-05 - Turks and Caicos switches from -04 to -05/-04 on 2018-11-04 - Corrections to past DST transitions - Move oversized Canada/East-Saskatchewan to 'backward' file - zic(8) and the reference runtime now reject multiple leap seconds within 28 days of each other, or leap seconds before the Epoch. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1903-1 Released: Fri Nov 24 16:19:37 2017 Summary: Security update for perl Type: security Severity: moderate References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724) - CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721) - CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178) Bug fixes: - backport set_capture_string changes from upstream (bsc#999735) - reformat baselibs.conf as source validator workaround ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1916-1 Released: Fri Nov 24 20:15:01 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1043333,1059723 Description: This update for libgcrypt provides the following fix: - Fix a regression in a previous update which caused libgcrypt to leak file descriptors causing failures when starting rtkit-daemon. 
(bsc#1059723) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1917-1 Released: Mon Nov 27 13:32:07 2017 Summary: Optional update for gcc7 Type: recommended Severity: low References: 1056437,1062591,1062592 Description: The GNU Compiler GCC 7 is being added to the Toolchain Module by this update. New features: - Support for specific IBM Power9 processor instructions. - Support for specific IBM zSeries z14 processor instructions. - New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support. The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1965-1 Released: Thu Nov 30 12:48:45 2017 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410 Description: The Software Update Stack was updated to receive fixes and enhancements. libsolv: - Many fixes and improvements for cleandeps. - Always create dup rules for 'distupgrade' jobs. - Use recommends also for ordering packages. - Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065) - Expose solver_get_recommendations() in bindings. - Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations(). - Support 'without' and 'unless' dependencies. - Use same heuristic as upstream to determine source RPMs. - Fix memory leak in bindings. 
- Add pool_best_solvables() function. - Fix 64bit integer parsing from RPM headers. - Enable bzip2 and xz/lzma compression support. - Enable complex/rich dependencies on distributions with RPM 4.13+. libzypp: - Fix media handling in presence of a repo path prefix. (bsc#1062561) - Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561) - Remove unused legacy notify-message script. (bsc#1058783) - Support multiple product licenses in repomd. (fate#322276) - Propagate 'rpm --import' errors. (bsc#1057188) - Fix typos in zypp.conf. zypper: - Locale: Fix possible segmentation fault. (bsc#1064999) - Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384) - Unify '(add|modify)(repo|service)' property related arguments. - Fixed 'add' commands supporting to set only a subset of properties. - Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671) - Fix missing package names in installation report. (bsc#1058695) - Differ between unsupported and packages with unknown support status. (bsc#1057634) - Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1966-1 Released: Thu Nov 30 13:45:24 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249 Description: This update for systemd fixes the following issues: - unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. 
(bsc#1048605, bsc#1004995) - compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249) - compat-rules: Allow to specify the generation number through the kernel command line. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - tmpfiles: Remove old ICE and X11 sockets at boot. - tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472) - pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on. - shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595) - shutdown: Fix incorrect fscanf() result check. - shutdown: Don't remount,ro network filesystems. (bsc#1035386) - shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641) - bash-completion: Add support for --now. (bsc#1053137) - Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152) - Add a rule to teach hotplug to offline containers transparently. (bsc#1040800) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1968-1 Released: Thu Nov 30 19:49:33 2017 Summary: Recommended update for coreutils Type: recommended Severity: low References: 1026567,1043059,965780 Description: This update for coreutils provides the following fixes: - Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567) - Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059) - Significantly speed up df(1) for huge mount lists. 
(bsc#965780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1970-1 Released: Thu Nov 30 22:55:41 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058) - CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242) - Out of bounds read+crash in DES_fcrypt (bsc#1065363) - openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2021-1 Released: Fri Dec 8 10:11:04 2017 Summary: Recommended update for file Type: recommended Severity: moderate References: 1070878,1070958 Description: This update for file fixes detection of JPEG files. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2031-1 Released: Mon Dec 11 12:55:57 2017 Summary: Recommended update for gzip Type: recommended Severity: low References: 1067891 Description: This update for gzip provides the following fix: - Fix mishandling of leading zeros in the end-of-block code (bsc#1067891) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2036-1 Released: Wed Dec 13 16:34:21 2017 Summary: Recommended update for util-linux Type: recommended Severity: low References: 1039276,1040968,1055446,1066500 Description: This update for util-linux provides the following fixes: - Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968) - Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446) - Fix a lscpu failure on Sydney Amazon EC2 region. 
(bsc#1066500) - If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2097-1 Released: Sat Dec 16 01:59:00 2017 Summary: Security update for openssl Type: security Severity: important References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738 Description: This update for openssl fixes the following issues: - OpenSSL Security Advisory [07 Dec 2017] * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \'error state\' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. O penSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905) * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. 
Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2137-1 Released: Thu Dec 21 17:49:12 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1046173,1071698 Description: This update for dbus-1 provides the following fixes: - The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:4-1 Released: Tue Jan 2 15:58:20 2018 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1057640,1067605,1068708,1071466,969569 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Don't store duplicated locks. (bsc#969569) - Fix default for solver.allowNameChange. (bsc#1071466) - Don't filter procs with a different mnt namespace. (bsc#1068708) - Support repo variables in an URIs host:port component. (bsc#1057640, bsc#1067605) zypper: - Update manpage regarding custom repository variable fixes. 
(bsc#1057640, bsc#1067605) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:38-1 Released: Tue Jan 9 14:56:43 2018 Summary: Recommended update for kmod Type: recommended Severity: low References: 1070209 Description: This update for kmod provides the following fix: - Fix resolving .TOC. in modules on 4.4 and older kernel (bsc#1070209) - Fix kernel master build for ppc64le (bsc#1070209) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:55-1 Released: Fri Jan 12 09:45:49 2018 Summary: Security update for glibc Type: security Severity: important References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001 Description: This update for glibc fixes the following issues: - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. 
[bsc#1063675] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:64-1 Released: Fri Jan 12 16:19:28 2018 Summary: Security update for mariadb Type: security Severity: moderate References: 1039034,1049399,1049404,1049417,1054591,1072665,CVE-2017-3636,CVE-2017-3641,CVE-2017-3653 Description: This update for mariadb fixes several issues. These security issues were fixed: - CVE-2017-3636: Client programs had an unspecified vulnerability that could lead to unauthorized access and denial of service (bsc#1049399) - CVE-2017-3641: DDL unspecified vulnerability could lead to denial of service (bsc#1049404) - CVE-2017-3653: DML Unspecified vulnerability could lead to unauthorized database access (bsc#1049417) This non-security issues was fixed: - Add ODBC support for Connect engine (bsc#1039034) - Relax required version for mariadb-errormessages (bsc#1072665) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:86-1 Released: Wed Jan 17 09:38:17 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:88-1 Released: Wed Jan 17 14:41:17 2018 Summary: Security update for curl Type: security Severity: moderate References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226). - CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:90-1 Released: Wed Jan 17 14:44:33 2018 Summary: Recommended update for lvm2 Type: recommended Severity: low References: 1063051,1067312 Description: This update for lvm2 provides the following fix: - Backport various upstream fixes for clvmd. (bsc#1063051) - Don't print error messages on testing the connection to the daemon. (bsc#1063051) - Fix handling of udev CHANGE events with systemd. (bsc#1067312) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:146-1 Released: Thu Jan 25 11:44:23 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1064397,1065083 Description: This update for openldap2 provides the following fixes: - Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083) - Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:149-1 Released: Thu Jan 25 13:38:37 2018 Summary: Security update for curl Type: security Severity: moderate References: 1077001,CVE-2018-1000007 Description: This update for curl fixes one issues. 
This security issue was fixed: - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:209-1 Released: Tue Jan 30 10:53:43 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734 Description: This update for ncurses fixes several issues. These security issues were fixed: - CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have lead to a remote denial of service attack (bsc#1056126). - CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056127). - CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056128). - CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have lead to a remote denial of service attack (bsc#1056129). - CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have lead to a remote denial of service attack (bsc#1056131). - CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have lead to a remote denial of service attack (bsc#1056132). - CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have lead to a remote denial of service attack (bsc#1056136). 
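The curl advisory above (SUSE-SU-2018:149-1, CVE-2018-1000007) describes credentials being re-sent to a third party when a redirect crosses hosts. As an added illustration of the client-side rule that closes that gap, here is a small redirect follower written for this digest (not curl's own code): credential headers are dropped whenever the resolved Location points at a different host. The hostnames, the response table and the https-to-http downgrade rule are assumptions constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Header names (lower-case) that carry credentials meant for the host they were
# first sent to. Cookie handling is simplified here: real clients scope cookies
# by domain through a cookie jar rather than by this blanket rule (assumption).
CREDENTIAL_HEADERS = frozenset({"authorization", "cookie"})

# Status codes that make a client issue a follow-up request to the Location URL.
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})


def _endpoint(url):
    """Identify where a request goes: (scheme, host), both lower-cased."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def redirect_leaves_origin(original_url, next_url):
    """True if following the redirect would hand the request to a different host,
    or downgrade https to http on the same host (the downgrade rule is a stricter
    choice made for this example, not something the advisory states)."""
    o_scheme, o_host = _endpoint(original_url)
    n_scheme, n_host = _endpoint(next_url)
    if o_host != n_host:
        return True
    return o_scheme == "https" and n_scheme == "http"


def headers_for_redirect(original_url, location, headers):
    """Resolve the Location header against the URL that produced it and decide
    which request headers may be re-sent. On a cross-host (or downgrading)
    redirect the credential headers are dropped; everything else is kept."""
    next_url = urljoin(original_url, location)
    if not redirect_leaves_origin(original_url, next_url):
        return next_url, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return next_url, kept


# Constructed, offline stand-in for a server: URL -> (status, Location or None).
# The last hop moves from the API host to a third-party CDN host.
FAKE_RESPONSES = {
    "https://api.example.com/report": (302, "/v2/report"),
    "https://api.example.com/v2/report": (302, "https://cdn.example.net/report.pdf"),
    "https://cdn.example.net/report.pdf": (200, None),
}


def follow(url, headers, responses=FAKE_RESPONSES, max_hops=5):
    """Walk a redirect chain and record (url, headers) for every request that
    would be sent, applying the header policy at each hop."""
    sent = []
    for _ in range(max_hops + 1):
        sent.append((url, dict(headers)))
        status, location = responses[url]
        if status not in REDIRECT_STATUSES or location is None:
            return sent
        url, headers = headers_for_redirect(url, location, headers)
    raise RuntimeError("redirect limit of %d exceeded" % max_hops)


if __name__ == "__main__":
    request_headers = {"Authorization": "Bearer constructed-token", "Accept": "application/pdf"}
    for hop_url, hop_headers in follow("https://api.example.com/report", request_headers):
        print(hop_url, sorted(hop_headers))
```

Running it shows the Authorization header surviving the same-host hop and disappearing on the hop to cdn.example.net.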
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released: Tue Jan 30 14:36:40 2018
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.
This security issue was fixed:
- CVE-2018-1049: Prevent a race that can lead to DoS when using automounts (bsc#1076308).
These non-security issues were fixed:
- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files. (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as a bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released: Tue Jan 30 14:37:42 2018
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.
This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER encoded structure, which allowed for DoS (bsc#1076832).
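The libtasn1 advisory above (CVE-2018-6003) is the classic shape of a recursive-descent decoder with no nesting bound. As an added example, not libtasn1's code, here is a minimal BER TLV decoder in which every level of nesting costs one recursion frame and an explicit depth budget rejects input that nests deeper, so a blob that opens thousands of SEQUENCEs without closing them fails fast instead of exhausting the stack. `MAX_DEPTH` and the sample byte strings are constructed for this example; libtasn1's own limit is not stated on this page.

```python
MAX_DEPTH = 32  # nesting budget chosen for this example (assumption)


class BerError(ValueError):
    """Raised for malformed input, including nesting beyond the depth budget."""


def _read_length(data, pos, end):
    """Parse a BER length field starting at pos.
    Returns (length, new_pos); length is None for the indefinite form (0x80)."""
    if pos >= end:
        raise BerError("truncated length at offset %d" % pos)
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos                 # short form
    if first == 0x80:
        return None, pos                  # indefinite form, terminated by 00 00
    count = first & 0x7F
    if count == 0x7F or pos + count > end:
        raise BerError("bad long-form length at offset %d" % (pos - 1))
    return int.from_bytes(data[pos:pos + count], "big"), pos + count


def _decode_one(data, pos, end, depth, max_depth):
    """Decode a single TLV at pos, bounded by end. Constructed values become
    lists of child TLVs; primitives become bytes. The depth check runs before
    anything else, so hostile nesting is rejected at a fixed, small stack cost."""
    if depth > max_depth:
        raise BerError("nesting deeper than %d at offset %d" % (max_depth, pos))
    if pos >= end:
        raise BerError("truncated element at offset %d" % pos)
    tag = data[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise BerError("multi-byte tags are not handled by this example")
    length, pos = _read_length(data, pos, end)
    constructed = bool(tag & 0x20)
    children = []
    if length is None:
        if not constructed:
            raise BerError("indefinite length on a primitive element")
        while True:                       # children until the end-of-contents marker
            if pos + 2 <= end and data[pos] == 0 and data[pos + 1] == 0:
                return (tag, children), pos + 2
            child, pos = _decode_one(data, pos, end, depth + 1, max_depth)
            children.append(child)
    stop = pos + length
    if stop > end:
        raise BerError("length %d overruns container at offset %d" % (length, pos))
    if not constructed:
        return (tag, bytes(data[pos:stop])), stop
    while pos < stop:
        child, pos = _decode_one(data, pos, stop, depth + 1, max_depth)
        children.append(child)
    return (tag, children), stop


def decode(data, max_depth=MAX_DEPTH):
    """Decode a sequence of top-level BER elements into (tag, value) tuples."""
    out, pos, end = [], 0, len(data)
    while pos < end:
        tlv, pos = _decode_one(data, pos, end, 0, max_depth)
        out.append(tlv)
    return out


# Constructed inputs: a well-formed SEQUENCE { INTEGER 5, OCTET STRING "hi" },
# the same INTEGER inside an indefinite-length SEQUENCE, and a hostile blob that
# opens 10000 nested indefinite-length SEQUENCEs without ever closing one.
WELL_FORMED = bytes.fromhex("300702010504026869")
INDEFINITE = bytes.fromhex("3080020105" + "0000")
HOSTILE = b"\x30\x80" * 10000


def decode_or_error(data, max_depth=MAX_DEPTH):
    """Convenience wrapper: return the parse tree, or the rejection text."""
    try:
        return decode(data, max_depth)
    except BerError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    print(decode_or_error(WELL_FORMED))
    print(decode_or_error(INDEFINITE))
    print(decode_or_error(HOSTILE))
```

Without the depth check, the hostile input would drive the same recursion ten thousand frames deep, which is the failure the advisory describes.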
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:250-1
Released:    Fri Feb 2 17:33:48 2018
Summary:     Recommended update for timezone, timezone-java
Type:        recommended
Severity:    low
References:  1073275
Description:
This update provides the latest timezone information (2018c) for your system, including the following changes:

- Sao Tome and Principe switched from +00 to +01 on 2018-01-01.
- Southern Brazil's DST will now start on November's first Sunday. (bsc#1073275)
- New zic option -t to specify the time zone file if TZ is unset.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:270-1
Released:    Wed Feb 7 14:34:19 2018
Summary:     Security update for mariadb
Type:        security
Severity:    moderate
References:  1058722,1064101,1064115,1076505,CVE-2017-10268,CVE-2017-10378
Description:
This update for mariadb to version 10.0.33 fixes several issues.

These security issues were fixed:

- CVE-2017-10378: Vulnerability in subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server (bsc#1064115).
- CVE-2017-10268: Vulnerability in subcomponent: Server: Replication. Difficult to exploit vulnerability allowed a high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data (bsc#1064101).

These non-security issues were fixed:

- CHECK TABLE no longer returns an error when run on a CONNECT table
- 'Undo log record is too big.' error occurring in very narrow range of string lengths
- Race condition between INFORMATION_SCHEMA.INNODB_SYS_TABLESTATS and ALTER/DROP/TRUNCATE TABLE
- Wrong result after altering a partitioned table
- Fixed bugs in InnoDB FULLTEXT INDEX
- InnoDB FTS duplicate key error
- InnoDB crash after failed ADD INDEX and table_definition_cache eviction
- fts_create_doc_id() unnecessarily allocates 8 bytes for every inserted row
- IMPORT TABLESPACE may corrupt ROW_FORMAT=REDUNDANT tables

For additional details please see https://kb.askmonty.org/en/mariadb-10033-changelog

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released:    Thu Feb 8 17:47:43 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes the following issues.

These security issues were fixed:

- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released:    Mon Feb 12 11:50:39 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    low
References:  1057452,1076909
Description:
This update for bash provides the following fixes:

- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released:    Thu Feb 15 14:47:35 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)

Non security bugs fixed:

- Release read lock after resetting timeout (bsc#1073990)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released:    Mon Feb 26 16:34:46 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:

Security issue fixed:

- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on. This could be used by local attackers to gain privileges (bsc#1077925)

Non Security issues fixed:

- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com
- Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224)
  But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released:    Wed Feb 28 16:33:37 2018
Summary:     Recommended update for net-tools
Type:        recommended
Severity:    low
References:  1009905,1063910
Description:
This update for net-tools provides the following fix:

- netstat: fix handling of large socket numbers (bsc#1063910)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released:    Fri Mar 9 14:05:22 2018
Summary:     Security update for augeas
Type:        security
Severity:    low
References:  1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:

Security issue fixed:

- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mishandled by parse_name() (bsc#1054171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released:    Fri Mar 9 18:02:14 2018
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:

- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released:    Mon Mar 12 13:13:55 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:

- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released:    Thu Mar 15 07:38:52 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:

- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released:    Thu Mar 15 10:47:40 2018
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    low
References:  1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:

libsolv:

- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.

libzypp:

- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)

zypper:

- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:478-1
Released:    Thu Mar 15 16:56:52 2018
Summary:     Security update for mariadb
Type:        security
Severity:    important
References:  1078431,CVE-2018-2562,CVE-2018-2612,CVE-2018-2622,CVE-2018-2640,CVE-2018-2665,CVE-2018-2668
Description:
This update for mariadb fixes the following issues:

MariaDB was updated to 10.0.34 (bsc#1078431)

The following security vulnerabilities are fixed:

- CVE-2018-2562: Vulnerability in the MySQL Server subcomponent: Server: Partition. Easily exploitable vulnerability allowed a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.
- CVE-2018-2622: Vulnerability in the MySQL Server subcomponent: Server: DDL. Easily exploitable vulnerability allowed a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2640: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2665: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2668: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2612: Vulnerability in the MySQL Server subcomponent: InnoDB. Easily exploitable vulnerability allowed a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

The MariaDB external release notes and changelog for this release:

* https://kb.askmonty.org/en/mariadb-10034-release-notes
* https://kb.askmonty.org/en/mariadb-10034-changelog

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released:    Thu Mar 22 08:20:46 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:

The following security issues were fixed:

- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released:    Thu Mar 29 14:02:08 2018
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:

Security issues fixed:

- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).

Non-security issues fixed:

- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released:    Thu Apr 5 17:22:37 2018
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.

This security issue was fixed:

- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released:    Wed Apr 11 18:02:57 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:

- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. (bsc#1087102)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:656-1
Released:    Wed Apr 18 12:08:13 2018
Summary:     Recommended update for timezone, timezone-java
Type:        recommended
Severity:    low
References:  1086729
Description:
This update provides the latest timezone information (2018d) for your system, including the following changes:

- In 2018, Palestine starts DST on March 24, not March 31.
- Casey Station in Antarctica changed from +11 to +08 on 2018-03-11 at 04:00 (bsc#1086729).
- Corrections for historical transitions.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released:    Wed Apr 25 14:14:41 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released:    Wed Apr 25 14:23:49 2018
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:

Changes in libsolv:

- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)

Changes in libzypp:

- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released:    Wed May 2 22:16:26 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:

- Fix find-lang.sh to handle the special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal to or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released:    Mon May 7 07:07:38 2018
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    important
References:  1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update for gcc7 to the 7.3 release fixes the following issues:

- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550]
- Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with the GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:910-1
Released:    Tue May 15 12:21:24 2018
Summary:     Recommended update for timezone, timezone-java
Type:        recommended
Severity:    low
References:  1073299
Description:
This update provides the latest timezone information (2018e) for your system, including the following changes:

- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with a negative DST offset to standard time used in winter (bsc#1073299)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released:    Thu May 17 08:41:30 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:

Security issues fixed:

- CVE-2018-1000301: Fixed an RTSP bad headers buffer over-read that could crash the curl client (bsc#1092098)

Non security issues fixed:

- If the DEFAULT_SUSE cipher list is not available, use the HIGH cipher alias before failing. (bsc#1086825)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released:    Wed May 23 16:46:50 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:

- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released:    Wed May 23 17:14:16 2018
Summary:     Security update for bash
Type:        security
Severity:    moderate
References:  1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:

Security issues fixed:

- CVE-2016-7543: A code execution possibility via the SHELLOPTS+PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396)

Non-security issues fixed:

- Fix repeating self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released:    Wed May 23 17:18:39 2018
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1071321
Description:
This update for zlib fixes the following issues:

- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released:    Tue Jun 5 13:20:44 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1089884
Description:
This update for pam fixes the following issues:

- Fix order of accessed configuration files in man page. (bsc#1089884)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released:    Wed Jun 6 11:44:25 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:

- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)

Non security bugs fixed:

- Fix crash in resolver on memory allocation failure (bsc#1086690)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released:    Thu Jun 7 12:58:56 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1073879,1080078,964063
Description:
This update for rpm fixes the following issues:

- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros. (bsc#1080078)

Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released:    Fri Jun 15 13:41:08 2018
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released:    Fri Jun 15 19:19:51 2018
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1090765
Description:
This update for openssl provides the following fix:

- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1202-1
Released:    Fri Jun 22 07:40:27 2018
Summary:     Security update for mariadb
Type:        security
Severity:    important
References:  1088681,1090518,CVE-2018-2755,CVE-2018-2761,CVE-2018-2766,CVE-2018-2767,CVE-2018-2771,CVE-2018-2781,CVE-2018-2782,CVE-2018-2784,CVE-2018-2787,CVE-2018-2813,CVE-2018-2817,CVE-2018-2819
Description:
MariaDB was updated to 10.0.35 (bsc#1090518)

Notable changes:

* PCRE updated to 8.42
* XtraDB updated to 5.6.39-83.1
* TokuDB updated to 5.6.39-83.1
* InnoDB updated to 5.6.40
* The embedded server library now supports SSL when connecting to remote servers [bsc#1088681], [CVE-2018-2767]
* MDEV-15249 - Crash in MVCC read after IMPORT TABLESPACE
* MDEV-14988 - innodb_read_only tries to modify files if transactions were recovered in COMMITTED state
* MDEV-14773 - DROP TABLE hangs for InnoDB table with FULLTEXT index
* MDEV-15723 - Crash in INFORMATION_SCHEMA.INNODB_SYS_TABLES when accessing corrupted record
* Fixes for the following security vulnerabilities: CVE-2018-2782, CVE-2018-2784, CVE-2018-2787, CVE-2018-2766, CVE-2018-2755, CVE-2018-2819, CVE-2018-2817, CVE-2018-2761, CVE-2018-2781, CVE-2018-2771, CVE-2018-2813
* Release notes and changelog:
  * https://kb.askmonty.org/en/mariadb-10035-release-notes
  * https://kb.askmonty.org/en/mariadb-10035-changelog

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released:    Thu Jun 28 13:44:16 2018
Summary:     Security update for procps
Type:        security
Severity:    moderate
References:  1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released:    Thu Jul 5 08:36:17 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite, a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released:    Tue Jul 17 08:07:57 2018
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issues were fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

This non-security issue was fixed:

- Fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released:    Thu Jul 19 09:43:21 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released:    Thu Jul 26 16:32:29 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1413-1
Released: Fri Jul 27 12:41:13 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released: Mon Jul 30 10:10:45 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released: Mon Aug 13 13:41:22 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig.
(bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1610-1
Released: Thu Aug 16 14:04:25 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released: Thu Aug 16 14:49:45 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released: Thu Aug 16 15:27:04 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:
- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096)
- compat-rules: Generate more compat by-id symlinks for NVMe devices.
(bsc#1095096)
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables.
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890)
- logind: Do not use an uninitialized variable. (bsc#1088890)
- Disable user services by default. (bsc#1090785)
- Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post, which made the symlink not owned and, more importantly, it was created only if /etc/sysctl.conf was already installed, which is not always the case during the installation process. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead, since it is a distro default behavior that might be overridden by the sysadmin later.
- systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule so that it can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in the kernel. This change prevents the udev rules for acpi container from being triggered by 'udevadm trigger' from user space.
- build-sys: Explicitly require python3.
(bsc#1082004)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1636-1
Released: Thu Aug 16 15:30:11 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1689-1
Released: Mon Aug 20 09:02:24 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1691-1
Released: Mon Aug 20 09:04:17 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1695-1
Released: Mon Aug 20 09:19:20 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)
This non-security issue was fixed:
- Fix debugger crash in tab completion with Term::ReadLine::Gnu (bsc#1068565)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1698-1
Released: Mon Aug 20 09:19:28 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1834-1
Released: Wed Sep 5 10:17:42 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1089761,1090944,1101040,1103910
Description:
This update for systemd fixes the following issues:
- cryptsetup: Add support for sector-size= option. (fate#325634)
- resolved: Apply epoch to system time from PID 1. (bsc#1103910)
- core/service: Rework the hold-off time over message.
- core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used.
(bsc#1089761)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1903-1
Released: Fri Sep 14 12:46:21 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1089533,1106019,CVE-2018-14618
Description:
This update for curl fixes the following issues:
This security issue was fixed:
- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)
This non-security issue was fixed:
- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1969-1
Released: Mon Sep 24 08:06:42 2018
Summary: Security update for libzypp, zypper
Type: security
Severity: important
References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685
Description:
This update for libzypp, zypper fixes the following issues:
Update libzypp to version 16.17.20:
Security issues fixed:
- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
Other bugs fixed:
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
Update zypper to version 1.13.45:
Security issues fixed:
- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)
Other bugs fixed:
- XML attribute `packages-to-change` added (bsc#1102429)
- man: Clarify that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1985-1
Released: Mon Sep 24 11:56:08 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640
Description:
This update for openldap2 provides the following fix:
- Fix slapd segfaults in mdb_env_reader_dest.
(bsc#1089640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1994-1
Released: Mon Sep 24 12:55:57 2018
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1106914
Description:
This update for shadow fixes the following security issue:
- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2069-1
Released: Fri Sep 28 08:01:25 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737
Description:
This update for openssl fixes the following issues:
These security issues were fixed:
- Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789)
- CVE-2018-0737: The RSA key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039)
These non-security issues were fixed:
- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)
- Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2162-1
Released: Fri Oct 5 14:46:53 2018
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1088921
Description:
This update for krb5 provides the following fix:
- Resolve krb5 GSS credentials immediately if the application requests the lifetime.
(bsc#1088921)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2181-1
Released: Tue Oct 9 11:08:20 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:
This update for libxml2 fixes the following security issues:
- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case, leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2196-1
Released: Thu Oct 11 07:45:16 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564
Description:
The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 8, several bugs fixed, a number of new warnings added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html
Changes needed and common pitfalls when porting software are described at: https://gcc.gnu.org/gcc-8/porting_to.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2217-1
Released: Fri Oct 12 15:07:24 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1094121,1107430
Description:
This update for bash provides the following fixes:
- Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121)
- Fix mis-matching of null string with '*' pattern. (bsc#1107430)
- Fix a crash when the lastpipe option is enabled.
- Fix a typo that was preventing the `compat42' shopt option from working as intended.
- Help the shell to process any pending traps at redirection.
- Fix a crash due to incorrect conversion from an indexed to associative array.
- Avoid the expansion of escape sequences in HOSTNAME in prompt.
- Avoid `xtrace' attack over $PS4.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2373-1
Released: Mon Oct 22 14:43:47 2018
Summary: Security update for rpm
Type: security
Severity: moderate
References: 1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM.
An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)
This non-security issue was fixed:
- Use ksym-provides tool (bsc#1077692)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released: Wed Oct 24 14:42:43 2018
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:
This update for systemd fixes the following issues:
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released: Thu Oct 25 16:56:24 2018
Summary: Recommended update
for libzypp
Type: recommended
Severity: moderate
References: 1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:
- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released: Fri Oct 26 12:39:59 2018
Summary: Recommended update for cpio
Type: recommended
Severity: low
References: 1076810,889138
Description:
This update for cpio provides the following fix:
- Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Type: recommended
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:
Changes in console-setup:
- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942)
Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to =U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non x86 platforms
  * Drop references to KEYTABLE and COMPOSETABLE.
(bsc#1010880)
  * Drop from some fill-up templates a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock (bsc#1056449).
  * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that need this to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce the correct unicode character for the Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released: Tue Oct 30 09:22:45 2018
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1113117
Description:
This update for bash fixes the following issues:
A recently released update introduced a change of behavior which resulted in broken customer scripts.
(bsc#1113117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released: Fri Nov 2 17:09:49 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:
- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released: Fri Nov 2 18:59:06 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:
- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released: Wed Nov 7 11:04:00 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1095148,1113100
Description:
This update for rpm fixes the following issues:
- Fix superfluous TOC.
dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2637-1
Released: Mon Nov 12 20:38:05 2018
Summary: Recommended update for timezone, timezone-java
Type: recommended
Severity: moderate
References: 1104700,1113554
Description:
This update provides the latest time zone definitions (2018g), including the following changes:
- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)
- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- Minor code changes to zic handling of the TZif format
- Documentation updates
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released: Wed Nov 14 14:14:41 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation.
(bsc#1113665)
Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package. This script was part of the systemd-sysvinit sub-package, but that was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released: Thu Nov 22 16:25:38 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).
Non-security issues fixed:
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released: Fri Nov 23 17:07:27 2018
Summary: Security update for rpm
Type: security
Severity: important
References: 943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)
This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released: Fri Nov 23 17:08:32 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released: Tue Nov 27 13:39:49 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:
This non-security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released: Mon Dec 3 15:34:09 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released: Wed Dec 5 09:29:31 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:
- Systemd-aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released: Wed Dec 5 09:57:54 2018
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:
- Allow setuid root for start-suid tool of singularity (group only) (bsc#1028304)
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247 bsc#1097665)
- Make btmp root:utmp (bsc#1050467)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released: Wed Dec 5 09:59:45 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:
- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released: Tue Dec 11 21:48:05 2018
Summary: Recommended update for blog
Type: recommended
Severity: moderate
References: 1071568
Description:
This update for blog fixes the following issues:
- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in the same manner as used by the release notes
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released: Mon Dec 17 08:51:28 2018
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation (bsc#1073313).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:
- Fail selftests when the checksum file is missing in FIPS mode only (bsc#1117355).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released: Tue Jan 8 13:07:17 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:
- quote: Escape literal backslashes (bsc#953659).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:101-1
Released: Tue Jan 15 18:02:39 2019
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1120402
Description:
This update for timezone fixes the following issues:
- Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01.
(bsc#1120402)
- Update 2018h:
  Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21.
  New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move.
  Metlakatla, Alaska observes PST this winter only.
  Guess Morocco will continue to adjust clocks around Ramadan.
  Add predictions for Iran from 2038 through 2090.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Type: security
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:
Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released: Mon Jan 21 13:53:58 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:
Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)
Non-security issues fixed:
- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children.
(bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state, and that failure code prevented the hot-added memory block from being set online. (bsc#1076696)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Type: recommended
Severity: important
References: 1121450
Description:
This update for ncurses fixes the following issues:
- ncurses applications freezing (bsc#1121450)

From sle-updates at lists.suse.com Thu Jan 16 09:58:53 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:58:53 +0100 (CET)
Subject: SUSE-CU-2019:721-1: Security update of caasp/v4/nginx-ingress-controller
Message-ID: <20200116165853.CC143F796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/nginx-ingress-controller
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:721-1
Container Tags : caasp/v4/nginx-ingress-controller:0.15.0 , caasp/v4/nginx-ingress-controller:0.15.0-rev1 , caasp/v4/nginx-ingress-controller:0.15.0-rev1-build1.2
Severity : important
Type : security
References : 1000396 1000662 1000677 1001299 1001790 1001900 1001912 1002975 1002991 1002991 1002991 1002995 1002995 1002998 1002998 1003000 1003000 1003002 1003002 1003012 1003012 1003017 1003017 1003023 1003023 1003577 1003579 1003580 1003714 1003978 1004094 1004289 1004924 1004995 1004995 1004995 1005023 1005063 1005274 1005404 1005544 1005591 1005633 1005634 1005635 1005637 1005638 1005640 1005642 1005643 1005645 1005646 1006175 1006372 1006469 1006687 1006690 1007276 1007280 1007851 1008325 1009269 1009470 1009528 1009532 1009745 1009905 1009966 1010161 1010163
1010220 1010675 1010845 1010880 1011103 1011107 1012266 1012390 1012523 1012591 1012818 1012973 1013286 1013882 1013930 1013989 1014471 1014560 1014566 1014873 1015187 1015254 1015332 1015515 1015565 1015943 1017034 1017497 1017646 1017690 1017693 1018214 1018399 1019276 1019470 1019611 1019637 1019637 1019900 1020108 1020143 1020601 1021315 1021641 1022014 1022047 1022085 1022086 1022103 1022263 1022264 1022265 1022271 1022283 1022284 1022553 1023283 1023895 1024989 1025176 1025398 1025560 1025598 1025630 1025886 1026224 1026567 1026825 1027079 1027379 1027688 1027712 1027908 1027925 1028103 1028263 1028281 1028304 1028304 1028305 1028410 1028485 1028610 1028723 1029102 1029102 1029183 1029516 1029516 1029523 1029561 1029691 1029725 1029900 1030290 1030621 1031247 1031249 1031250 1031254 1031255 1031262 1031263 1031355 1031643 1031702 1031998 1032029 1032029 1032309 1032445 1032538 1032660 1032680 1033109 1033111 1033112 1033113 1033118 1033120 1033126 1033127 1033128 1033129 1033131 1033238 1033238 1033855 1034563 1034565 1035062 1035371 1035386 1035445 1035807 1035818 1035905 1036304 1036457 1036659 1036736 1036873 1036873 1037120 1037120 1037396 1037824 1037930 1038189 1038194 1038438 1038444 1038506 1038865 1038865 1038984 1038984 1039063 1039063 1039064 1039064 1039066 1039066 1039069 1039069 1039099 1039099 1039276 1039357 1039661 1039661 1039941 1040043 1040153 1040153 1040258 1040258 1040614 1040614 1040800 1040942 1040942 1040968 1040968 1040968 1041764 1042326 1042392 1042781 1042804 1042805 1043059 1043218 1043237 1043333 1043333 1043580 1043615 1043758 1043758 1043886 1043900 1043900 1044095 1044107 1044175 1044337 1044840 1044887 1044894 1045092 1045290 1045290 1045384 1045472 1045628 1045735 1045735 1045735 1045943 1045987 1046077 1046173 1046173 1046268 1046417 1046607 1046659 1046750 1046750 1046853 1046853 1046858 1046858 1047008 1047178 1047233 1047236 1047240 1047247 1047379 1047785 1047785 1047937 1047964 1047965 1048315 1048510 1048605 1048605 
1048645 1048679 1049344 1049825 1050152 1050467 1050767 1050943 1051042 1051465 1051626 1051643 1051644 1051791 1052261 1053137 1053188 1053409 1053595 1053671 1054028 1054088 1054171 1054594 1054671 1055446 1055641 1055825 1055920 1056058 1056126 1056127 1056127 1056128 1056128 1056129 1056129 1056131 1056131 1056132 1056132 1056136 1056136 1056437 1056449 1056450 1056993 1056995 1057150 1057188 1057452 1057634 1057640 1057662 1057721 1057724 1057900 1057974 1058695 1058722 1058783 1059065 1059723 1060653 1060738 1061384 1061667 1061876 1062303 1062561 1062591 1062592 1062937 1063051 1063249 1063269 1063675 1063824 1063910 1064397 1064455 1064455 1064455 1064569 1064580 1064583 1064999 1065083 1065274 1065276 1065363 1065448 1065448 1066156 1066242 1066422 1066500 1067312 1067605 1067891 1068251 1068565 1068565 1068588 1068708 1068967 1069213 1069222 1069226 1069468 1069934 1070209 1070428 1070431 1070431 1070851 1070878 1070905 1070958 1071224 1071311 1071319 1071321 1071466 1071558 1071568 1071698 1071905 1071906 1072947 1072947 1073231 1073313 1073879 1073990 1074186 1074254 1074293 1074293 1074317 1074318 1074621 1074687 1075449 1075724 1075743 1075801 1075804 1075978 1075992 1076192 1076308 1076391 1076415 1076696 1076810 1076832 1076909 1077001 1077635 1077692 1077787 1077787 1077925 1077993 1078358 1078662 1078662 1078806 1078813 1079036 1079334 1079600 1079991 1080078 1080382 1080740 1080740 1081170 1081294 1081556 1081690 1081725 1082004 1082216 1082216 1082216 1082233 1082233 1082233 1082234 1082234 1082234 1082318 1082332 1082485 1082485 1082825 1083158 1083290 1083926 1083927 1083946 1084300 1084300 1084521 1084524 1084532 1084626 1084812 1084812 1084842 1085062 1085432 1086247 1086408 1086602 1086690 1086785 1086825 1087102 1087323 1087550 1087550 1087930 1088052 1088279 1088601 1088705 1088769 1088890 1088921 1089039 1089533 1089640 1089761 1089761 1089884 1090765 1090766 1090766 1090766 1090785 1090944 1091265 1091624 1091677 1092098 1092100 1092100 
1092413 1092480 1092640 1092640 1092949 1093753 1093851 1094121 1094150 1094154 1094161 1094222 1094327 1095096 1095148 1096282 1096282 1096282 1096718 1096718 1096745 1096803 1097158 1097410 1097410 1097410 1097624 1097665 1098592 1099257 1099310 1099310 1099310 1099452 1099847 1099982 1100028 1101040 1101246 1101349 1101470 1101591 1102046 1102062 1102068 1102073 1102429 1102564 1103910 1104789 1105031 1105166 1105236 1105434 1106019 1106197 1106391 1106853 1106914 1106923 1107430 1107640 1107941 1108627 1108637 1108835 1109197 1109252 1109877 1110358 1110445 1110661 1111251 1111278 1111965 1112024 1112209 1112758 1112858 1113083 1113094 1113100 1113117 1113125 1113534 1113632 1113652 1113660 1113665 1113672 1113742 1114981 1115518 1115717 1115929 1117355 1119971 1120323 1120489 1121450 360993 408814 556664 658010 661410 675317 825385 829717 830805 874665 888308 889138 889990 892431 894610 896202 896435 897422 898003 899524 899871 900275 900276 901202 901845 901924 902364 902367 903543 905483 906574 906574 906761 906803 906858 907074 907456 908128 908516 909418 910252 910252 910253 910253 911228 911363 911662 912076 912229 912715 912922 912929 913209 913650 913651 914890 914890 915402 915846 916927 917152 917169 918089 918090 918346 919274 920057 920057 920386 921070 922534 923241 923945 924525 924687 924960 924960 926412 926826 927556 927607 927608 927746 927993 928292 928533 928740 929919 930176 931932 932232 932894 933029 933288 933288 933336 933878 933878 934119 934333 934689 934920 936050 936227 936227 936676 937823 938343 938657 939392 939460 940315 942690 942865 942865 943457 943457 944903 945340 945842 945899 952151 952347 952474 953130 953532 953659 953807 953831 954002 954661 954980 954980 955382 955753 955770 957566 957566 957567 957567 957598 957598 957600 957600 958369 958562 959693 960273 960341 960341 960820 960837 960837 961964 962765 962983 962996 963290 963448 963942 964063 964225 964468 965322 965780 965902 966220 967026 967082 967728 967838 
968771 969569 969783 970260 970882 971741 971741 972127 972127 972331 973340 974449 974449 974614 974618 974621 974691 974840 975069 975070 978055 979261 979436 979441 979629 979906 980391 980486 981114 981616 982176 982303 982303 983206 983215 983216 983436 983440 983754 984368 984808 984813 984815 984831 984837 984842 984906 984958 986216 986216 986783 986935 987351 987351 987577 987887 988032 988311 989788 989831 990189 990190 990191 990460 990538 991389 991390 991391 991436 991443 991622 991710 991746 991901 992966 994157 994794 995034 995936 996511 997043 997420 997682 998760 998893 998906 999735 999878 CVE-2012-6702 CVE-2013-6435 CVE-2014-3591 CVE-2014-3707 CVE-2014-3710 CVE-2014-8116 CVE-2014-8116 CVE-2014-8117 CVE-2014-8117 CVE-2014-8118 CVE-2014-8127 CVE-2014-8127 CVE-2014-8128 CVE-2014-8128 CVE-2014-8129 CVE-2014-8130 CVE-2014-8150 CVE-2014-8964 CVE-2014-8964 CVE-2014-9087 CVE-2014-9092 CVE-2014-9112 CVE-2014-9447 CVE-2014-9495 CVE-2014-9620 CVE-2014-9621 CVE-2014-9653 CVE-2014-9655 CVE-2014-9709 CVE-2015-0247 CVE-2015-0837 CVE-2015-0973 CVE-2015-1283 CVE-2015-1572 CVE-2015-1606 CVE-2015-1607 CVE-2015-1782 CVE-2015-2059 CVE-2015-2325 CVE-2015-2325 CVE-2015-2327 CVE-2015-2327 CVE-2015-2328 CVE-2015-2328 CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148 CVE-2015-3153 CVE-2015-3210 CVE-2015-3210 CVE-2015-3217 CVE-2015-3217 CVE-2015-3238 CVE-2015-5073 CVE-2015-5073 CVE-2015-5276 CVE-2015-7511 CVE-2015-7554 CVE-2015-7554 CVE-2015-7995 CVE-2015-8126 CVE-2015-8126 CVE-2015-8380 CVE-2015-8380 CVE-2015-8381 CVE-2015-8381 CVE-2015-8382 CVE-2015-8382 CVE-2015-8383 CVE-2015-8383 CVE-2015-8384 CVE-2015-8384 CVE-2015-8385 CVE-2015-8385 CVE-2015-8386 CVE-2015-8386 CVE-2015-8387 CVE-2015-8387 CVE-2015-8388 CVE-2015-8388 CVE-2015-8389 CVE-2015-8389 CVE-2015-8390 CVE-2015-8390 CVE-2015-8391 CVE-2015-8391 CVE-2015-8392 CVE-2015-8392 CVE-2015-8393 CVE-2015-8393 CVE-2015-8394 CVE-2015-8394 CVE-2015-8395 CVE-2015-8395 CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 
CVE-2015-8853 CVE-2015-8948 CVE-2015-9019 CVE-2016-0634 CVE-2016-0718 CVE-2016-0755 CVE-2016-0787 CVE-2016-10087 CVE-2016-10092 CVE-2016-10093 CVE-2016-10094 CVE-2016-10095 CVE-2016-10156 CVE-2016-10164 CVE-2016-10166 CVE-2016-10167 CVE-2016-10168 CVE-2016-10244 CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269 CVE-2016-10270 CVE-2016-10271 CVE-2016-10272 CVE-2016-10371 CVE-2016-1238 CVE-2016-1283 CVE-2016-1283 CVE-2016-1839 CVE-2016-2037 CVE-2016-2381 CVE-2016-3186 CVE-2016-3191 CVE-2016-3191 CVE-2016-3622 CVE-2016-3622 CVE-2016-3623 CVE-2016-3632 CVE-2016-3658 CVE-2016-3945 CVE-2016-3990 CVE-2016-3991 CVE-2016-4574 CVE-2016-4579 CVE-2016-4658 CVE-2016-4738 CVE-2016-5116 CVE-2016-5131 CVE-2016-5300 CVE-2016-5314 CVE-2016-5316 CVE-2016-5317 CVE-2016-5318 CVE-2016-5319 CVE-2016-5320 CVE-2016-5321 CVE-2016-5323 CVE-2016-5407 CVE-2016-5407 CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 CVE-2016-5652 CVE-2016-5875 CVE-2016-5875 CVE-2016-6128 CVE-2016-6132 CVE-2016-6161 CVE-2016-6185 CVE-2016-6207 CVE-2016-6214 CVE-2016-6223 CVE-2016-6252 CVE-2016-6252 CVE-2016-6252 CVE-2016-6261 CVE-2016-6262 CVE-2016-6263 CVE-2016-6313 CVE-2016-6318 CVE-2016-6905 CVE-2016-6906 CVE-2016-6911 CVE-2016-6912 CVE-2016-7055 CVE-2016-7141 CVE-2016-7167 CVE-2016-7543 CVE-2016-7568 CVE-2016-7942 CVE-2016-7942 CVE-2016-7942 CVE-2016-7944 CVE-2016-7944 CVE-2016-7945 CVE-2016-7945 CVE-2016-7946 CVE-2016-7946 CVE-2016-7947 CVE-2016-7947 CVE-2016-7948 CVE-2016-7948 CVE-2016-7949 CVE-2016-7949 CVE-2016-7950 CVE-2016-7950 CVE-2016-7951 CVE-2016-7951 CVE-2016-7952 CVE-2016-7952 CVE-2016-7953 CVE-2016-7953 CVE-2016-8331 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8670 CVE-2016-9063 CVE-2016-9273 CVE-2016-9297 CVE-2016-9317 CVE-2016-9318 CVE-2016-9401 CVE-2016-9448 CVE-2016-9453 CVE-2016-9586 CVE-2016-9597 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 CVE-2016-9933 CVE-2017-0663 
CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254 CVE-2017-1000257 CVE-2017-1000366 CVE-2017-1000408 CVE-2017-1000409 CVE-2017-10684 CVE-2017-10684 CVE-2017-10685 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-11462 CVE-2017-11613 CVE-2017-11613 CVE-2017-12132 CVE-2017-12133 CVE-2017-12424 CVE-2017-12837 CVE-2017-12883 CVE-2017-12944 CVE-2017-13194 CVE-2017-13726 CVE-2017-13728 CVE-2017-13728 CVE-2017-13729 CVE-2017-13729 CVE-2017-13730 CVE-2017-13730 CVE-2017-13731 CVE-2017-13731 CVE-2017-13732 CVE-2017-13732 CVE-2017-13733 CVE-2017-13733 CVE-2017-13734 CVE-2017-14062 CVE-2017-15088 CVE-2017-15232 CVE-2017-15412 CVE-2017-15670 CVE-2017-15671 CVE-2017-15804 CVE-2017-15908 CVE-2017-16232 CVE-2017-16997 CVE-2017-17740 CVE-2017-17942 CVE-2017-17973 CVE-2017-18013 CVE-2017-18078 CVE-2017-18258 CVE-2017-18269 CVE-2017-3731 CVE-2017-3732 CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 CVE-2017-5029 CVE-2017-5130 CVE-2017-5225 CVE-2017-5969 CVE-2017-6362 CVE-2017-6512 CVE-2017-7375 CVE-2017-7376 CVE-2017-7407 CVE-2017-7435 CVE-2017-7436 CVE-2017-7436 CVE-2017-7500 CVE-2017-7500 CVE-2017-7501 CVE-2017-7501 CVE-2017-7526 CVE-2017-7555 CVE-2017-7592 CVE-2017-7593 CVE-2017-7594 CVE-2017-7595 CVE-2017-7596 CVE-2017-7597 CVE-2017-7598 CVE-2017-7599 CVE-2017-7600 CVE-2017-7601 CVE-2017-7602 CVE-2017-7864 CVE-2017-8105 CVE-2017-8287 CVE-2017-8804 CVE-2017-8816 CVE-2017-8817 CVE-2017-8872 CVE-2017-9047 CVE-2017-9047 CVE-2017-9048 CVE-2017-9048 CVE-2017-9049 CVE-2017-9049 CVE-2017-9050 CVE-2017-9050 CVE-2017-9217 CVE-2017-9217 CVE-2017-9233 CVE-2017-9269 CVE-2017-9269 CVE-2017-9287 CVE-2017-9403 CVE-2017-9404 CVE-2017-9445 CVE-2017-9445 CVE-2017-9526 CVE-2017-9935 CVE-2017-9935 CVE-2018-0495 CVE-2018-0495 CVE-2018-0495 CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-0739 CVE-2018-1000001 CVE-2018-1000001 CVE-2018-1000007 CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000222 CVE-2018-1000301 CVE-2018-1049 CVE-2018-10779 CVE-2018-10963 CVE-2018-1122 
CVE-2018-1122 CVE-2018-1123 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1124 CVE-2018-1125 CVE-2018-1125 CVE-2018-1126 CVE-2018-1126 CVE-2018-12015 CVE-2018-12015 CVE-2018-12020 CVE-2018-12900 CVE-2018-14404 CVE-2018-14567 CVE-2018-14598 CVE-2018-14599 CVE-2018-14600 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16335 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-17100 CVE-2018-17101 CVE-2018-17795 CVE-2018-18557 CVE-2018-18661 CVE-2018-19210 CVE-2018-19211 CVE-2018-20217 CVE-2018-5407 CVE-2018-5711 CVE-2018-5729 CVE-2018-5730 CVE-2018-5784 CVE-2018-6003 CVE-2018-6485 CVE-2018-6551 CVE-2018-6797 CVE-2018-6797 CVE-2018-6797 CVE-2018-6798 CVE-2018-6798 CVE-2018-6798 CVE-2018-6913 CVE-2018-6913 CVE-2018-6913 CVE-2018-7169 CVE-2018-7456 CVE-2018-7685 CVE-2018-7738 CVE-2018-7738 CVE-2018-8905 CVE-2018-9251
-----------------------------------------------------------------
The container caasp/v4/nginx-ingress-controller was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.
This security issue was fixed:
- Out-of-bounds read in ELF note headers (CVE-2014-3710).
This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Type: security
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:15-1
Released: Thu Dec 4 15:24:10 2014
Summary: Security update for libjpeg-turbo, libjpeg62-turbo
Type: security
Severity: moderate
References: 906761,CVE-2014-9092
Description:
libjpeg-turbo, libjpeg62-turbo were updated to fix one security issue.
This security issue was fixed:
- A specially crafted JPEG file smashes the stack (CVE-2014-9092).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Type: security
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:33-1
Released: Wed Jan 14 10:47:09 2015
Summary: Security update for libpng16
Type: security
Severity: important
References: 912076,912929,CVE-2014-9495,CVE-2015-0973
Description:
This update fixes the following security issues:
* CVE-2014-9495: libpng heap overflow vulnerability that under certain circumstances could be exploited.
[bnc#912076]
* CVE-2015-0973: A heap-based overflow was found in the png_combine_row() function of the libpng library when very large interlaced images were used. [bnc#912929]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Type: security
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with spaces.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.
This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released: Tue Feb 3 14:51:17 2015
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 913209
Description:
curl was updated to fix problems when operating in FIPS mode. This patch re-enables the following methods:
- NTLM authentication (e.g.
for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released: Tue Feb 3 16:30:16 2015
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 921070,CVE-2015-1782
Description:
The SSH client library libssh2_org was updated to fix a security issue.
CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer over-read and a crash of the application using libssh2_org.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:194-1
Released: Tue Mar 24 17:21:25 2015
Summary: Security update for gd
Type: security
Severity: low
References: 923945,CVE-2014-9709
Description:
The graphics drawing library gd was updated to fix one security issue.
The following vulnerability was fixed:
* possible buffer read overflow (CVE-2014-9709)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.
The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero-length host names
* CVE-2015-3145: curl cookie parser could access memory out of bounds
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.
libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591).
FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST SP 800-90A compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in FIPS mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Type: security
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Type: recommended
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.
It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Type: optional
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.
Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.
This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes.
The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).
The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. IBM zSeries z13 hardware support has also been added to gdb. (fate#318039)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:
Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)
Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:473-1
Released: Tue Aug 25 16:06:40 2015
Summary: Security update for tiff
Type: security
Severity: moderate
References: 914890,916927,CVE-2014-8127,CVE-2014-8128,CVE-2014-8129,CVE-2014-8130,CVE-2014-9655
Description:
LibTiff was updated to the 4.0.4 stable release, fixing various security issues and bugs.
These security issues were fixed:
- CVE-2014-8127: Out-of-bounds write (bnc#914890).
- CVE-2014-8128: Out-of-bounds write (bnc#914890).
- CVE-2014-8129: Out-of-bounds write (bnc#914890).
- CVE-2014-8130: Out-of-bounds write (bnc#914890).
- CVE-2014-9655: Access of uninitialized memory (bnc#916927).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released:    Wed Aug 26 03:07:07 2015
Summary:     Recommended update for sed
Type:        recommended
Severity:    low
References:  933029
Description:

This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released:    Wed Sep 16 13:30:12 2015
Summary:     Recommended update for grep
Type:        recommended
Severity:    low
References:  920386
Description:

This update for grep fixes undefined behaviour with -P and non-UTF-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:855-1
Released:    Wed Nov 18 10:41:00 2015
Summary:     Security update for libpng16
Type:        security
Severity:    moderate
References:  954980,CVE-2015-8126
Description:

The libpng16 package was updated to fix the following security issue:
- CVE-2015-8126: Fixed buffer overflow vulnerabilities in the png_get_PLTE/png_set_PLTE functions (bsc#954980).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released:    Tue Dec 22 08:44:25 2015
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:

The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released:    Wed Dec 23 10:01:16 2015
Summary:     Recommended update for libksba
Type:        security
Severity:    moderate
References:  926826
Description:

The libksba package was updated to fix the following security issues:
- Fixed integer overflow, out-of-bounds read and stack overflow issues (bsc#926826).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released:    Wed Dec 23 17:40:51 2015
Summary:     Recommended update for acl
Type:        recommended
Severity:    moderate
References:  945899
Description:

This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:16-1
Released:    Tue Jan 5 15:13:34 2016
Summary:     Security update for libpng16
Type:        security
Severity:    moderate
References:  954980,CVE-2015-8126
Description:

This update fixes the following security issue:
* CVE-2015-8126: Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact [bsc#954980]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released:    Fri Jan 8 12:37:34 2016
Summary:     Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type:        recommended
Severity:    moderate
References:  932232
Description:

This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.

The various GNOME libraries and tools have been changed to use the default libgcrypt allocators. GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:104-1
Released:    Mon Jan 18 18:38:06 2016
Summary:     Security update for tiff
Type:        security
Severity:    moderate
References:  942690,960341,CVE-2015-7554
Description:

This update to tiff 4.0.6 fixes the following issues:
- CVE-2015-7554: Out-of-bounds write in the thumbnail and tiffcmp tools allowed an attacker to cause a denial of service or have unspecified further impact (bsc#960341)
- bsc#942690: potential out-of-bound write in NeXTDecode() (#2508)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released:    Thu Feb 4 15:51:22 2016
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  934333,936676,962983,962996,CVE-2016-0755
Description:

This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released:    Thu Mar 3 15:58:18 2016
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  960820
Description:

This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released:    Fri Mar 11 10:17:57 2016
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  933336,961964,967026,CVE-2016-0787
Description:

This update for libssh2_org fixes the following issues:

Security issue fixed:
- CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.

A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released:    Wed Mar 16 18:17:59 2016
Summary:     Recommended update for libcap
Type:        recommended
Severity:    low
References:  967838
Description:

This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released:    Fri Apr 1 18:44:16 2016
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  970882
Description:

This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released:    Wed Apr 6 16:26:42 2016
Summary:     Security update for gcc5
Type:        security
Severity:    moderate
References:  939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:

The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.

The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released:    Mon Apr 18 09:18:19 2016
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  965902,CVE-2015-7511
Description:

libgcrypt was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released:    Tue Apr 19 09:23:39 2016
Summary:     Recommended update for bzip2
Type:        recommended
Severity:    low
References:  970260
Description:

This update for bzip2 fixes the following issues:
- Fix bzgrep wrapper that always returned 0 as exit code when working on multiple archives, even when the pattern was not found.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released:    Thu Apr 28 16:03:24 2016
Summary:     Recommended update for libssh2_org
Type:        recommended
Severity:    important
References:  974691
Description:

This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released:    Thu May 19 22:38:01 2016
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  915846
Description:

This update for curl fixes the following issue:
- Fix 'Network is unreachable' error when IPv6 is not available but IPv4 is. This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released:    Wed May 25 18:27:30 2016
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  979629
Description:

This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing fips pattern (bsc#979629)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released:    Tue Jun 7 09:48:12 2016
Summary:     Security update for expat
Type:        security
Severity:    important
References:  979441,980391,CVE-2015-1283,CVE-2016-0718
Description:

This update for expat fixes the following issues:

Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released:    Tue Jun 7 10:58:37 2016
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  979261,979906,CVE-2016-4574,CVE-2016-4579
Description:

This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)

Also adding reliability fixes from v1.3.4.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released:    Wed Jun 22 14:32:18 2016
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  981616
Description:

This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released:    Thu Jul 7 11:50:47 2016
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  986935
Description:

This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1124-1
Released:    Fri Jul 29 13:27:52 2016
Summary:     Recommended update for libxcb
Type:        recommended
Severity:    low
References:  984368
Description:

This update for libxcb provides the following fixes:
- Fix encoding of 64-bit elements in PRESENT extension. (bsc#984368)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released:    Sat Jul 30 00:39:03 2016
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  983754,989788
Description:

This update for kmod fixes libkmod to handle very long lines in /proc/modules.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released:    Thu Aug 11 15:02:18 2016
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  829717,894610,940315,953532,965322,967728
Description:

This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released:    Tue Aug 16 09:29:01 2016
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:

This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8 (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released:    Fri Aug 19 12:58:39 2016
Summary:     Security update for cracklib
Type:        security
Severity:    moderate
References:  992966,CVE-2016-6318
Description:

This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released:    Thu Sep 8 11:37:44 2016
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:

This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad UTF-8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1330-1
Released:    Fri Sep 9 09:00:53 2016
Summary:     Security update for tiff
Type:        security
Severity:    moderate
References:  964225,973340,984808,984831,984837,984842,987351,CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Description:

This update for tiff fixes the following issues:
* CVE-2015-8781, CVE-2015-8782, CVE-2015-8783: Out-of-bounds writes for invalid images (bsc#964225)
* CVE-2016-3186: Buffer overflow in gif2tiff (bnc#973340).
* CVE-2016-5875: heap-based buffer overflow when using the PixarLog compression format (bsc#987351)
* CVE-2016-5316: Out-of-bounds read in PixarLogCleanup() function in tif_pixarlog.c (bsc#984837)
* CVE-2016-5314: Out-of-bounds write in PixarLogDecode() function (bsc#984831)
* CVE-2016-5317: Out-of-bounds write in PixarLogDecode() function in libtiff.so (bsc#984842)
* CVE-2016-5320: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c (bsc#984808)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1347-1
Released:    Wed Sep 14 09:12:04 2016
Summary:     Security update for gd
Type:        security
Severity:    moderate
References:  982176,987577,988032,991436,991622,991710,995034,CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Description:

This update for gd fixes the following issues:
* CVE-2016-6214: Buffer over-read issue when parsing crafted TGA file [bsc#991436]
* CVE-2016-6132: Out-of-bounds read in the parsing of TGA files using libgd [bsc#987577]
* CVE-2016-6128: Invalid color index not properly handled [bsc#991710]
* CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991622]
* CVE-2016-6161: Global out-of-bounds read when encoding GIF from malformed input with gd2togif [bsc#988032]
* CVE-2016-5116: Avoid stack overflow (read) with large names [bsc#982176]
* CVE-2016-6905: Out-of-bounds read in function read_image_tga in gd_tga.c [bsc#995034]
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released:    Thu Sep 15 20:54:21 2016
Summary:     Optional update for gcc6
Type:        optional
Severity:    low
References:  983206
Description:

This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.

Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.

Generic Optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit, which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.

C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.
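The new diagnostics above each catch a specific bug shape that survives compilation and review. The following is an added example written for this digest, not code from GCC or from the SUSE update: three small functions whose shape trips -Wmisleading-indentation, -Wduplicated-cond and -Wtautological-compare, each next to the version the author intended. The function and macro names are made up for the illustration; every function returns a value so the wrong behaviour is observable rather than only reported.

```c
/* Added example, not code from GCC or from the SUSE advisory: bug shapes
 * that GCC 6's new diagnostics flag, paired with the intended versions.
 * Build with
 *   gcc -Wall -Wextra -Wduplicated-cond -c gcc6_warnings.c
 * -Wmisleading-indentation and -Wtautological-compare come with -Wall;
 * -Wduplicated-cond has to be named explicitly. */

/* -Wmisleading-indentation: the second addition looks guarded by the if
 * but is not, so count_guarded(0) returns 10 instead of the expected 0. */
int count_guarded(int flag)
{
    int count = 0;
    if (flag)
        count += 1;
        count += 10;        /* unconditional: not part of the if body */
    return count;
}

int count_guarded_fixed(int flag)
{
    int count = 0;
    if (flag) {
        count += 1;
        count += 10;
    }
    return count;
}

/* -Wduplicated-cond: the second test repeats the first, so the "20"
 * branch is dead and classify(2) falls through to -1. */
int classify(int code)
{
    if (code == 1)
        return 10;
    else if (code == 1)     /* copy-paste error; meant code == 2 */
        return 20;
    return -1;
}

int classify_fixed(int code)
{
    if (code == 1)
        return 10;
    else if (code == 2)
        return 20;
    return -1;
}

/* -Wtautological-compare: x == x is always true for an int, so the
 * sentinel check accepts every value instead of only SENTINEL. */
#define SENTINEL (-1)       /* hypothetical "no value" marker */

int is_sentinel(int x)
{
    if (x == x)             /* meant x == SENTINEL */
        return 1;
    return 0;
}

int is_sentinel_fixed(int x)
{
    return x == SENTINEL;
}
```

None of the three warnings changes the generated code; they are review findings. Where a code base is expected to be clean of them, promoting the ones that matter to errors (for example -Werror=misleading-indentation) keeps a regression from slipping through a build that otherwise only prints the warning.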
C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.

C++ improvements:
- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.

libstdc++ improvements:
- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit.

Fortran improvements:
- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.

Architecture improvements:
- AArch64 received a lot of improvements.

IA-32/x86-64 improvements:
- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.

PowerPC / PowerPC64 / RS6000 improvements:
- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128.
  The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
  - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
  - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
  - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
  - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
  - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
  - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
  - -mpower9-minmax: Reserved for future development.
  - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.

S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins.
  In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.

An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released:    Fri Sep 16 17:13:43 2016
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:

This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)

Also the following bug was fixed:
- fixing a performance issue (bsc#991746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released:    Wed Sep 21 12:58:14 2016
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  994157,CVE-2016-6313
Description:

This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1461-1
Released:    Wed Oct 12 11:31:33 2016
Summary:     Security update for tiff
Type:        security
Severity:    moderate
References:  974449,974614,974618,975069,975070,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Description:

This update for tiff fixes the following security issues:
- CVE-2016-3622: Specially crafted TIFF images could trigger a crash in tiff2rgba (bsc#974449)
- Various out-of-bound write vulnerabilities with unspecified impact (MSVR 35093, MSVR 35094, MSVR 35095, MSVR 35096, MSVR 35097, MSVR 35098)
- CVE-2016-3623: Specially crafted TIFF images could trigger a crash in rgb2ycbcr (bsc#974618)
- CVE-2016-3945: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via tiff2rgba (bsc#974614)
- CVE-2016-3990: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution (bsc#975069)
- CVE-2016-3991: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via the tiffcrop tool (bsc#975070)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1464-1
Released:    Wed Oct 12 11:36:01 2016
Summary:     Security update for X Window System client libraries
Type:        security
Severity:    moderate
References:  1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023,CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Description:

This update for the X Window System client libraries fixes a class of privilege escalation issues.
A malicious X Server could send specially crafted data to X clients, which allowed for triggering crashes, or privilege escalation if this relationship was untrusted or crossed user or permission level boundaries. libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC were fixed, specifically: libX11: - CVE-2016-7942: insufficient validation of data from the X server allowed out of boundary memory read (bsc#1002991) libXfixes: - CVE-2016-7944: insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures (bsc#1002995) libXi: - CVE-2016-7945, CVE-2016-7946: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998) libXtst: - CVE-2016-7951, CVE-2016-7952: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1003012) libXv: - CVE-2016-5407: insufficient validation of data from the X server can cause out of boundary memory and memory corruption (bsc#1003017) libXvMC: - CVE-2016-7953: insufficient validation of data from the X server can cause a one byte buffer read underrun (bsc#1003023) libXrender: - CVE-2016-7949, CVE-2016-7950: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003002) libXrandr: - CVE-2016-7947, CVE-2016-7948: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003000) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1571-1 Released: Fri Oct 28 14:54:49 2016 Summary: Security update for gd Type: security Severity: important References: 1001900,1004924,1005274,CVE-2016-6911,CVE-2016-7568,CVE-2016-8670 Description: This update for gd fixes the following security issues: - CVE-2016-7568: A specially crafted image file could cause an application crash or potentially execute arbitrary code when the image 
is converted to webp (bsc#1001900) - CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf (bsc#1004924) - CVE-2016-6911: Check for out-of-bound read in dynamicGetbuf() (bsc#1005274) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1591-1 Released: Wed Nov 2 12:07:51 2016 Summary: Security update for curl Type: security Severity: important References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624 Description: This update for curl fixes the following security issues: - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646) - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645) - CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643) - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642) - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640) - CVE-2016-8619: double-free in krb5 code (bsc#1005638) - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637) - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635) - CVE-2016-8616: case insensitive password comparison (bsc#1005634) - CVE-2016-8615: cookie injection for other servers (bsc#1005633) - CVE-2016-7167: escape and unescape integer overflows (bsc#998760) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1614-1 Released: Mon Nov 7 20:01:31 2016 Summary: Recommended update for shadow Type: recommended Severity: low References: 1002975 Description: This update for shadow fixes the following issues: - Set file modes according to the permissions package and don't attempt to manipulate them in %files section. 
(bsc#1002975) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1641-1 Released: Thu Nov 10 20:02:04 2016 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1006469,958369,979436 Description: This update for sg3_utils provides the following fixes: - Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469) - Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436) - In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. (bsc#958369) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1668-1 Released: Thu Nov 17 14:34:38 2016 Summary: Security update for X Window System client libraries Type: security Severity: moderate References: 1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023,CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953 Description: This update for the X Window System client libraries fixes a class of privilege escalation issues. A malicious X Server could send specially crafted data to X clients, which allowed for triggering crashes, or privilege escalation if this relationship was untrusted or crossed user or permission level boundaries. 
libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC were fixed, specifically: libX11: - CVE-2016-7942: insufficient validation of data from the X server allowed out of boundary memory read (bsc#1002991) libXfixes: - CVE-2016-7944: insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures (bsc#1002995) libXi: - CVE-2016-7945, CVE-2016-7946: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998) libXtst: - CVE-2016-7951, CVE-2016-7952: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1003012) libXv: - CVE-2016-5407: insufficient validation of data from the X server can cause out of boundary memory and memory corruption (bsc#1003017) libXvMC: - CVE-2016-7953: insufficient validation of data from the X server can cause a one byte buffer read underrun (bsc#1003023) libXrender: - CVE-2016-7949, CVE-2016-7950: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003002) libXrandr: - CVE-2016-7947, CVE-2016-7948: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003000) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1744-1 Released: Fri Dec 2 11:42:41 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to 
version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). 
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). 
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1749-1 Released: Mon Dec 5 09:28:00 2016 Summary: Security update for libX11 Type: security Severity: moderate References: 1002991,CVE-2016-7942 Description: libX11 was updated to fix a memory leak that was introduced with the security fix for CVE-2016-7942. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1782-1 Released: Fri Dec 9 13:35:02 2016 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1001790,1004289,1005404,1006372,1006690,989831,991443 Description: This update for systemd provides the following fixes: - Allow to redirect confirmation messages to a different console. (bsc#1006690) - Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831) - Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289) - Don't emit space usage message right after opening the persistent journal. (bsc#991443) - Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. (bsc#1006372) - Document that *KeyIgnoreInhibited only apply to a subset of locks. - Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404) - Revert 'kbd-model-map: add more mappings offered by Yast'. - Don't busy loop when we get a notification message we can't process. - Rename kbd-model-map-extra into kbd-model-map.legacy. 
- Add kbd-model-map-extra file which contains the additional maps needed by YaST. - Drop localfs.service: unused and not needed anymore. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1827-1 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). 
- bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). 
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1863-1 Released: Wed Dec 21 10:41:35 2016 Summary: Recommended updated for pth Type: recommended Severity: low References: 1013286 Description: This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1868-1 Released: Wed Dec 21 16:24:02 2016 Summary: Security update for gd Type: security Severity: moderate References: 1015187,CVE-2016-9933 Description: This update for gd fixes the following issues: * CVE-2016-9933 possible stackoverflow on malicious truecolor images [bsc#1015187] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1937-1 Released: Thu Dec 29 20:47:49 2016 Summary: Security update for tiff Type: security Severity: moderate References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351,CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453 Description: The tiff library and tools were updated to version 4.0.7 fixing various bug and security issues. - CVE-2014-8127: out-of-bounds read with malformed TIFF image in multiple tools [bnc#914890] - CVE-2016-9297: tif_dirread.c read outside buffer in _TIFFPrintField() [bnc#1010161] - CVE-2016-3658: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c [bnc#974840] - CVE-2016-9273: heap overflow [bnc#1010163] - CVE-2016-3622: divide By Zero in the tiff2rgba tool [bnc#974449] - CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow [bnc#1007280] - CVE-2016-9453: out-of-bounds Write memcpy and less bound check in tiff2pdf [bnc#1011107] - CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat [bnc#987351] - CVE-2016-9448: regression introduced by fixing CVE-2016-9297 [bnc#1011103] - CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode() function [bnc#984813] - CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (null ptr dereference?) 
[bnc#984815] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2-1 Released: Mon Jan 2 08:35:08 2017 Summary: Security update for zlib Type: security Severity: moderate References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843 Description: This update for zlib fixes the following issues: CVE-2016-9843: Big-endian out-of-bounds pointer CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579) Incompatible declarations for external linkage function deflate (bsc#1003577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:6-1 Released: Tue Jan 3 15:01:58 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538 Description: This update for systemd fixes the following issues: - core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340) - fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989) - coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591) - Ship kbd-model-map with the correct contents. (bsc#1015515) - rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538) - tmpfiles: Don't skip path_set_perms on error. (bsc#953807) - nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390) - systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. 
(bsc#1012818) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:32-1 Released: Mon Jan 9 11:50:42 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 994794 Description: This update for dirmngr enables support for daemon mode. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:47-1 Released: Wed Jan 11 11:42:43 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1018214,1018399 Description: This update for systemd fixes the following two issues: - A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399) - Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:98-1 Released: Thu Jan 19 10:17:55 2017 Summary: Recommended update for kmod Type: recommended Severity: low References: 998906 Description: This update for kmod fixes a rare race condition while loading modules. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:149-1 Released: Wed Jan 25 09:17:08 2017 Summary: Security update for systemd Type: security Severity: important References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156 Description: This update for systemd fixes the following issues: This security issue was fixed: - CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601). 
These non-security issues were fixed: - Fix permission set on /var/lib/systemd/linger/* - install: follow config_path symlink (#3362) - install: fix disable when /etc/systemd/system is a symlink (bsc#1014560) - run: make --slice= work in conjunction with --scope (bsc#1014566) - core: don't dispatch load queue when setting Slice= for transient units - systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266) - rule: don't automatically online standby memory on s390x (bsc#997682) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:185-1 Released: Thu Feb 2 18:22:37 2017 Summary: Security update for cpio Type: security Severity: moderate References: 1020108,963448,CVE-2016-2037 Description: This update for cpio fixes two issues. This security issue was fixed: - CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448). This non-security issue was fixed: - bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:192-1 Released: Fri Feb 3 18:46:05 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597 Description: This update for libxml2 fixes the following issues: * CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544] * Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873] * CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497). For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. 
Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:209-1 Released: Tue Feb 7 17:00:47 2017 Summary: Recommended update for libseccomp Type: recommended Severity: low References: 1019900 Description: This update provides libseccomp version 2.3.1 which fixes the following issues: - Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900) - Fixed problems with ipc syscalls on 32-bit x86 - Fixed problems with socket and ipc syscalls on s390 and s390x ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:212-1 Released: Wed Feb 8 13:07:24 2017 Summary: Security update for expat Type: security Severity: moderate References: 983215,983216,CVE-2012-6702,CVE-2016-5300 Description: This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. 
(bsc#983216) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:228-1 Released: Fri Feb 10 15:39:32 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732 Description: This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641) Security issues fixed: - CVE-2016-7055: The x86_64 optimized montgomery multiplication may produce incorrect results (bsc#1009528) - CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085) - CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086) - Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912) Non-security issues fixed: - fix crash in openssl speed (bsc#1000677) - fix X509_CERT_FILE path (bsc#1022271) - AES XTS key parts must not be identical in FIPS mode (bsc#1019637) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:231-1 Released: Mon Feb 13 11:40:25 2017 Summary: Security update for tiff Type: security Severity: moderate References: 1019611,1022103,CVE-2017-5225 Description: This update for tiff fixes the following issues: - A crafted TIFF image could cause a crash and potential code execution when processed by the 'tiffcp' utility (CVE-2017-5225, bsc#1019611). Also a regression from the version update to 4.0.7 was fixed in handling TIFFTAG_FAXRECVPARAMS. (bsc#1022103) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:240-1 Released: Wed Feb 15 07:29:29 2017 Summary: Security update for libXpm Type: security Severity: moderate References: 1021315,CVE-2016-10164 Description: This update for libXpm fixes the following issues: - A heap overflow in XPM handling could be used by attackers supplying XPM files to crash or potentially execute code. 
(bsc#1021315) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:241-1 Released: Wed Feb 15 07:30:57 2017 Summary: Security update for gd Type: security Severity: moderate References: 1022263,1022264,1022265,1022283,1022284,1022553,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-6906,CVE-2016-6912,CVE-2016-9317 Description: This update for gd fixes the following security issues: - CVE-2016-6906: An out-of-bounds read in TGA decompression was fixed which could have lead to crashes. (bsc#1022553) - CVE-2016-6912: Double free vulnerability in the gdImageWebPtr function in the GD Graphics Library (aka libgd) allowed remote attackers to have unspecified impact via large width and height values. (bsc#1022284) - CVE-2016-9317: The gdImageCreate function in the GD Graphics Library (aka libgd) allowed remote attackers to cause a denial of service (system hang) via an oversized image. (bsc#1022283) - CVE-2016-10166: A potential unsigned underflow in gd interpolation functions could lead to memory corruption in the GD Graphics Library (aka libgd) (bsc#1022263) - CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx() could lead to libgd running out of memory even on small files. 
(bsc#1022264) - CVE-2016-10168: A signed integer overflow in the GD Graphics Library (aka libgd) could lead to memory corruption (bsc#1022265) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:261-1 Released: Mon Feb 20 11:00:28 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1019276 Description: This update for dirmngr fixes the following issues: - Properly initialize the dirmngr tmpfilesd files right away and not just during reboot - Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276) - Proprely require logrotate as we need it for the dirmngr configs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:365-1 Released: Fri Mar 10 15:16:59 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1006175 Description: This update for sg3_utils fixes the following issue: - Add udev rules to handle legacy CCISS devices (bsc#1006175) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:389-1 Released: Thu Mar 16 14:16:43 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004094,1006687,1019470,1022014,1022047,1025598,995936 Description: This update for systemd provides the following fixes: - core: Fix memory leak in transient units. (bsc#1025598) - core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687) - sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014) - journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094) - core: Downgrade warning about duplicate device names. (bsc#1022047) - units: Remove no longer needed ldconfig service. 
(bsc#1019470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:439-1 Released: Tue Mar 21 10:48:47 2017 Summary: Recommended update for netcfg Type: recommended Severity: low References: 1028305,959693 Description: This update for netcfg provides the following fixes: - Update script to generate services to use UTF8 by default. (bsc#1028305) - Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:462-1 Released: Fri Mar 24 21:58:07 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1012973,1015943,1017034,1023283,1025560,1025630 Description: This update for lvm2 fixes the following issues: - Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630) - Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560) - Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034) - Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973) - Add systemd_requires to device-mapper package. (bsc#1015943) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:464-1 Released: Mon Mar 27 15:50:51 2017 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1007851,1029725,1029900 Description: This update for glibc fixes a potential segmentation fault in libpthread: - Fork in libpthread cannot use IFUNC resolver. 
(bsc#1007851, bsc#1029725, bsc#1029900) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:478-1 Released: Wed Mar 29 13:02:30 2017 Summary: Security update for libpng16 Type: security Severity: moderate References: 1017646,CVE-2016-10087 Description: This update for libpng16 fixes the following issues: Security issues fixed: - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:580-1 Released: Wed Apr 12 23:58:47 2017 Summary: Recommended update for cpio Type: recommended Severity: important References: 1028410 Description: This update for cpio fixes the following issues: - A regression caused cpio to crash for tar and ustar archive types [bsc#1028410] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:609-1 Released: Tue Apr 18 11:28:14 2017 Summary: Security update for curl Type: security Severity: moderate References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407 Description: This update for curl fixes the following issues: Security issue fixed: - CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332) - CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309). With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:610-1 Released: Tue Apr 18 11:29:22 2017 Summary: Security update for tiff Type: security Severity: important References: 1031247,1031249,1031250,1031254,1031255,1031262,1031263,CVE-2016-10266,CVE-2016-10267,CVE-2016-10268,CVE-2016-10269,CVE-2016-10270,CVE-2016-10271,CVE-2016-10272 Description: This update for tiff fixes the following issues: Security issues fixed: - CVE-2016-10272: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to 'WRITE of size 2048' and libtiff/tif_next.c:64:9 (bsc#1031247). - CVE-2016-10271: tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 1' and libtiff/tif_fax3.c:413:13 (bsc#1031249). - CVE-2016-10270: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 8' and libtiff/tif_read.c:523:22 (bsc#1031250). - CVE-2016-10269: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 512' and libtiff/tif_unix.c:340:2 (bsc#1031254). - CVE-2016-10268: tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 78490' and libtiff/tif_unix.c:115:23 (bsc#1031255). 
- CVE-2016-10267: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8 (bsc#1031262). - CVE-2016-10266: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. (bsc#1031263). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:732-1 Released: Wed May 10 14:03:43 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1030621 Description: This update for procps fixes the following issues: - Command w(1) with option -n doesn't work. (bsc#1030621) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:735-1 Released: Wed May 10 15:43:46 2017 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1036736,986783 Description: This update for gpg2 provides the following fixes: - Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736) - Initialize the trustdb before import attempt. (bsc#986783) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:751-1 Released: Thu May 11 17:14:30 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770 Description: This update for systemd provides the following fixes: - logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355) - importd: Support SUSE style checksums. (fate#322054) - journal: Don't remove leading spaces. (bsc#1033855) - Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565) - hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. 
(bsc#1010220) - logind: Restart logind on package update only on SLE12 distros. (bsc#1032660) - core: Treat masked files as 'unchanged'. (bsc#1032538) - units: Move Before deps for quota services to remote-fs.target. (bsc#1028263) - udev: Support predictable ifnames on vio buses. (bsc#1029183) - udev: Add a persistent rule for ibmvnic devices. (bsc#1029183) - units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398) - core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610) - vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691) - udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886) - Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:793-1 Released: Tue May 16 15:40:43 2017 Summary: Security update for libxslt Type: security Severity: moderate References: 1005591,1035905,934119,952474,CVE-2015-7995,CVE-2015-9019,CVE-2016-4738,CVE-2017-5029 Description: This update for libxslt fixes the following issues: - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function xsltStylePreCompute' in preproc.c could cause a type confusion leading to DoS. 
(bsc#952474) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:794-1 Released: Tue May 16 15:41:09 2017 Summary: Security update for bash Type: security Severity: moderate References: 1010845,1035371,CVE-2016-9401 Description: This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:799-1 Released: Wed May 17 00:21:13 2017 Summary: Recommended update for glibc Type: recommended Severity: low References: 1026224,1035445 Description: This update for glibc introduces basic support for IBM POWER9 systems. Additionally, an improper assert in dlclose() has been removed. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:865-1 Released: Wed May 24 16:23:20 2017 Summary: Security update for pam Type: security Severity: moderate References: 1015565,1037824,934920,CVE-2015-3238 Description: This update for pam fixes the following issues: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565). - If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565) - Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:873-1 Released: Fri May 26 16:19:47 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1009532,960273 Description: This update for e2fsprogs provides the following fixes: - Fix 32/64-bit overflow when multiplying by blocks/clusters per group. 
This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532) - Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:877-1 Released: Mon May 29 15:11:48 2017 Summary: Recommended update for cryptsetup Type: recommended Severity: low References: 1031998 Description: This update for cryptsetup provides the following fix: - Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:891-1 Released: Tue May 30 22:28:21 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following issues: - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064) - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066) - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661) - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:907-1 Released: Thu Jun 1 14:23:36 2017 Summary: Recommended update for shadow Type: recommended Severity: low References: 1003978,1031643 Description: This update for shadow fixes the following issues: - Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643) - useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID was iterated to find an available UID/GID. 
This could take long time over a network device. Instead, find available UID/GID locally, and then check only those values over network. (bsc#1003978) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:918-1 Released: Tue Jun 6 12:35:44 2017 Summary: Recommended update for libsemanage, selinux-policy Type: recommended Severity: moderate References: 1020143,1032445,1035818,1038189 Description: This update for libsemanage, selinux-policy fixes the following issues: - Limit to policy version 29 by default. - Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:925-1 Released: Thu Jun 8 12:58:42 2017 Summary: Recommended update for freetype2 Type: recommended Severity: low References: 1038506 Description: This update for freetype2 fixes an issue within handling of very large fonts which could lead to corrupted characters in the boot splash screen of systems configured to use the Korean language. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:939-1 Released: Mon Jun 12 10:56:22 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following security issues: * CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661) * CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066) * CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063) * CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:959-1 Released: Wed Jun 14 14:38:11 2017 Summary: Recommended update for gcc5 Type: recommended Severity: low References: 1043580 Description: This update for gcc5 fixes the version of libffi in its pkg-config configuration file. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:962-1 Released: Wed Jun 14 16:33:07 2017 Summary: Security update for openldap2 Type: security Severity: moderate References: 1009470,1037396,1041764,972331,CVE-2017-9287 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764) Non security bugs fixed: - Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. 
(bsc#1009470) - Fix an uninitialised variable that causes startup failure (bsc#1037396) - Fix an issue with transaction management that can cause server crash (bsc#972331) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:985-1 Released: Mon Jun 19 14:57:41 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1042326,931932,CVE-2017-9526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326) - Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:990-1 Released: Mon Jun 19 17:19:44 2017 Summary: Security update for glibc Type: security Severity: important References: 1039357,1040043,CVE-2017-1000366 Description: This update for glibc fixes the following issues: - CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357] - A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1033-1 Released: Fri Jun 23 16:38:55 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1038194 Description: This update for e2fsprogs provides the following fixes: - Don't ignore fsync errors in libext2fs. (bsc#1038194) - Fix fsync(2) detection in libext2fs. 
(bsc#1038194) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1036-1 Released: Mon Jun 26 08:12:24 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969 Description: This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337) * CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1040-1 Released: Mon Jun 26 13:22:26 2017 Summary: Recommended update for libsemanage, policycoreutils Type: recommended Severity: low References: 1043237 Description: This update for libsemanage, policycoreutils fixes the following issue: - Show version numbers of modules where they are available (bsc#1043237) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1082-1 Released: Fri Jun 30 10:54:06 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1045943 Description: This update for dirmngr provides the following fix: - Change logrotate from Requires to Recommends (bsc#1045943) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1086-1 Released: Fri Jun 30 15:36:17 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376 Description: This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887) * CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1104-1 Released: Tue Jul 4 16:13:55 2017 Summary: Security update for systemd Type: security Severity: moderate 
References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start 
shipping unit files. - Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1116-1 Released: Thu Jul 6 11:37:18 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1046607,CVE-2017-7526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1119-1 Released: Fri Jul 7 11:23:20 2017 Summary: Recommended update for ncurses Type: security Severity: important References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858) - CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. 
(bsc#1046853) Bugfixes: - Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does not need it anymore and as well as it causes bug bsc#1000662 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1160-1 Released: Fri Jul 14 17:20:26 2017 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1031702 Description: This update for openldap2 provides the following fix: - Fix a regression in handling of non-blocking connection (bsc#1031702) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1174-1 Released: Wed Jul 19 11:12:51 2017 Summary: Security update for systemd, dracut Type: security Severity: important References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445 Description: This update for systemd and dracut fixes the following issues: Security issues fixed: - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290) Non-security issues fixed in systemd: - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) Non-security issues fixed in dracut: - Bail out if module directory does not exist. (bsc#1043900) - Suppress bogus error message. (bsc#1032029) - Fix module force loading with systemd. (bsc#986216) - Ship udev files required by systemd. (bsc#1040153) - Ignore module resolution errors (e.g. with kgraft). 
(bsc#1037120) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1222-1 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1034563,1039941 Description: This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1245-1 Released: Thu Aug 3 10:43:15 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445 Description: This update for systemd provides several fixes and enhancements. Security issues fixed: - CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614) - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. 
(bsc#1045290) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. 
- Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1268-1 Released: Mon Aug 7 10:09:19 2017 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364 Description: This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation: - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908) - Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175) - Fix x86 extended feature detection (bsc#1029523) - Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environmental variable (bsc#1028723) - s_client sent empty client certificate (bsc#1028281) Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. - Fix a bug in XTS key handling (bsc#1019637) - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1279-1 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Type: security Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. 
(bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1316-1 Released: Thu Aug 10 13:54:27 2017 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1014471,1026825,1044840,938657 Description: This update for cyrus-sasl provides the following fixes: - Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence 'GSSAPI client step 1' debug log message (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1326-1 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Type: security Severity: low References: 1038444,CVE-2017-8872 Description: This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1330-1 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Type: recommended Severity: low References: 954661 Description: This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. 
(bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 Description: This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1334-1 Released: Tue Aug 15 20:09:03 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1048679,874665 Description: This update for systemd fixes the following issues: - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1335-1 Released: Wed Aug 16 11:24:21 2017 Summary: Security update for curl Type: security Severity: moderate References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101 Description: This update for curl fixes the following issues: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 Description: This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1349-1
Released:    Fri Aug 18 12:31:07 2017
Summary:     Recommended update for lua51
Type:        recommended
Severity:    low
References:  1051626
Description:
This update for lua51 provides the following fixes:
- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1390-1
Released:    Fri Aug 25 15:14:27 2017
Summary:     Security update for libzypp
Type:        security
Severity:    important
References:  1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
yast2-pkg-bindings:
- Do not crash when the repository URL is not defined.
(bsc#1043218)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1419-1
Released:    Wed Aug 30 15:38:22 2017
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:
- CVE-2016-9063: Possible integer overflow inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External entity vulnerability could lead to denial of service (bsc#1047236)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1439-1
Released:    Fri Sep 1 15:31:05 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1045384,1045987,1046268,1047379,1048605
Description:
This update for systemd fixes the following issues:
- Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1447-1
Released:    Mon Sep 4 15:38:20 2017
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    important
References:  1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)
zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages.
(bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1450-1
Released:    Mon Sep 4 16:36:07 2017
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  1035062,944903
Description:
This update for insserv-compat fixes the following issues:
- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1453-1
Released:    Mon Sep 4 21:23:50 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:
- libgcrypt stored an open file descriptor to the random device in a static variable between invocations.
gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null, which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in the healthcheck sanity test to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- fix a bug in gcry_drbg_healthcheck_sanity() which caused some of the tests to be skipped (bsc#1046659)
- dlsym returns the PLT address on s390x: dlopen libgcrypt20.so before calling dlsym (bsc#1047008)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1548-1
Released:    Fri Sep 15 18:19:12 2017
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:
- Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fall back to using sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates.
(bsc#1009269)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1589-1
Released:    Tue Sep 26 09:58:51 2017
Summary:     Security update for tiff
Type:        security
Severity:    moderate
References:  1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805,CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Description:
This update for tiff to version 4.0.8 fixes several bugs and security issues.
These security issues were fixed:
- CVE-2017-7595: The JPEGSetupEncode function allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033127).
- CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational function allowed remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file (bsc#1038438).
- CVE-2017-7598: Error in tif_dirread.c allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033118).
- CVE-2017-7596: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033126).
- CVE-2017-7597: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033120).
- CVE-2017-7599: Undefined behavior because of shorts outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033113).
- CVE-2017-7600: Undefined behavior because of chars outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033112).
- CVE-2017-7601: A shift exponent too large for the 64-bit type long caused undefined behavior, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033111).
- CVE-2017-7602: Prevent signed integer overflow, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033109).
- CVE-2017-7592: The putagreytile function had a left-shift undefined behavior issue, which might have allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033131).
- CVE-2017-7593: Ensure that tif_rawdata is properly initialized, to prevent remote attackers from obtaining sensitive information from process memory via a crafted image (bsc#1033129).
- CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable function allowed remote attackers to cause a denial of service (memory leak) via a crafted image (bsc#1033128).
- CVE-2017-9403: Prevent memory leak in function TIFFReadDirEntryLong8Array, which allowed attackers to cause a denial of service via a crafted file (bsc#1042805).
- CVE-2017-9404: Fixed memory leak vulnerability in function OJPEGReadHeaderInfoSecTablesQTable, which allowed attackers to cause a denial of service via a crafted file (bsc#1042804).
Various other issues were fixed:
- Fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer division by zero. Reported by Agostino Sarubbo.
- fix heap-based buffer overflow on generation of PixarLog / LUV compressed files, with ColorMap, TransferFunction attached and nasty plays with bitspersample.
The fix for LUV has not been tested, but it suffers from the same kind of issue as PixarLog.
- modify ChopUpSingleUncompressedStrip() to compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on the total size of data, which is faulty if the total size of data is not sufficient to fill the whole image, and thus results in reading outside of the StripByteCounts/StripOffsets arrays when using TIFFReadScanline()
- make OJPEGDecode() early exit in case of failure in OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
- fix misleading indentation as warned by GCC.
- revert change done on 2016-01-09 that made Param member of TIFFFaxTabEnt structure a uint16 to reduce size of the binary. It happens that the Hylafax software uses the tables that follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable, TIFFFaxBlackTable), although they are not in a public libtiff header.
- add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants of the functions without ext, with an extra argument to control the stop_on_error behaviour.
- fix potential memory leaks in error code path of TIFFRGBAImageBegin().
- increase libjpeg max memory usable to 10 MB instead of the libjpeg 1 MB default. This helps when creating files with 'big' tiles, without using libjpeg temporary files.
- add _TIFFcalloc()
- return 0 in Encode functions instead of -1 when TIFFFlushData1() fails.
- only run JPEGFixupTagsSubsampling() if the YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce the I/O amount when the tag is present (especially on cloud hosted files).
- in LZWPostEncode(), increase, if necessary, the code bit-width after flushing the remaining code and before emitting the EOI code.
- fix memory leak in error code path of PixarLogSetupDecode().
- fix potential memory leak in OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
- avoid crash in Fax3Close() on empty file.
- TIFFFillStrip(): add limitation to the number of bytes read in case td_stripbytecount[strip] is bigger than reasonable, so as to avoid excessive memory allocation.
- fix memory leak when the underlying codec (ZIP, PixarLog) succeeds its setupdecode() method, but PredictorSetup fails.
- TIFFFillStrip() and TIFFFillTile(): avoid excessive memory allocation in case of truncated files. Only effective on 64 bit builds and non-mapped cases.
- TIFFFillStripPartial() / TIFFSeek(): avoid potential integer overflows with read_ahead in CHUNKY_STRIP_READ_SUPPORT mode.
- avoid excessive memory allocation in case of truncated files. Only effective on 64 bit builds.
- update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with tif_rawdataloaded when calling TIFFStartStrip() or TIFFFillStripPartial().
- avoid potential int32 overflow in TIFFYCbCrToRGBInit()
- avoid potential int32 overflows in multiply_ms() and add_ms().
- fix out-of-buffer read in PackBitsDecode()
- LogL16InitState(): avoid excessive memory allocation when RowsPerStrip tag is missing.
- update dec_bitsleft at beginning of LZWDecode(), and update tif_rawcc at end of LZWDecode(). This is needed to properly work with the latest changes in tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode.
- PixarLogDecode(): resync tif_rawcp with next_in and tif_rawcc with avail_in at beginning and end of function, similarly to what is done in LZWDecode(). Likely needed so that it works properly with the latest changes in tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode.
- initYCbCrConversion(): add basic validation of luma and refBlackWhite coefficients (just check they are not NaN for now), to avoid potential float to int overflows.
- _TIFFVSetField(): fix outside range cast of double to float.
- initYCbCrConversion(): check luma[1] is not zero to avoid division by zero.
- initYCbCrConversion(): stricter validation for refBlackWhite coefficient values.
- avoid uint32 underflow in cpDecodedStrips that can cause various issues, such as buffer overflows in the library.
- fix readContigStripsIntoBuffer() in -i (ignore) mode so that the output buffer is correctly incremented to avoid write outside bounds.
- add 3 extra bytes at end of strip buffer in readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
- fix integer division by zero when BitsPerSample is missing.
- fix null pointer dereference in -r mode when the image has no StripByteCount tag.
- avoid potential division by zero if the BitsPerSample tag is missing.
- when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called, limit the returned number of inks to SamplesPerPixel, so that code that parses ink names doesn't go past the end of the buffer.
- fix uint32 underflow/overflow that can cause heap-based buffer overflow.
- replace assert( (bps % 8) == 0 ) by a non-assert check.
- fix 2 heap-based buffer overflows (in PSDataBW and PSDataColorContig).
- prevent heap-based buffer overflow in -j mode on a paletted image.
- fix wrong usage of memcpy() that can trigger unspecified behaviour.
- avoid potential invalid memory read in t2p_writeproc.
- avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile().
- remove extraneous TIFFClose() in error code path, that caused double free.
- error out cleanly in cpContig2SeparateByRow and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
- avoid integer division by zero.
- call TIFFClose() in error code paths.
- emit appropriate message if the input file is empty.
- close TIFF handle in error code path.
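Several of the libtiff items in this advisory (capping TIFFFillStrip()/TIFFFillTile() reads on truncated files, "uint32 underflow/overflow that can cause heap-based buffer overflow", reading outside the StripByteCounts/StripOffsets arrays) come down to one check: never trust a file-supplied offset and byte count until both have been compared, in wide enough arithmetic, against the file that is actually present. The block below is an added example written for this page, not code from libtiff or from the SUSE update. It loads one strip from an in-memory stand-in for a file: the sample bytes, the 64 MiB cap, the status codes and the function names are all constructed for the demo. naive_bounds_ok() shows the 32-bit range check that a crafted byte count slips past by wrapping; load_strip() rejects offsets past the end of file, sums that do not fit in 32 bits and unreasonably large claims, and for a truncated file copies only the bytes that exist instead of allocating what the header asks for.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for this demo (constructed, not libtiff's). */
enum {
    STRIP_OK         =  0,
    STRIP_TRUNCATED  =  1,  /* file ends before the strip does; partial data returned */
    STRIP_BAD_OFFSET = -1,  /* StripOffsets entry points past the end of the file */
    STRIP_OVERFLOW   = -2,  /* offset + bytecount does not fit in 32 bits */
    STRIP_TOO_LARGE  = -3,  /* bytecount "bigger than reasonable" */
    STRIP_NOMEM      = -4
};

/* Upper bound for a single strip allocation. The value is a demo assumption;
 * libtiff derives its own limit differently. */
#define MAX_STRIP_BYTES (64u * 1024u * 1024u)

/* Constructed 64-byte stand-in for a file. Only bytes 8..23 carry a
 * recognisable pattern; the rest is zero. This is not a valid TIFF. */
#define SAMPLE_FILE_LEN 64
static const unsigned char SAMPLE_FILE[SAMPLE_FILE_LEN] = {
    'I', 'I', 42, 0, 8, 0, 0, 0,
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7,
    0xA8, 0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF
};

/* The kind of range check the uint32 overflow fixes replaced: the sum is
 * computed in 32 bits, so offset + bytecount can wrap to a small value and a
 * strip that really extends past 4 GiB is accepted. Returns 1 if accepted. */
int naive_bounds_ok(uint32_t file_len, uint32_t offset, uint32_t bytecount)
{
    uint32_t end = offset + bytecount;      /* wraps modulo 2^32 */
    return end <= file_len;
}

/* Hardened strip loader. On STRIP_OK or STRIP_TRUNCATED, *out is a malloc'd
 * copy of *out_len bytes that the caller frees; on any error nothing is
 * allocated and *out is NULL. */
int load_strip(const unsigned char *file, size_t file_len,
               uint32_t offset, uint32_t bytecount,
               unsigned char **out, size_t *out_len)
{
    uint64_t end;
    size_t want;
    int status = STRIP_OK;
    unsigned char *buf;

    *out = NULL;
    *out_len = 0;

    if (offset > file_len)
        return STRIP_BAD_OFFSET;
    end = (uint64_t)offset + bytecount;     /* 64-bit sum: cannot wrap */
    if (end > UINT32_MAX)
        return STRIP_OVERFLOW;              /* classic TIFF offsets are 32-bit */
    if (bytecount > MAX_STRIP_BYTES)
        return STRIP_TOO_LARGE;             /* refuse before allocating */
    want = bytecount;
    if (want > file_len - offset) {         /* truncated file: take what exists */
        want = file_len - offset;
        status = STRIP_TRUNCATED;
    }
    buf = malloc(want ? want : 1);
    if (!buf)
        return STRIP_NOMEM;
    memcpy(buf, file + offset, want);
    *out = buf;
    *out_len = want;
    return status;
}

int main(void)
{
    unsigned char *buf;
    size_t n;
    int rc = load_strip(SAMPLE_FILE, SAMPLE_FILE_LEN, 48, 32, &buf, &n);
    printf("strip at 48 claiming 32 bytes: status %d, %zu bytes available\n", rc, n);
    free(buf);
    printf("naive 32-bit check accepts offset 32 + bytecount 0xFFFFFFFF: %d\n",
           naive_bounds_ok(SAMPLE_FILE_LEN, 32, 0xFFFFFFFFu));
    return 0;
}
```

The order of the checks matters: the overflow and size tests run before any allocation, so a hostile header costs nothing, and the truncation clamp bounds every allocation by the size of the file rather than by what the file claims, which is the property the "avoid excessive memory allocation in case of truncated files" items restore.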
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1592-1
Released:    Tue Sep 26 17:38:03 2017
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1028485,1045628,978055,998893,999878
Description:
This update for lvm2 provides the following fixes:
- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1644-1
Released:    Mon Oct 9 07:52:24 2017
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.
This security issue was fixed:
- CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995)
These non-security issues were fixed:
- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1663-1
Released:    Tue Oct 10 12:05:09 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1043615,1046173
Description:
This update for dbus-1 provides the following fixes:
- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore.
(bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1703-1
Released:    Tue Oct 17 13:20:12 2017
Summary:     Recommended update for audit
Type:        recommended
Severity:    low
References:  1042781
Description:
This update for audit provides the following fix:
- Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1758-1
Released:    Mon Oct 23 08:47:47 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)
Bugs fixed:
- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1796-1
Released:    Fri Oct 27 21:25:06 2017
Summary:     Recommended update for pcre
Type:        recommended
Severity:    moderate
References:  1058722
Description:
This update for pcre fixes the following issues:
- Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining the pcre match() function (bsc#1058722)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1797-1
Released:    Sat Oct 28 12:06:19 2017
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1028304,1048645,1060738
Description:
This update for permissions fixes the following issues:
- Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode.
(bsc#1028304)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1826-1
Released:    Wed Nov 8 08:47:17 2017
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:
Security issues fixed:
- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1829-1
Released:    Wed Nov 8 08:50:00 2017
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1023895,1052261,980486,CVE-2017-12424
Description:
This update for shadow fixes several issues.
This security issue was fixed:
- CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have led to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261).
These non-security issues were fixed:
- bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings
- bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1881-1
Released:    Wed Nov 22 16:29:58 2017
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:
The GNU file utility was updated to version 5.22.
Security issues fixed:
- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string.
(bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allowed remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)
Version update to file version 5.22
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.
Version update to file version 5.21
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads
Update to file version 5.20
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support
Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against Excel 97/2003 file format. (bsc#1009966)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1903-1
Released:    Fri Nov 24 16:19:37 2017
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic.
(bnc#1047178)
Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1916-1
Released:    Fri Nov 24 20:15:01 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    important
References:  1043333,1059723
Description:
This update for libgcrypt provides the following fix:
- Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon. (bsc#1059723)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1917-1
Released:    Mon Nov 27 13:32:07 2017
Summary:     Optional update for gcc7
Type:        recommended
Severity:    low
References:  1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.
New features:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support.
The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 7, several bugs fixed, many new warnings added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1965-1
Released:    Thu Nov 30 12:48:45 2017
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libsolv:
- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.
libzypp:
- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.
zypper:
- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands to support setting only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1966-1
Released:    Thu Nov 30 13:45:24 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249
Description:
This update for systemd fixes the following issues:
- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow to specify the generation number through the kernel command line.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs check. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11.
(bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1968-1
Released:    Thu Nov 30 19:49:33 2017
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    low
References:  1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:
- Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example it no longer hangs with problematic NFS mounted via systemd.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1970-1
Released:    Thu Nov 30 22:55:41 2017
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2021-1
Released:    Fri Dec 8 10:11:04 2017
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1070878,1070958
Description:
This update for file fixes detection of JPEG files.
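The two libgcrypt updates earlier in this list describe one failure mode twice: SUSE-RU-2017:1453-1 (bsc#1043333), where a descriptor number cached in a static variable was repointed at /dev/null by gnome-keyring-daemon's reset of fds 0-2, so every read returned nothing and the library looped forever, and SUSE-RU-2017:1916-1 (bsc#1059723), where the first fix for that then leaked descriptors. The block below is an added example written for this page, not libgcrypt's or SUSE's code. It caches a descriptor the way the advisory describes, simulates the daemon's dup2() of /dev/null over that number, and contrasts a reader that keeps retrying 0-byte reads (capped here only so the demo terminates) with one that verifies the descriptor's identity with fstat() before use, reopens only when the identity has changed, and treats a 0-byte read as an error. The device paths, function names and the spin cap are assumptions made for the demo; it needs a Linux-like /dev.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define RANDOM_DEV "/dev/urandom"

/* Library-side state as the advisory describes it: one descriptor number kept
 * across calls, plus (for the hardened reader) the identity of what it opened. */
static int cached_fd = -1;
static struct stat cached_st;

static int open_random_dev(void)
{
    int fd = open(RANDOM_DEV, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &cached_st) != 0) { close(fd); return -1; }
    cached_fd = fd;
    return 0;
}

/* Original pattern: reuse the cached number blindly and loop until the buffer
 * is full. Once that number refers to /dev/null, read() returns 0 on every
 * call and the loop never ends. The spin cap exists only so this demo
 * terminates; the real loop had none. Returns 0 on success, -1 when it would
 * have spun forever. */
int fill_random_naive(unsigned char *buf, size_t len)
{
    int spins = 0;
    if (cached_fd < 0 && open_random_dev() != 0) return -1;
    while (len > 0) {
        ssize_t n = read(cached_fd, buf, len);
        if (n > 0) { buf += n; len -= (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        if (++spins > 1000) return -1;
    }
    return 0;
}

/* Hardened: before trusting the cached number, confirm it still refers to the
 * device that was opened (same st_dev/st_ino/st_rdev). If not, the number has
 * been reused by someone else: forget it without closing it (it is not ours
 * any more) and open afresh. A 0-byte read is a failure, never retried. The
 * reopen happens only when the identity check fails, so a healthy process
 * keeps one descriptor instead of leaking one per call. */
int fill_random_checked(unsigned char *buf, size_t len)
{
    struct stat st;
    if (cached_fd >= 0 &&
        (fstat(cached_fd, &st) != 0 ||
         st.st_dev != cached_st.st_dev || st.st_ino != cached_st.st_ino ||
         st.st_rdev != cached_st.st_rdev))
        cached_fd = -1;
    if (cached_fd < 0 && open_random_dev() != 0) return -1;
    while (len > 0) {
        ssize_t n = read(cached_fd, buf, len);
        if (n > 0) { buf += n; len -= (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        return -1;                 /* EOF or hard error: not a random device */
    }
    return 0;
}

/* Stand-in for gnome-keyring-daemon's start-up: the descriptor number the
 * library cached is repointed at /dev/null with dup2(), which is what a
 * daemon's redirection of fds 0-2 does when a library already holds one of
 * those numbers. Returns 0 on success. */
int simulate_daemon_fd_reset(void)
{
    int null_fd;
    if (cached_fd < 0 && open_random_dev() != 0) return -1;
    null_fd = open("/dev/null", O_RDONLY);
    if (null_fd < 0) return -1;
    if (dup2(null_fd, cached_fd) < 0) { close(null_fd); return -1; }
    close(null_fd);
    return 0;
}

/* Whole scenario. Returns 1 when the naive reader spins after the reset and
 * the checked reader recovers, 0 otherwise. */
int demo_scenario(void)
{
    unsigned char a[16], b[16];
    if (fill_random_naive(a, sizeof a) != 0) return 0;   /* fine before reset */
    if (simulate_daemon_fd_reset() != 0) return 0;
    int naive_spun = (fill_random_naive(a, sizeof a) == -1);
    int checked_ok = (fill_random_checked(b, sizeof b) == 0);
    return naive_spun && checked_ok;
}

int main(void)
{
    puts(demo_scenario() ? "naive reader spun, checked reader recovered"
                         : "scenario did not reproduce");
    return 0;
}
```

The identity check is what separates the two fixes in the advisories: reopening the device on every call also avoids the hang, but costs a descriptor each time, which is the leak the follow-up update had to repair.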
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2031-1 Released: Mon Dec 11 12:55:57 2017 Summary: Recommended update for gzip Type: recommended Severity: low References: 1067891 Description: This update for gzip provides the following fix: - Fix mishandling of leading zeros in the end-of-block code (bsc#1067891) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2036-1 Released: Wed Dec 13 16:34:21 2017 Summary: Recommended update for util-linux Type: recommended Severity: low References: 1039276,1040968,1055446,1066500 Description: This update for util-linux provides the following fixes: - Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968) - Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446) - Fix a lscpu failure on Sydney Amazon EC2 region. (bsc#1066500) - If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2097-1 Released: Sat Dec 16 01:59:00 2017 Summary: Security update for openssl Type: security Severity: important References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738 Description: This update for openssl fixes the following issues: - OpenSSL Security Advisory [07 Dec 2017] * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \'error state\' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. 
In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. O penSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905) * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2137-1 Released: Thu Dec 21 17:49:12 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1046173,1071698 Description: This update for dbus-1 provides the following fixes: - The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. 
(bsc#1071698) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:4-1 Released: Tue Jan 2 15:58:20 2018 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1057640,1067605,1068708,1071466,969569 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Don't store duplicated locks. (bsc#969569) - Fix default for solver.allowNameChange. (bsc#1071466) - Don't filter procs with a different mnt namespace. (bsc#1068708) - Support repo variables in an URIs host:port component. (bsc#1057640, bsc#1067605) zypper: - Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:38-1 Released: Tue Jan 9 14:56:43 2018 Summary: Recommended update for kmod Type: recommended Severity: low References: 1070209 Description: This update for kmod provides the following fix: - Fix resolving .TOC. in modules on 4.4 and older kernel (bsc#1070209) - Fix kernel master build for ppc64le (bsc#1070209) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:55-1 Released: Fri Jan 12 09:45:49 2018 Summary: Security update for glibc Type: security Severity: important References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001 Description: This update for glibc fixes the following issues: - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. 
[CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:59-1 Released: Fri Jan 12 11:18:44 2018 Summary: Security update for tiff Type: security Severity: important References: 1017690,1069213,960341,969783,983436,CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-5318,CVE-2017-16232 Description: This update for tiff to version 4.0.9 fixes the following issues: Security issues fixed: - CVE-2014-8128: Fix out-of-bounds read with malformed TIFF image in multiple tools (bsc#969783). - CVE-2015-7554: Fix invalid write in tiffsplit / _TIFFVGetField (bsc#960341). - CVE-2016-10095: Fix stack-based buffer overflow in _TIFFVGetField (tif_dir.c) (bsc#1017690). - CVE-2016-5318: Fix stackoverflow in thumbnail (bsc#983436). - CVE-2017-16232: Fix memory-based DoS in tiff2bw (bsc#1069213). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:86-1 Released: Wed Jan 17 09:38:17 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:88-1 Released: Wed Jan 17 14:41:17 2018 Summary: Security update for curl Type: security Severity: moderate References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226). - CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:90-1 Released: Wed Jan 17 14:44:33 2018 Summary: Recommended update for lvm2 Type: recommended Severity: low References: 1063051,1067312 Description: This update for lvm2 provides the following fix: - Backport various upstream fixes for clvmd. (bsc#1063051) - Don't print error messages on testing the connection to the daemon. (bsc#1063051) - Fix handling of udev CHANGE events with systemd. 
(bsc#1067312) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:100-1 Released: Thu Jan 18 14:40:35 2018 Summary: Security update for gd Type: security Severity: moderate References: 1056993,CVE-2017-6362 Description: This update for gd fixes one issues. This security issue was fixed: - CVE-2017-6362: Prevent double-free in gdImagePngPtr() that potentially allowed for DoS or remote code execution (bsc#1056993). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:127-1 Released: Tue Jan 23 13:37:09 2018 Summary: Security update for libvpx Type: security Severity: moderate References: 1075992,CVE-2017-13194 Description: This update for libvpx fixes one issues. This security issue was fixed: - CVE-2017-13194: Fixed incorrect memory allocation related to odd frame width (bsc#1075992). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:146-1 Released: Thu Jan 25 11:44:23 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1064397,1065083 Description: This update for openldap2 provides the following fixes: - Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083) - Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:149-1 Released: Thu Jan 25 13:38:37 2018 Summary: Security update for curl Type: security Severity: moderate References: 1077001,CVE-2018-1000007 Description: This update for curl fixes one issues. 
This security issue was fixed: - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:178-1 Released: Mon Jan 29 09:55:25 2018 Summary: Security update for gd Type: security Severity: moderate References: 1076391,CVE-2018-5711 Description: This update for gd fixes one issues. This security issue was fixed: - CVE-2018-5711: Prevent integer signedness error that could have lead to an infinite loop via a crafted GIF file allowing for DoS (bsc#1076391) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:209-1 Released: Tue Jan 30 10:53:43 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734 Description: This update for ncurses fixes several issues. These security issues were fixed: - CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have lead to a remote denial of service attack (bsc#1056126). - CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056127). - CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056128). - CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have lead to a remote denial of service attack (bsc#1056129). - CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have lead to a remote denial of service attack (bsc#1056131). 
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have lead to a remote denial of service attack (bsc#1056132). - CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have lead to a remote denial of service attack (bsc#1056136). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:213-1 Released: Tue Jan 30 14:36:40 2018 Summary: Security update for systemd Type: security Severity: moderate References: 1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049 Description: This update for systemd fixes several issues. This security issue was fixed: - CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308). These non-security issues were fixed: - core: don't choke if a unit another unit triggers vanishes during reload - delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX - delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428) - delta: check if a prefix needs to be skipped only once - delta: skip symlink paths when split-usr is enabled (#4591) - sysctl: use raw file descriptor in sysctl_write (#7753) - sd-netlink: don't take possesion of netlink fd from caller on failure (bsc#1074254) - Fix the regexp used to detect broken by-id symlinks in /etc/crypttab It was missing the following case: '/dev/disk/by-id/cr_-xxx'. - sysctl: disable buffer while writing to /proc (bsc#1071558) - Use read_line() and LONG_LINE_MAX to read values configuration files. 
(bsc#1071558) - sysctl: no need to check for eof twice - def: add new constant LONG_LINE_MAX - fileio: add new helper call read_line() as bounded getline() replacement - service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156) - gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280) - gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422) - fstab-util: introduce fstab_has_fstype() helper - fstab-generator: ignore root=/dev/nfs (#3591) - fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452) - virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510) - analyze: replace --no-man with --man=no in the man page (bsc#1068251) - udev: net_setup_link: don't error out when we couldn't apply link config (#7328) - Add missing /etc/systemd/network directory - Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510) - sd-bus: use -- when passing arguments to ssh (#6706) - systemctl: make sure we terminate the bus connection first, and then close the pager (#3550) - sd-bus: bump message queue size (bsc#1075724) - tmpfiles: downgrade warning about duplicate line ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:214-1 Released: Tue Jan 30 14:37:42 2018 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1076832,CVE-2018-6003 Description: This update for libtasn1 fixes one issue. This security issue was fixed: - CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding BER encoded structure allowed for DoS (bsc#1076832). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:261-1 Released: Tue Feb 6 11:24:15 2018 Summary: Security update for libjpeg-turbo Type: security Severity: moderate References: 1062937,CVE-2017-15232 Description: This update for libjpeg-turbo fixes the following issues: Feature update: - Update from version 1.3.1 to version 1.5.2 (fate#324061). Security issue fixed: - CVE-2017-15232: Fix NULL pointer dereference in jdpostct.c and jquant1.c (bsc#1062937). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:276-1 Released: Thu Feb 8 17:47:43 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130 Description: This update for libxml2 fixes one issue. This security issue was fixed: - CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993) - CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. 
(bsc#1078813) - CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:286-1 Released: Fri Feb 9 16:48:50 2018 Summary: Security update for freetype2 Type: security Severity: important References: 1028103,1035807,1036457,1079600,CVE-2016-10244,CVE-2017-7864,CVE-2017-8105,CVE-2017-8287 Description: This update for freetype2 fixes the following security issues: - CVE-2016-10244: Make sure that the parse_charstrings function in type1/t1load.c does ensure that a font contains a glyph name to prevent a DoS through a heap-based buffer over-read or possibly have unspecified other impact via a crafted file (bsc#1028103) - CVE-2017-8105: Fix an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.ca (bsc#1035807) - CVE-2017-8287: an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c (bsc#1036457) - Fix several integer overflow issues in truetype/ttinterp.c (bsc#1079600) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:291-1 Released: Mon Feb 12 11:50:39 2018 Summary: Recommended update for bash Type: recommended Severity: low References: 1057452,1076909 Description: This update for bash provides the following fix: - Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452) - Fix a crash when filesystem is full. (bsc#1076909) - Enable multi-byte characters by default. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:314-1 Released: Thu Feb 15 14:47:35 2018 Summary: Security update for glibc Type: security Severity: important References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551 Description: This update for glibc fixes the following issues: Security issues fixed: - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293) Non security bugs fixed: - Release read lock after resetting timeout (bsc#1073990) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:336-1 Released: Wed Feb 21 14:26:52 2018 Summary: Security update for libdb-4_8 Type: security Severity: moderate References: 1043886 Description: This update for libdb-4_8 fixes the following issues: - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. (bsc#1043886) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:355-1 Released: Mon Feb 26 16:34:46 2018 Summary: Security update for systemd Type: security Severity: moderate References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless protected_hardlinks sysctl is on. 
This could be used by local attackers to gain privileges (bsc#1077925) Non Security issues fixed: - core: use id unit when retrieving unit file state (#8038) (bsc#1075801) - cryptsetup-generator: run cryptsetup service before swap unit (#5480) - udev-rules: all values can contain escaped double quotes now (#6890) - strv: fix buffer size calculation in strv_join_quoted() - tmpfiles: change ownership of symlinks too - stdio-bridge: Correctly propagate error - stdio-bridge: remove dead code - remove bus-proxyd (bsc#1057974) - core/timer: Prevent timer looping when unit cannot start (bsc#1068588) - Make systemd-timesyncd use the openSUSE NTP servers by default Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com - Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224) But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if tmp.mount in use is located in /usr. - Enable systemd-networkd on Leap distros only (bsc#1071311) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:375-1 Released: Wed Feb 28 16:33:37 2018 Summary: Recommended update for net-tools Type: recommended Severity: low References: 1009905,1063910 Description: This update for net-tools provides the following fix: - netstat: fix handling of large socket numbers (bsc#1063910) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:439-1 Released: Fri Mar 9 14:05:22 2018 Summary: Security update for augeas Type: security Severity: low References: 1054171,CVE-2017-7555 Description: This update for augeas fixes the following issues: Security issue fixed: - CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:443-1 Released: Fri Mar 9 18:02:14 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1081556,CVE-2017-12133 Description: This update for glibc fixes the following issues: - CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:446-1 Released: Mon Mar 12 13:13:55 2018 Summary: Security update for shadow Type: security Severity: moderate References: 1081294,CVE-2018-7169 Description: This update for shadow fixes the following issues: - CVE-2018-7169: Fixed an privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:465-1 Released: Thu Mar 15 07:38:52 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1075743,1078358,1081170 Description: This update for systemd fixes the following issues: - Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:472-1 Released: Thu Mar 15 10:47:40 2018 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: low References: 1074687,1075449,1076415,1079334,953130 Description: This update for libsolv, libzypp and zypper provides the following fixes: libsolv: - Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130) - Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM. - Add a new function to change the whatprovides data: pool_set_whatprovides. 
- Significant improvements in the selection code. libzypp: - Make sure deleted keys are also removed from rpmdb. (bsc#1075449) - plugin: Don't reject header values containing ':'. (bsc#1074687) - RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415) zypper: - Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:522-1 Released: Thu Mar 22 08:20:46 2018 Summary: Security update for curl Type: security Severity: moderate References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122 Description: This update for curl fixes the following issues: Following security issues were fixed: - CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521). - CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524). - CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:567-1 Released: Thu Mar 29 14:02:08 2018 Summary: Security update for krb5 Type: security Severity: moderate References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730 Description: This update for krb5 provides the following fixes: Security issues fixed: - CVE-2018-5730: DN container check bypass by supplying special crafted data (bsc#1083927). - CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying special crafted data (bsc#1083926). Non-security issues fixed: - Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. 
System administrators who are experiencing this kind of compatibility issues may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662) - Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in gss_indicate_mech() list. (bsc#1081725) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:594-1 Released: Thu Apr 5 17:22:37 2018 Summary: Security update for libidn Type: security Severity: moderate References: 1056450,CVE-2017-14062 Description: This update for libidn fixes one issues. This security issue was fixed: - CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:624-1 Released: Wed Apr 11 18:02:57 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1087102,CVE-2018-0739 Description: This update for openssl fixes the following issues: - CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. (bsc#1087102). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:730-1 Released: Wed Apr 25 14:14:41 2018 Summary: Security update for perl Type: security Severity: moderate References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:736-1 Released: Wed Apr 25 14:23:49 2018 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1075978,1077635,1079991,1082318,1086602 Description: This update for libsolv, libzypp provides the following fixes: Changes in libsolv: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Also make use of suggests for ordering packages. (bsc#1077635) - Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978) - Use license tag instead of doc in the spec file. (bsc#1082318) Changes in libzypp: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Fix a memory leak in Digest.cc. (bsc#1075978) - Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:779-1 Released: Wed May 2 22:16:26 2018 Summary: Recommended update for rpm Type: recommended Severity: low References: 1003714,1027925,1069934 Description: This update for rpm provides the following fixes: - Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925) - Add %sle_version macro to suse_macros. 
(bsc#1003714) - Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively. - Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'. - Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument. - Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:797-1 Released: Mon May 7 07:07:38 2018 Summary: Recommended update for gcc7 Type: recommended Severity: important References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930 Description: This update for gcc7 to 7.3 release fixes the following issues: - Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812). - The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946] - Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621] - Update includes a fix for chromium build failure. [bsc#1083290] - Various AArch64 compile fixes are included: * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419. * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930] * Enable --enable-fix-cortex-a53-835769 for aarch64. 
* Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667] * Fixed bogus stack probe instruction on ARM. [bsc#1068967] - Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550] - Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:822-1 Released: Wed May 9 14:01:33 2018 Summary: Security update for tiff Type: security Severity: moderate References: 1046077,1074318,1081690,CVE-2017-17973,CVE-2017-9935,CVE-2018-5784 Description: This update for tiff fixes the following issues: - CVE-2017-9935: There was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077) - CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318) - CVE-2018-5784: There is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. 
This occurs because the declared number of directory entries is not validated against the actual number of directory entries (bsc#1081690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:939-1 Released: Thu May 17 08:41:30 2018 Summary: Security update for curl Type: security Severity: moderate References: 1086825,1092098,CVE-2018-1000301 Description: This update for curl fixes several issues: Security issues fixed: - CVE-2018-1000301: Fixed a RTSP bad headers buffer over-read could crash the curl client (bsc#1092098) Non security issues fixed: - If the DEFAULT_SUSE cipher list is not available use the HIGH cipher alias before failing. (bsc#1086825) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:974-1 Released: Wed May 23 16:46:50 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323 Description: This update for systemd provides the following fixes: - sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092) - sysusers: Also add support for NIS entries in /etc/shadow. - sysusers: Make sure to reset errno before calling fget*ent(). - coredump: Respect ulimit -c 0 settings. (bsc#1075804) - systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626) - systemctl: Don't mangle unit names in check_unit_generic(). - rules, compat-rules: Fix errors detected by the rule syntax checker. - python: Use raw strings for regexp patterns. - compat-rules: Make path_id_compat build with meson. - compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465) - Fix memory hotplugging. - systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. 
(bsc#1082485) - systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422) - Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:977-1 Released: Wed May 23 17:14:16 2018 Summary: Security update for bash Type: security Severity: moderate References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543 Description: This update for bash fixes the following issues: Security issues fixed: - CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299) - CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396) Non-security issues fixed: - Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:978-1 Released: Wed May 23 17:18:39 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 Description: This update for zlib fixes the following issues: - Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1028-1 Released: Tue Jun 5 13:20:44 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1089884 Description: This update for pam fixes the following issues: - Fix order of accessed configuration files in man page. 
(bsc#1089884) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1077-1 Released: Wed Jun 6 11:44:25 2018 Summary: Security update for glibc Type: security Severity: important References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 Description: This update for glibc fixes the following issues: - CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150) - CVE-2018-11236: Fix overflow in path length computation (bsc#1094161) - CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154) Non security bugs fixed: - Fix crash in resolver on memory allocation failure (bsc#1086690) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1082-1 Released: Thu Jun 7 12:58:56 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1073879,1080078,964063 Description: This update for rpm fixes the following issues: - Backport support for no_recompute_build_ids macro. (bsc#964063) - Fix code execution when evaluating common python-related macros. (bsc#1080078) Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1141-1 Released: Fri Jun 15 13:41:08 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 Description: This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1145-1 Released: Fri Jun 15 19:19:51 2018 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1090765 Description: This update for openssl provides the following fix: - Suggest libopenssl1_0_0-hmac from libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1233-1 Released: Wed Jun 27 12:45:13 2018 Summary: Security update for tiff Type: security Severity: moderate References: 1007276,1074317,1082332,1082825,1086408,1092949,974621,CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905 Description: This update for tiff fixes the following issues: These security issues were fixed: - CVE-2017-18013: There was a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. (bsc#1074317) - CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c allowed remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. 
(bsc#1092949) - CVE-2018-7456: Prevent a NULL Pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825) - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332) - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408) - CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have lead to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality (bsc#1007276) - CVE-2016-3632: The _TIFFVGetField function allowed remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image (bsc#974621) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1242-1 Released: Thu Jun 28 13:44:16 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). 
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1276-1 Released: Thu Jul 5 08:36:17 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1097158,1097624,1098592,CVE-2018-0732 Description: This update for openssl fixes the following issues: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158). 
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1328-1 Released: Tue Jul 17 08:07:57 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1351-1 Released: Thu Jul 19 09:43:21 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1400-1 Released: Thu Jul 26 16:32:29 2018 Summary: Security update for util-linux Type: security Severity: moderate References: 1072947,1078662,1080740,1084300,CVE-2018-7738 Description: This update for util-linux fixes the following issues: This non-security issue was fixed: - CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300). 
These non-security issues were fixed: - Fixed crash loop in lscpu (bsc#1072947). - Fixed possible segfault of umount -a - Fixed mount -a on NFS bind mounts (bsc#1080740). - Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1413-1 Released: Fri Jul 27 12:41:13 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1450-1 Released: Mon Jul 30 10:10:45 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1549-1 Released: Mon Aug 13 13:41:22 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. 
(bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1610-1 Released: Thu Aug 16 14:04:25 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1620-1 Released: Thu Aug 16 14:49:45 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1632-1 Released: Thu Aug 16 15:27:04 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096 Description: This update for systemd fixes the following issues: - core: In --user mode, report READY=1 as soon as basic.target is reached. - sd-bus: Extend D-Bus authentication timeout considerably. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096) - compat-rules: Generate more compat by-id symlinks for NVMe devices. 
(bsc#1095096) - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761) - rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables. - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - device: Skip deserialization of device units when udevd is not running. - install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search preset files in /run. - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890) - logind: Do not use an uninitialized variable. (bsc#1088890) - Disable user services by default. (bsc#1090785) - Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post which made the symlink not owned and more importantly it was created only if /etc/sysctl.conf is already installed which is not always the case during the installation process it seems. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead since it's a distro default behavior that might be overriden by sysadmin later. - systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule that is can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in kernel. This change prevents the udev rules for acpi container be triggered by 'udevadm trigger' from user space. - build-sys: Explicitly require python3. 
(bsc#1082004) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1636-1 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1689-1 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1691-1 Released: Mon Aug 20 09:04:17 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1695-1 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). 
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1698-1 Released: Mon Aug 20 09:19:28 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1834-1 Released: Wed Sep 5 10:17:42 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1089761,1090944,1101040,1103910 Description: This update for systemd fixes the following issues: - cryptsetup: Add support for sector-size= option. (fate#325634) - resolved: Apply epoch to system time from PID 1. (bsc#1103910) - core/service: Rework the hold-off time over message. - core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1838-1 Released: Wed Sep 5 14:08:13 2018 Summary: Optional update for brotli Type: recommended Severity: low References: 1106391 Description: This update supplies the brotli compressor. 
(FATE#326659) It will be used in an nginx container of CAASP 3.0 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1903-1 Released: Fri Sep 14 12:46:21 2018 Summary: Security update for curl Type: security Severity: moderate References: 1089533,1106019,CVE-2018-14618 Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1969-1 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. 
- libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1985-1 Released: Mon Sep 24 11:56:08 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1989-1 Released: Mon Sep 24 12:54:37 2018 Summary: Security update for tiff Type: security Severity: moderate References: 1074186,1092480,983440,CVE-2016-5319,CVE-2017-17942,CVE-2018-10779 Description: This update for tiff fixes the following issues: Security issues fixed: - CVE-2018-10779: Fixed a heap-based buffer overflow in TIFFWriteScanline() in tif_write.c (bsc#1092480) - CVE-2017-17942: Fixed a heap-based buffer overflow in the function PackBitsEncode in tif_packbits.c. 
(bsc#1074186) - CVE-2016-5319: Fixed a beap-based buffer overflow in bmp2tiff (bsc#983440) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1991-1 Released: Mon Sep 24 12:55:19 2018 Summary: Security update for gd Type: security Severity: moderate References: 1105434,CVE-2018-1000222 Description: This update for gd fixes the following issues: Security issue fixed: - CVE-2018-1000222: Fixed a double free vulnerability in gdImageBmpPtr() that could result in remote code execution. This could have been exploited via a specially crafted JPEG image files. (bsc#1105434) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1994-1 Released: Mon Sep 24 12:55:57 2018 Summary: Security update for shadow Type: security Severity: moderate References: 1106914 Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2069-1 Released: Fri Sep 28 08:01:25 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737 Description: This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. 
An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2162-1 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1088921 Description: This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2181-1 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). 
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2196-1 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2202-1 Released: Thu Oct 11 20:46:27 2018 Summary: Security update for libX11 and libxcb Type: security Severity: moderate References: 1094327,1102062,1102068,1102073,CVE-2018-14598,CVE-2018-14599,CVE-2018-14600 Description: This update for libX11 and libxcb fixes the following issue: libX11: These security issues were fixed: - CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062). - CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068). 
- CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073). This non-security issue was fixed: - Make use of the new 64-bit sequence number API in XCB 1.11.1 to avoid the 32-bit sequence number wrap in libX11 (bsc#1094327). libxcb: - Expose 64-bit sequence number from XCB API so that Xlib and others can use it even on 32-bit environment. (bsc#1094327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2217-1 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1094121,1107430 Description: This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crash due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. - Avoid `xtrace' attack over $PS4. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2373-1 Released: Mon Oct 22 14:43:47 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1077692,943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). 
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This non-security issue was fixed: - Use ksym-provides tool [bsc#1077692] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2375-1 Released: Mon Oct 22 15:30:22 2018 Summary: Security update for tiff Type: security Severity: moderate References: 1106853,1108627,1108637,1110358,CVE-2017-11613,CVE-2017-9935,CVE-2018-16335,CVE-2018-17100,CVE-2018-17101,CVE-2018-17795 Description: This update for tiff fixes the following issues: - CVE-2018-17100: There is an int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637) - CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627) - CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358) - CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. 
(bsc#1106853) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2435-1 Released: Wed Oct 24 14:42:43 2018 Summary: Recommended update for systemd Type: recommended Severity: important References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901 Description: This update for systemd fixes the following issues: - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254) - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753) - socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901) - user@.service: don't kill user manager at runlevel switch (bsc#1091677) - units: make sure user@.service runs with dbus still up - fix race between daemon-reload and other commands (bsc#1105031) - nspawn: always use mode 555 for /sys (bsc#1107640) - cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990) - Enable or disable machines.target according to the presets (bsc#1107941) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2475-1 Released: Thu Oct 25 16:56:24 2018 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1099982,1109877,408814,556664,939392 Description: This update for libzypp fixes the following issues: - Add filesize check for downloads with known size (bsc#408814) - Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664) - Fix blocking 
wait for finished child process (bsc#1109877) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2488-1 Released: Fri Oct 26 12:39:59 2018 Summary: Recommended update for cpio Type: recommended Severity: low References: 1076810,889138 Description: This update for cpio provides the following fix: - Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2516-1 Released: Mon Oct 29 16:14:48 2018 Summary: Recommended update for console-setup, kbd Type: recommended Severity: moderate References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958 Description: This update for kbd and console-setup provides the following fixes: Changes in console-setup: - Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426) - Make the package build reproducible. (bsc#1062303) - Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942) Changes in kbd: - Update to version 2.0.4, including the following fixes (FATE#325454): * Disable characters greater than or equal to =U+F000 as they do not work properly. (bsc#1085432) * Move initial NumLock handling from systemd back to kbd: * Add kbdsettings service. (bsc#1010880) * Exclude numlockbios support for non x86 platforms * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880) * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454) * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468) * Add vlock.pamd PAM file. (bsc#1056449) * Enable vlock (bsc#1056449). * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that needs this to be present. 
(bsc#1027379) * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958) * Fix missing dependency on coreutils for initrd macros. (bsc#958562) * Call missing initrd macro at postun. (bsc#958562) * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426) * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426) * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426) * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign. (bsc#360993) * Drop doshell reference from openvt.1 man page. (bsc#675317) * Drop the --userwait option as it is not used. (bsc#830805) * Fix a typo in the mac-querty-layout.inc. (bsc#825385) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2525-1 Released: Tue Oct 30 09:22:45 2018 Summary: Recommended update for bash Type: recommended Severity: important References: 1113117 Description: This update for bash fixes the following issue: A recently released update introduced a change of behavior that broke customer scripts. 
(bsc#1113117) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2563-1 Released: Fri Nov 2 17:09:49 2018 Summary: Security update for curl Type: security Severity: moderate References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842 Description: This update for curl fixes the following issues: - CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758) - CVE-2018-16842: An out-of-bounds read in tool_msgs.c that could lead to crashes was fixed (bsc#1113660) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2567-1 Released: Fri Nov 2 18:59:06 2018 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1047937,1057150,1057900,1099452,906858 Description: This update for apparmor provides the following fixes: - Add profile for usr.bin.lessopen.sh (bsc#906858) - Fix dovecot apparmor profile (bsc#1057150) - Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937) - Fix the traceroute profile to allow ipv6 usage (bsc#1057900) - Fix duplicate entry of capability when performing aa-logprof (bsc#1099452) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2593-1 Released: Wed Nov 7 11:04:00 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1095148,1113100 Description: This update for rpm fixes the following issues: - Fix superfluous TOC. 
dependency on PowerPC64 (bsc#1113100) - Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2659-1 Released: Wed Nov 14 14:14:41 2018 Summary: Security update for systemd Type: security Severity: important References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non-security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - socket-util: introduce port argument in sockaddr_port() - service: fixup ExecStop for socket-activated shutdown (#4120) - service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923) - cryptsetup: build fixes for 'add support for sector-size= option' - udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278) - core: keep the kernel coredump 
defaults when systemd-coredump is disabled - core: shorten main() a bit, split out coredump initialization - core: set RLIMIT_CORE to unlimited by default (bsc#1108835) - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - tmp.mount.hm4: After swap.target (#3087) - Ship systemd-sysv-install helper via the main package. This script was part of the systemd-sysvinit sub-package, which was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2760-1 Released: Thu Nov 22 16:25:38 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652). - CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534). - Add missing timing side channel patch for DSA signature generation (bsc#1113742). Non-security issues fixed: - Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2766-1 Released: Fri Nov 23 17:07:27 2018 Summary: Security update for rpm Type: security Severity: important References: 943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS, they have already been released for SUSE Linux Enterprise Server 12 SP3. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1697-1 Released: Fri Nov 23 17:08:32 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. 
(bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1696-1 Released: Mon Nov 26 17:46:39 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2782-1 Released: Mon Nov 26 17:46:59 2018 Summary: Security update for tiff Type: security Severity: moderate References: 1099257,1113094,1113672,CVE-2018-12900,CVE-2018-18557,CVE-2018-18661 Description: This update for tiff fixes the following issues: Security issues fixed: - CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257). 
- CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672). - CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094). Non-security issues fixed: - asan_build: build ASAN included - debug_build: build more suitable for debugging ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1618-1 Released: Tue Nov 27 13:39:49 2018 Summary: Security update for util-linux Type: security Severity: moderate References: 1072947,1078662,1080740,1084300,CVE-2018-7738 Description: This update for util-linux fixes the following issues: This security issue was fixed: - CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300). These non-security issues were fixed: - Fixed crash loop in lscpu (bsc#1072947). - Fixed possible segfault of umount -a - Fixed mount -a on NFS bind mounts (bsc#1080740). - Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2824-1 Released: Mon Dec 3 15:34:09 2018 Summary: Security update for ncurses Type: security Severity: important References: 1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issue: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2836-1 Released: Wed Dec 5 09:29:31 2018 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1111965,1113125 Description: This update for apparmor fixes the following issues: - Systemd aware apparmor.spec, remove old insserv from spec file (bsc#1113125) - Fix warnings produced because of use of uninitialized variables (bsc#1111965) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2840-1 Released: Wed Dec 5 09:57:54 2018 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1028304,1047247,1050467,1097665,1111251 Description: This update for permissions fixes the following issues: - Allow setuid root for start-suid tool of singularity (group only) bsc#1028304 - Allow setuid root for authbind binary (bsc#1111251) - An incorrect error message was adjusted (bsc#1047247 bsc#1097665) - Make btmp root:utmp (bsc#1050467) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2841-1 Released: Wed Dec 5 09:59:45 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1105236,1110661,1112858 Description: This update for glibc fixes the following issues: - Added more checks for valid ld.so.cache file (bsc#1110661) - Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858) - Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2906-1 Released: Tue Dec 11 21:48:05 2018 Summary: Recommended update for blog Type: recommended Severity: moderate References: 1071568 Description: This update for blog fixes the following issues: - Hardening of the console list generation (bsc#1071568) - Changed description of blog-plymouth in same manner as used by the release notes 
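The patch records in this container advisory all share one layout (Advisory ID, Released, Summary, Type, Severity, References, Description, separated by dashed rules), and the question a reviewer of an image update actually asks is which CVEs the new image carries fixes for and at what severity. The following Python is an added example, not part of this archive and not SUSE's own tooling, that parses records in that layout and answers that question. SAMPLE is a constructed, abridged excerpt of three records from this digest; the field names and dashed separator are the page's own, while the function names and the low < moderate < important < critical ranking are the example's assumptions. It takes the fixed CVEs from the References field only, because the prose can name a CVE it does not fix (the tiff record says "a different vulnerability than CVE-2018-15209"), and reports such prose-only mentions separately for manual review.

```python
"""Parse SUSE container-update digest records and triage their security fixes.

Added example for this page (not SUSE tooling). SAMPLE below is a constructed,
abridged excerpt of three records from the digest; the parser is whitespace
agnostic, so the flattened one-line rendering in the archive parses the same.
"""
import re
from dataclasses import dataclass

# Assumed ordering of SUSE's severity labels (example's assumption).
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}
SEPARATOR = re.compile(r"-{20,}")           # the dashed rule between records
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BSC_RE = re.compile(r"bsc#(\d+)")
FIELD_RE = re.compile(
    r"Advisory ID:\s*(?P<id>\S+)\s+"
    r"Released:\s*(?P<released>.*?)\s+"
    r"Summary:\s*(?P<summary>.*?)\s+"
    r"Type:\s*(?P<type>\w+)\s+"
    r"Severity:\s*(?P<severity>\w+)\s+"
    r"References:\s*(?P<refs>(?!Description:)\S*)\s+"   # may be empty
    r"Description:\s*(?P<desc>.*)",
    re.DOTALL,
)

SAMPLE = """\
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2375-1
Released: Mon Oct 22 15:30:22 2018
Summary: Security update for tiff
Type: security
Severity: moderate
References: 1106853,1108627,CVE-2018-16335,CVE-2018-17101
Description:
This update for tiff fixes the following issues:
- CVE-2018-17101: There are two out-of-bounds writes in cpTags (bsc#1108627)
- CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip
  allowed a heap-based buffer overflow. This is a different vulnerability
  than CVE-2018-15209. (bsc#1106853)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released: Fri Nov 2 18:59:06 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1047937,906858
Description:
This update for apparmor provides the following fixes:
- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix creating profile rules from scanned logs (bsc#1047937)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released: Mon Dec 3 15:34:09 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:
- CVE-2018-19211: NULL pointer dereference in _nc_parse_entry (bsc#1115929).
"""


@dataclass
class Advisory:
    advisory_id: str
    released: str
    package: str
    type: str
    severity: str
    cves: list            # CVEs the References field commits to fixing
    bugs: list            # bsc numbers from References and Description
    mentioned_cves: list  # CVEs named only in prose; not claimed as fixed


def parse_digest(text):
    """Split on the dashed rules and extract one Advisory per record found."""
    records = []
    for chunk in SEPARATOR.split(text):
        m = FIELD_RE.search(chunk)
        if m is None:
            continue  # container header, mail header or free text
        refs = [r for r in m["refs"].split(",") if r]
        desc = m["desc"]
        ref_cves = sorted(r for r in refs if CVE_RE.fullmatch(r))
        bugs = sorted({r for r in refs if r.isdigit()} | set(BSC_RE.findall(desc)))
        pkg = re.search(r"update (?:for|of) (.+)", m["summary"])
        records.append(Advisory(
            advisory_id=m["id"],
            released=m["released"],
            package=pkg.group(1).strip() if pkg else m["summary"].strip(),
            type=m["type"].lower(),
            severity=m["severity"].lower(),
            cves=ref_cves,
            bugs=bugs,
            mentioned_cves=sorted(set(CVE_RE.findall(desc)) - set(ref_cves)),
        ))
    return records


def security_triage(records):
    """Map each CVE fixed by a security record to the highest severity assigned."""
    worst = {}
    for adv in records:
        if adv.type != "security":
            continue
        for cve in adv.cves:
            if cve not in worst or SEVERITY_RANK.get(adv.severity, -1) > SEVERITY_RANK.get(worst[cve], -1):
                worst[cve] = adv.severity
    return worst


def needs_review(records):
    """Records whose prose names CVEs the References field does not claim to fix."""
    return {adv.advisory_id: adv.mentioned_cves for adv in records if adv.mentioned_cves}


if __name__ == "__main__":
    advisories = parse_digest(SAMPLE)
    for cve, sev in sorted(security_triage(advisories).items()):
        print(f"{cve}\t{sev}")
    print("manual review:", needs_review(advisories))
```

Feeding the whole mail body to parse_digest works as well: the container header ("Container Advisory ID : ...") and the mail headers do not match FIELD_RE and are skipped, and the per-record References field, not the image-level one, decides what counts as fixed.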
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2947-1 Released: Mon Dec 17 08:51:28 2018 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,CVE-2017-17740 Description: This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2991-1 Released: Wed Dec 19 14:17:13 2018 Summary: Security update for tiff Type: security Severity: moderate References: 1017693,1054594,1115717,990460,CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210 Description: This update for tiff fixes the following issues: Security issues fixed: - CVE-2018-19210: Fixed NULL pointer dereference in the TIFFWriteDirectorySec function (bsc#1115717). - CVE-2017-12944: Fixed denial of service issue in the TIFFReadDirEntryArray function (bsc#1054594). - CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc function (bsc#1017693). - CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy function (bsc#1017693). - CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits function (bsc#1017693). - CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:3029-1 Released: Fri Dec 21 17:34:05 2018 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1117355 Description: This update for libgcrypt provides the following fix: - Fail selftests when checksum file is missing in FIPS mode only. 
(bsc#1117355) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:43-1 Released: Tue Jan 8 13:07:17 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 Description: This update for acl fixes the following issues: - quote: Escape literal backslashes (bsc#953659). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:111-1 Released: Thu Jan 17 14:18:31 2019 Summary: Security update for krb5 Type: security Severity: important References: 1120489,CVE-2018-20217 Description: This update for krb5 fixes the following issues: Security issue fixed: - CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:135-1 Released: Mon Jan 21 13:53:58 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866 Description: This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - core: Queue loading transient units after setting their properties. (bsc#1115518) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - terminal-util: introduce vt_release() and vt_restore() helpers. - terminal: Unify code for resetting kbd utf8 mode a bit. - terminal: Reset should honour default_utf8 kernel setting. - logind: Make session_restore_vt() static. - udev: Downgrade message when setting inotify watch up fails. 
(bsc#1005023) - log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:143-1 Released: Tue Jan 22 14:21:55 2019 Summary: Recommended update for ncurses Type: recommended Severity: important References: 1121450 Description: This update for ncurses fixes the following issues: - ncurses applications freezing (bsc#1121450) From sle-updates at lists.suse.com Thu Jan 16 09:55:53 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 17:55:53 +0100 (CET) Subject: SUSE-CU-2020:17-1: Recommended update of suse/sles12sp3 Message-ID: <20200116165553.F411AF796@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp3 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:17-1 Container Tags : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.100 , suse/sles12sp3:latest Severity : important Type : recommended References : 1155338 1155339 ----------------------------------------------------------------- The container suse/sles12sp3 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:106-1 Released: Wed Jan 15 12:50:55 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1155338,1155339 Description: This update for libgcrypt fixes the following issues: - Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode - Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338) From sle-updates at lists.suse.com Thu Jan 16 10:01:25 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 18:01:25 +0100 (CET) Subject: SUSE-CU-2019:733-1: Security update of caasp/v4/salt-minion Message-ID: <20200116170125.6EB53F798@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/salt-minion ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:733-1 Container Tags : caasp/v4/salt-minion:2018.3.0 , caasp/v4/salt-minion:2018.3.0-rev1 , caasp/v4/salt-minion:2018.3.0-rev1-build1.2 Severity : important Type : security References : 1000396 1000662 1000677 1001299 1001377 1001790 1001912 1002529 1002576 1002895 1002895 1002895 1002975 1003449 1003449 1003577 1003579 1003580 1003714 1003978 1004047 1004047 1004094 1004260 1004260 1004289 1004723 1004723 1004995 1004995 1004995 1005023 1005063 1005404 1005544 1005633 1005634 1005635 1005637 1005638 1005640 1005642 1005643 1005645 1005646 1006175 1006372 1006469 1006687 1006690 1007851 1008325 1008933 1009269 1009470 1009528 1009532 1009745 1009905 1009966 1010220 1010675 1010845 1010880 1011304 1011800 1012266 1012390 1012398 1012523 1012591 1012818 1012973 1012999 1013286 1013882 1013930 1013989 1014471 1014560 1014566 1014873 1015254 1015332 1015515 1015565 1015943 1017034 1017078 1017078 1017420 1017497 1018214 1018399 1019276 1019386 1019470 1019518 1019637 
1019637 1019900 1020108 1020143 1020601 1020831 1021641 1022014 1022047 1022085 1022086 1022271 1022562 1022841 1023283 1023535 1023895 1024989 1025034 1025176 1025398 1025560 1025598 1025630 1025886 1025896 1026224 1026567 1026825 1027044 1027079 1027240 1027240 1027282 1027379 1027688 1027712 1027722 1027722 1027908 1027925 1028263 1028281 1028304 1028304 1028305 1028410 1028485 1028610 1028723 1029102 1029102 1029183 1029516 1029516 1029523 1029561 1029691 1029725 1029900 1030009 1030009 1030073 1030290 1030621 1031355 1031643 1031702 1031998 1032029 1032029 1032213 1032309 1032445 1032452 1032538 1032660 1032680 1032931 1033238 1033238 1033855 1034563 1034565 1035062 1035371 1035386 1035445 1035818 1035912 1035914 1036125 1036125 1036304 1036659 1036736 1036873 1036873 1037120 1037120 1037396 1037824 1037930 1038189 1038194 1038444 1038855 1038865 1038865 1038984 1038984 1039063 1039063 1039064 1039064 1039066 1039066 1039069 1039069 1039099 1039099 1039276 1039357 1039370 1039661 1039661 1039941 1040043 1040153 1040153 1040258 1040258 1040584 1040614 1040614 1040800 1040886 1040942 1040942 1040968 1040968 1040968 1041764 1041993 1042326 1042392 1042749 1042781 1043059 1043111 1043218 1043237 1043333 1043333 1043580 1043615 1043758 1043758 1043886 1043900 1043900 1044095 1044107 1044175 1044337 1044840 1044887 1044894 1045092 1045290 1045290 1045384 1045472 1045628 1045735 1045735 1045735 1045943 1045987 1046173 1046173 1046268 1046417 1046607 1046659 1046750 1046750 1046853 1046853 1046858 1046858 1047008 1047178 1047233 1047236 1047240 1047247 1047379 1047666 1047785 1047785 1047937 1047964 1047965 1048315 1048510 1048605 1048605 1048645 1048679 1049344 1049825 1050003 1050003 1050152 1050467 1050767 1050943 1051042 1051465 1051626 1051643 1051644 1051791 1051948 1052261 1052264 1053137 1053188 1053376 1053409 1053595 1053671 1053955 1054028 1054088 1054171 1054671 1055446 1055641 1055825 1055920 1056058 1056126 1056127 1056127 1056128 1056128 1056129 1056129 
-----------------------------------------------------------------
The container caasp/v4/salt-minion was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Type: security
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:4-1
Released: Wed Dec 3 15:57:25 2014
Summary: Security update for libyaml
Type: security
Severity: moderate
References: 907809,CVE-2014-9130
Description:
This libyaml update fixes the following security issue:
- bnc#907809: assert failure when processing wrapped strings (CVE-2014-9130)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Type: security
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Type: security
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with spaces.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released: Tue Feb 3 14:51:17 2015
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 913209
Description:
curl was updated to fix problems when operating in FIPS mode. This patch re-enables the following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released: Tue Feb 3 16:30:16 2015
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer overread and to a crash of the application using libssh2_org.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:208-1
Released: Thu Mar 12 10:43:10 2015
Summary: Security update for python-PyYAML
Type: security
Severity: moderate
References: 921588,CVE-2014-9130
Description:
python-PyYAML was updated to fix one security issue which could have allowed an attacker to cause a denial of service by supplying specially crafted strings.

The following issue was fixed:
- #921588: python-PyYAML: assert failure when processing wrapped strings (equivalent to CVE-2014-9130 in LibYAML)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:143-1
Released: Mon Mar 23 21:46:58 2015
Summary: Initial release of SUSE Enterprise Storage client
Type: optional
Severity: low
References: 913799,914521,917309
Description:
This update provides the functionality required for SUSE Linux Enterprise Server 12 to act as a client for SUSE Enterprise Storage.

qemu can now use storage provided by the SUSE Enterprise Storage Ceph cluster via the RADOS Block Device (rbd) backend.

Applications can now be enhanced to directly incorporate object or block storage backed by the SUSE Enterprise Storage cluster, by linking with the librados and librbd client libraries.

Also included is the rbd tool to manage RADOS block devices mapped via the rbd kernel module, for use as a standard generic block device.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.
The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of boundary
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Type: security
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:

Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Type: recommended
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Type: optional
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.

Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes.

The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).

The GNU Debugger gdb was updated to version 7.9.1 bringing various features and lots of bugfixes. Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:556-1
Released: Tue Aug 4 14:52:55 2015
Summary: Recommended update for python-requests
Type: recommended
Severity: moderate
References: 935252
Description:
python-requests was updated to use the system CA certificate store.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:

Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)

Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:499-1
Released: Mon Aug 31 11:55:14 2015
Summary: Security update for zeromq
Type: security
Severity: moderate
References: 912460,931978,CVE-2014-9721
Description:
zeromq was updated to fix one security issue and one non-security bug.
The following vulnerability was fixed:
* CVE-2014-9721: zeromq protocol downgrade attack on sockets using the ZMTP v3 protocol (boo#931978)

The following bug was fixed:
* boo#912460: avoid the curve test hanging on the ppc, ppc64 and ppc64le architectures

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Type: recommended
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-UTF-8 data.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:727-1
Released: Wed Oct 7 09:26:23 2015
Summary: Recommended update for cloud-init
Type: recommended
Severity: low
References: 948930,948995,948996
Description:
cloud-init uses the Jinja2 Python module to generate configuration files from templates, but this dependency was not defined in the package's spec file. This update adds the missing requirement to cloud-init.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:776-1
Released: Fri Oct 30 08:06:58 2015
Summary: Recommended update for libyaml
Type: recommended
Severity: low
References: 952625
Description:
This update adjusts libyaml's packaging to require pkg-config at build time.

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:817-1
Released: Fri Nov 6 23:42:46 2015
Summary: Initial release of python-azurectl
Type: optional
Severity: low
References: 946907
Description:
This update provides a set of command line tools to interact with the Microsoft Azure public cloud framework.

Refer to the azurectl(1) man page, included in python-azurectl, for comprehensive documentation and usage instructions.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:834-1
Released: Thu Nov 12 13:52:22 2015
Summary: Recommended update for python-Twisted
Type: recommended
Severity: moderate
References: 940813
Description:
python-Twisted has been updated to version 15.2.1, which brings several fixes and enhancements such as:
- twisted.positioning, a new API for positioning systems such as GPS, has been added. It comes with an implementation of NMEA, the most common wire protocol for GPS devices. It will supersede twisted.protocols.gps.
- IReactorUDP.listenUDP, IUDPTransport.write and IUDPTransport.connect now accept ipv6 address literals.
- A new API, twisted.internet.ssl.optionsForClientTLS, allows clients to specify and verify the identity of the peer they're communicating with. When used with the service_identity library from PyPI, this provides support for service identity verification from RFC 6125, as well as server name indication from RFC 6066.
- Twisted's TLS support now provides a way to ask for user-configured trust roots rather than having to manually configure such certificate authority certificates.
- twisted.internet.ssl.CertificateOptions now supports ECDHE for servers by default on pyOpenSSL 0.14 and later, if the underlying versions of cryptography.io and OpenSSL support it.
- twisted.internet.ssl.CertificateOptions now allows the user to set acceptable ciphers and uses secure ones by default.
- The new package twisted.logger provides a new, fully tested, and feature-rich logging framework. The old module twisted.python.log is now implemented using the new framework.
- twisted.conch.ssh.forwarding now supports local->remote forwarding of IPv6.
- twisted.mail.smtp.sendmail now uses ESMTP. It will opportunistically enable encryption and allow the use of authentication.
- twisted.internet.ssl.CertificateOptions now enables TLSv1.1 and TLSv1.2 by default (in addition to TLSv1.0) if the underlying version of OpenSSL supports these protocol versions.
- twisted.internet.ssl.CertificateOptions now supports Diffie-Hellman key exchange.
- twisted.internet.ssl.CertificateOptions now disables TLS compression to avoid CRIME attacks and, for servers, uses server preference to choose the cipher.
- MSN protocol support has been marked as deprecated.
- Removed deprecated UDPClient.
- Better support and integration with Python 3.

For a comprehensive list of changes, please refer to the file NEWS shipped within the package.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Type: security
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out-of-bounds read and a stack overflow (bsc#926826).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Type: recommended
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released: Fri Jan 8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type: recommended
Severity: moderate
References: 932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.

The various GNOME libraries and tools have been changed to use the default libgcrypt allocators. GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:80-1
Released: Wed Jan 13 21:05:28 2016
Summary: Security update for python-requests
Type: security
Severity: moderate
References: 922448,929736,961596,CVE-2015-2296
Description:
The python-requests module has been updated to version 2.8.1, which brings several fixes and enhancements:
- Fix handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL, exposing requests users to session fixation attacks and potentially cookie stealing. (bsc#922448, CVE-2015-2296)
- Add support for per-host proxies. This allows the proxies dictionary to have entries of the form {'://': ''}. Host-specific proxies will be used in preference to the previously-supported scheme-specific ones, but the previous syntax will continue to work.
- Update certificate bundle to match 'certifi' 2015.9.6.2's weak certificate bundle.
- Response.raise_for_status now prints the URL that failed as part of the exception message.
- requests.utils.get_netrc_auth now takes a raise_errors kwarg, defaulting to False. When True, errors parsing .netrc files cause exceptions to be thrown.
- Change to bundled projects import logic to make it easier to unbundle requests downstream.
- Change the default User-Agent string to avoid leaking data on Linux: now contains only the requests version.
- The json parameter to post() and friends will now only be used if neither data nor files are present, consistent with the documentation.
- Empty fields in the NO_PROXY environment variable are now ignored.
- Fix problem where httplib.BadStatusLine would get raised if combining stream=True with contextlib.closing.
- Prevent bugs where we would attempt to return the same connection back to the connection pool twice when sending a Chunked body.
- Digest Auth support is now thread safe.
- Resolved several bugs involving chunked transfer encoding and response framing.
- Copy a PreparedRequest's CookieJar more reliably.
- Support bytearrays when passed as parameters in the 'files' argument.
- Avoid data duplication when creating a request with 'str', 'bytes', or 'bytearray' input to the 'files' argument.
- 'Connection: keep-alive' header is now sent automatically.
- Support for connect timeouts. Timeout now accepts a tuple (connect, read) which is used to set individual connect and read timeouts.

For a comprehensive list of changes please refer to the package's change log or the Release Notes at http://docs.python-requests.org/en/latest/community/updates/#id3

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released: Thu Feb 4 15:51:22 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released: Thu Mar 3 15:58:18 2016
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 960820
Description:
This update for insserv-compat fixes the name of the ntpd service.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:

Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.
A feature was added: - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed: - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:462-1 Released: Wed Mar 16 18:17:59 2016 Summary: Recommended update for libcap Type: recommended Severity: low References: 967838 Description: This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:543-1 Released: Fri Apr 1 18:44:16 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 970882 Description: This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:565-1 Released: Wed Apr 6 16:26:42 2016 Summary: Security update for gcc5 Type: security Severity: moderate References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276 Description: The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements. The following security issue has been fixed: - Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842) The following non-security issues have been fixed: - Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220) - Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468) - Fix HTM built-ins on PowerPC. (bsc#955382) - Fix libgo certificate lookup. (bsc#953831) - Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. 
(bsc#939460) - Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002) - Revert accidental libffi ABI breakage on aarch64. (bsc#968771) - On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586. - Add experimental File System TS library. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:636-1 Released: Mon Apr 18 09:18:19 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 965902,CVE-2015-7511 Description: libgcrypt was updated to fix one security issue. This security issue was fixed: - CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:643-1 Released: Tue Apr 19 09:23:39 2016 Summary: Recommended update for bzip2 Type: recommended Severity: low References: 970260 Description: This update for bzip2 fixes the following issues: - Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:652-1 Released: Wed Apr 20 10:34:05 2016 Summary: Recommended update for SUSE Manager Client Tools Type: recommended Severity: moderate References: 956981,970550,970989,974864,975093 Description: This update for SUSE Manager Client Tools provides the following new features: - Integrate SaltStack for configuration management. (fate#312447) - Replace upstream subscription counting with new subscription matching. (fate#311619) This update fixes the following issues: osad: - Fix file permissions. (bsc#970550) - Add possibility for OSAD to work in failover mode. rhn-custom-info: - Version update. rhn-virtualization: - Version update. rhncfg: - Fix file permissions. (bsc#970550) - Fix removal of temporary files during transaction rollback for rhncfg-manager. 
- Fix removal of directories which rhncfg-manager didn't create. - Remove temporary files when exception occurs. - Make rhncfg support sha256 and use it by default. - Fix for assigning all groups user belongs to running process. - Show server modified time with rhncfg-client diff. rhnlib: - Use TLSv1_METHOD in SSL Context. (bsc#970989) rhnpush: - Don't count on having newest rhn-client-tools. - Allow to use existing rpcServer when creating RhnServer. - Wire in timeout for rhnpush. spacecmd: - Text description missing for remote command by Spacecmd. - Added functions to add/edit SSL certificates for repositories. - Mimetype detection to set the binary flag requires 'file' tool. - Always base64 encode to avoid trim() bugs in the XML-RPC library. - Replace upstream subscription counting with new subscription matching. (fate#311619) spacewalk-backend: - Version update. spacewalk-client-tools: - Convert dbus.Int32 to int to fix a TypeError during registration. (bsc#974864) - Fix client registration for network interfaces with labels. (bsc#956981) - Show a descriptive message on reboot. - Replace upstream subscription counting with new subscription matching. (fate#311619) spacewalk-koan: - Fix file permissions. (bsc#970550) - Switch to KVM if possible. spacewalk-oscap: - Still require openscap-utils on RHEL5. spacewalk-remote-utils: - Add RHEL 7.2 channel definitions. - Update RHEL 6.7 and 7.1 channel definitions. - Use hostname instead of localhost for https connections. - Spacewalk-create-channel added -o option to clone channel to current state. spacewalksd: - Delete file with input files after template is created. suseRegisterInfo: - Fix file permissions. 
(bsc#970550) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:697-1 Released: Thu Apr 28 16:03:24 2016 Summary: Recommended update for libssh2_org Type: recommended Severity: important References: 974691 Description: This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex(). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:589-1 Released: Mon May 2 15:01:37 2016 Summary: Security update for python-tornado Type: security Severity: moderate References: 930361,930362,974657,CVE-2014-9720 Description: The python-tornado module was updated to version 4.2.1, which brings several fixes, enhancements and new features. The following security issues have been fixed: - A path traversal vulnerability in StaticFileHandler, in which files whose names started with the static_path directory but were not actually in that directory could be accessed. - The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720) - The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be more secure. (bsc#930361) The following enhancements have been implemented: - SSLIOStream.connect and IOStream.start_tls now validate certificates by default. - Certificate validation will now use the system CA root certificates. - The default SSL configuration has become stricter, using ssl.create_default_context where available on the client side. - The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and FriendFeedMixin have been removed. - New modules have been added: tornado.locks and tornado.queues. 
- The tornado.websocket module now supports compression via the 'permessage-deflate' extension. - Tornado now depends on the backports.ssl_match_hostname when running on Python 2. For a comprehensive list of changes, please refer to the release notes: - http://www.tornadoweb.org/en/stable/releases/v4.2.0.html - http://www.tornadoweb.org/en/stable/releases/v4.1.0.html - http://www.tornadoweb.org/en/stable/releases/v4.0.0.html - http://www.tornadoweb.org/en/stable/releases/v3.2.0.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:797-1 Released: Thu May 19 13:26:11 2016 Summary: Recommended update for python-futures Type: recommended Severity: low References: 974993 Description: This update for python-futures provides version 3.0.2 required from python-s3transfer (fate#320748) and fixes the following issues: - Made multiprocessing optional again on implementations other than just Jython - Made Executor.map() non-greedy - Dropped Python 2.5 and 3.1 support - Removed the deprecated 'futures' top level package - Remove CFLAGS: this is a python only module - Remove futures from package files: not provided anymore - Added the set_exception_info() and exception_info() methods to Future to enable extraction of tracebacks on Python 2.x - Added support for Future.set_exception_info() to ThreadPoolExecutor ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:801-1 Released: Thu May 19 22:38:01 2016 Summary: Recommended update for curl Type: recommended Severity: moderate References: 915846 Description: This update for curl fixes the following issue: - Fix 'Network is unreachable' error when ipv6 is not available but ipv4. This fixes the same error in applications using libcurl4 (like zypper). 
(bsc#915846) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:835-1 Released: Wed May 25 18:27:30 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 979629 Description: This update for libgcrypt fixes the following issue: - Fix failing reboot after installing fips pattern (bsc#979629) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:898-1 Released: Tue Jun 7 09:48:12 2016 Summary: Security update for expat Type: security Severity: important References: 979441,980391,CVE-2015-1283,CVE-2016-0718 Description: This update for expat fixes the following issues: Security issue fixed: - CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441) - CVE-2015-1283: Fix multiple integer overflows. (bnc#980391) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:900-1 Released: Tue Jun 7 10:58:37 2016 Summary: Security update for libksba Type: security Severity: moderate References: 979261,979906,CVE-2016-4574,CVE-2016-4579 Description: This update for libksba fixes the following issues: - CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl() - CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261) Also adding reliability fixes from v1.3.4. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:984-1 Released: Wed Jun 22 11:11:35 2016 Summary: Recommended update for SUSE Manager Server, Proxy and Client Tools Type: recommended Severity: moderate References: 964932,969320,971372,973418,975303,975306,975733,975757,976148,976826,977264,978833,979313,979676,980313 Description: This update fixes the following issues for the SUSE Manager Server 3.0 and Client Tools: zypp-plugin-spacewalk: - Fix failover for multiple URLs per repo. 
(bsc#964932) The following issues for SUSE Manager Proxy 3.0 and Client Tools have been fixed: cobbler: - Remove grubby-compat because perl-Bootloader gets dropped. - Disabling 'get-loaders' command and 'check' fixed. (bsc#973418) - Add logrotate file for cobbler. (bsc#976826) Additionally the following issues for the SUSE Linux Enterprise 12 Clienttools have been fixed: salt: - Remove option -f from startproc. (bsc#975733) - Changed Zypper's plugin. Added Unit test and related to that data. (bsc#980313) - Zypper plugin: alter the generated event name on package set change. - Fix file ownership on master keys and cache directories during upgrade. (handles upgrading from salt 2014, where the daemon ran as root, to 2015 where it runs as the salt user, bsc#979676) - Salt-proxy .service file created. (bsc#975306) - Prevent salt-proxy test.ping crash. (bsc#975303) - Fix shared directories ownership issues. - Add Zypper plugin to generate an event, once Zypper is used outside the Salt infrastructure demand. (bsc#971372) - Restore boolean values from the repo configuration - Fix priority attribute (bsc#978833) - Unblock-Zypper. (bsc#976148) - Modify-environment. (bsc#971372) - Prevent crash if pygit2 package is requesting re-compilation. - Align OS grains from older SLES with current one. (bsc#975757) - Bugfix: salt-key crashes if tries to generate keys to the directory w/o write access. (bsc#969320) spacecmd: - Make spacecmd createRepo compatible with SUSE Manager 2.1 API. (bsc#977264) spacewalk-backend: - Better error message for system that is already registered as minion. - Fix GPG bad signature detection and improve error messages. (bsc#979313) - Send and save machine_id on traditional registration. - Add machine info capability spacewalk-client-tools: - Send and save machine_id on traditional registration. - Send machine info only if server has machine info capability. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:987-1 Released: Wed Jun 22 14:32:18 2016 Summary: Recommended update for procps Type: recommended Severity: low References: 981616 Description: This update for procps fixes the following issues: - Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1028-1 Released: Thu Jul 7 11:50:47 2016 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 986935 Description: This update for findutils fixes the following issues: - find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1126-1 Released: Sat Jul 30 00:39:03 2016 Summary: Recommended update for kmod Type: recommended Severity: low References: 983754,989788 Description: This update for kmod fixes libkmod to handle very long lines in /proc/modules. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1141-1 Released: Wed Aug 3 15:24:30 2016 Summary: Security update for sqlite3 Type: security Severity: moderate References: 987394,CVE-2016-6153 Description: This update for sqlite3 fixes the following issues: The following security issue was fixed: - CVE-2016-6153: Fixed a tempdir selection vulnerability (bsc#987394) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1205-1 Released: Thu Aug 11 15:02:18 2016 Summary: Recommended update for rpm Type: recommended Severity: low References: 829717,894610,940315,953532,965322,967728 Description: This update for rpm provides the following fixes: - Add is_opensuse and leap_version macros to suse_macros. (bsc#940315) - Add option to make postinstall scriptlet errors fatal. (bsc#967728) - Normalize big blocksizes to 4096 bytes. 
(bsc#894610, bsc#829717, bsc#965322) - Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1216-1 Released: Fri Aug 12 18:19:22 2016 Summary: Recommended update for SUSE Manager 3.0 and Client Tools Type: recommended Severity: moderate References: 970669,972311,978150,979448,983017,983512,984622,984998,985661,988506,989193 Description: This consolidated update includes multiple patchinfos for SUSE Manager Server, Proxy and SUSE Enterprise Storage 3. This patchinfo is used for the codestream release only ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1228-1 Released: Tue Aug 16 09:29:01 2016 Summary: Security update for libidn Type: security Severity: moderate References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263 Description: This update for libidn fixes the following issues: - CVE-2016-6262 and CVE-2015-8948: Out-of-bounds-read when reading one zero byte as input (bsc#990189) - CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190) - CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8 (bsc#990191) - CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1245-1 Released: Fri Aug 19 10:31:11 2016 Summary: Security update for python Type: security Severity: moderate References: 984751,985177,985348,989523,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699 Description: This update for python fixes the following issues: - CVE-2016-0772: smtplib vulnerability opens startTLS stripping attack (bsc#984751) - CVE-2016-5636: heap overflow when importing malformed zip files (bsc#985177) - CVE-2016-5699: incorrect validation of HTTP headers allow header injection (bsc#985348) - CVE-2016-1000110: 
HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Type: security
Severity: moderate
References: 992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Type: security
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Type: optional
Severity: low
References: 983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.
Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.
Generic Optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.
C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.
C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced.
It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions. C++ improvements: - The default mode has been changed to -std=gnu++14. - C++ Concepts are now supported when compiling with -fconcepts. - -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location. - G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions. - G++ now allows constant evaluation for all non-type template arguments. - G++ now supports C++ Transactional Memory when compiling with -fgnu-tm. libstdc++ improvements: - Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland. - Experimental support for C++17. - An experimental implementation of the File System TS. - Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You. - Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit. Fortran improvements: - Fortran 2008 SUBMODULE support. - Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support. - Improved support for Fortran 2003 deferred-length character variables. - Improved support for OpenMP and OpenACC. - The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0. - The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind. 
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default. Architecture improvements: - AArch64 received a lot of improvements. IA-32/x86-64 improvements: - GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ. - Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx. - x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment. - Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly. - Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options. PowerPC / PowerPC64 / RS6000 improvements: - PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. 
On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point. - Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available: - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler. - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used. - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add). - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system. - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers. - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions. - -mpower9-minmax: Reserved for future development. - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities. - New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions. - Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later. - All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers. - Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). 
The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed. - GCC on PowerPC now supports the standard lround function. - The 'q', 'S', 'T', and 't' asm-constraints have been removed. - The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed. S/390, System z, IBM z Systems improvements: - Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions. - Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning. - The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.) - Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included. - The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. 
If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released:    Fri Sep 16 17:13:43 2016
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)
Also the following bug was fixed:
- fixing a performance issue (bsc#991746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released:    Wed Sep 21 12:58:14 2016
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1533-1
Released:    Mon Oct 24 14:12:29 2016
Summary:     Recommended update for SUSE Manager Client Tools
Type:        recommended
Severity:    moderate
References:  1002529,986447,986978,990029,990439,990440,990738,991048,993039,993549,994619,996455,998185
Description:
This update fixes the following issues:
cobbler:
- Enabling PXE grub2 support for PowerPC (bsc#986978)
rhnlib:
- Add function aliases for backward compatibility (bsc#998185)
salt:
- Setting up OS grains for SLES-ES (SLES Expanded Support platform)
- Move salt home directory to /var/lib/salt (bsc#1002529)
- Generate Salt Thin with configured extra modules (bsc#990439)
- Prevent pkg.install failure for expired keys (bsc#996455)
- Required D-Bus and generating machine ID
- Fix python-jinja2 requirements in rhel
- Fix pkg.installed refresh repository failure (bsc#993549)
- Fix salt.states.pkgrepo.management no change failure (bsc#990440)
- Prevent snapper module crash on load if no DBus is available in the system (bsc#993039)
- Prevent continuous restart, if a dependency wasn't installed (bsc#991048)
- Fix beacon list to include all beacons being processed
- Run salt-api as user salt like the master (bsc#990029)
spacewalk-backend:
- Fix for non-integer IDs for bugzilla bug
- Silently ignore non-existing errata severity label on errata import, remove non-used exception (bsc#986447)
- Make suseLib usable on a proxy
spacewalk-client-tools:
- Logging message in case of malformed XML file
- Prevent crashes if machine-id is None (bsc#994619)
- Print invalid package name and replace the invalid character
- Ignore packages with non-UTF-8 characters in name, version and release (bsc#990738)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released:    Wed Nov 2 12:07:51 2016
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released:    Mon Nov 7 20:01:31 2016
Summary:     Recommended update for shadow
Type:        recommended
Severity:    low
References:  1002975
Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released:    Thu Nov 10 20:02:04 2016
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1006469,958369,979436
Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. (bsc#958369)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1667-1
Released:    Thu Nov 17 13:43:10 2016
Summary:     Recommended update for python-M2Crypto
Type:        recommended
Severity:    low
References:  1001377
Description:
This update for python-M2Crypto fixes the following issues:
- Do not strip leading zeros from certificate fingerprints. (bsc#1001377)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1716-1
Released:    Mon Nov 28 14:52:36 2016
Summary:     Recommended update for SUSE Manager Client Tools
Type:        recommended
Severity:    moderate
References:  1003449,1004047,1004260,1004723,986019,999852
Description:
This update includes the following new features:
- Support Service Pack migration for Salt minions. (fate#320559)
This update fixes the following issues:
salt:
- Fix exit codes of sysv init script. (bsc#999852)
- Include resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade.
- Fix Salt API crash via salt-ssh on empty roster. (bsc#1004723)
- Add 'dist-upgrade' support to zypper module. (fate#320559)
- Fix position of -X option to setfacl. (bsc#1004260)
- Fix generated shebang in scripts on SLES-ES 7. (bsc#1004047)
spacecmd:
- Make exception class more generic and code fixes. (bsc#1003449)
- Handle exceptions raised by listChannels. (bsc#1003449)
- Alert if a non-unique package ID is detected.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1744-1
Released:    Fri Dec 2 11:42:41 2016
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.
These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).
These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1782-1
Released:    Fri Dec 9 13:35:02 2016
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1001790,1004289,1005404,1006372,1006690,989831,991443
Description:
This update for systemd provides the following fixes:
- Allow redirecting confirmation messages to a different console. (bsc#1006690)
- Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831)
- Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289)
- Don't emit space usage message right after opening the persistent journal. (bsc#991443)
- Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. (bsc#1006372)
- Document that *KeyIgnoreInhibited only apply to a subset of locks.
- Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404)
- Revert 'kbd-model-map: add more mappings offered by Yast'.
- Don't busy loop when we get a notification message we can't process.
- Rename kbd-model-map-extra into kbd-model-map.legacy.
- Add kbd-model-map-extra file which contains the additional maps needed by YaST.
- Drop localfs.service: unused and not needed anymore.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1827-1
Released:    Thu Dec 15 12:41:10 2016
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.
These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).
These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1863-1
Released:    Wed Dec 21 10:41:35 2016
Summary:     Recommended update for pth
Type:        recommended
Severity:    low
References:  1013286
Description:
This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1901-1
Released:    Thu Dec 22 17:33:41 2016
Summary:     Optional update for SLE 12 Modules for ARM64
Type:        optional
Severity:    low
References:  1002576
Description:
This update introduces many packages that were missing in the ARM64 version of the Web and Scripting, Manager Tools and Public Cloud Modules for SUSE Linux Enterprise Server 12 SP2.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released:    Mon Jan 2 08:35:08 2017
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580)
- CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
- Incompatible declarations for external linkage function deflate (bsc#1003577)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:6-1
Released:    Tue Jan 3 15:01:58 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538
Description:
This update for systemd fixes the following issues:
- core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
- fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Ship kbd-model-map with the correct contents. (bsc#1015515)
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
- tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
- nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
- systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:32-1
Released:    Mon Jan 9 11:50:42 2017
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    low
References:  994794
Description:
This update for dirmngr enables support for daemon mode.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:47-1
Released:    Wed Jan 11 11:42:43 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1018214,1018399
Description:
This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:77-1
Released:    Tue Jan 17 10:06:02 2017
Summary:     Recommended update for salt
Type:        recommended
Severity:    moderate
References:  1003449,1004047,1004260,1004723,1008933,1012398,986019,999852,CVE-2016-9639
Description:
This update for Salt fixes one security issue and several non-security issues.
The following security issue has been fixed:
- Fix possible information leak due to revoked keys still being used. (bsc#1012398, CVE-2016-9639)
The following non-security issues have been fixed:
- Update to 2015.8.12
- Add pre-require to salt for minions.
- Do not restart salt-minion in salt package.
- Add try-restart to sys-v init scripts.
- Add 'Restart=on-failure' for salt-minion systemd service.
- Re-introduce 'KillMode=process' for salt-minion systemd service.
- Successfully exit salt-api child processes when SIGTERM is received.
- Fix exit codes of sysv init script. (bsc#999852)
- Include resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade.
- Fix Salt API crash via salt-ssh on empty roster. (bsc#1004723)
- Add 'dist-upgrade' support to zypper module. (fate#320559)
- Fix position of -X option to setfacl. (bsc#1004260)
- Fix generated shebang in scripts on SLES-ES 7. (bsc#1004047)
- Fix changing default-timezone. (bsc#1008933)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:98-1
Released:    Thu Jan 19 10:17:55 2017
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  998906
Description:
This update for kmod fixes a rare race condition while loading modules.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:149-1
Released:    Wed Jan 25 09:17:08 2017
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:
This update for systemd fixes the following issues:
This security issue was fixed:
- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).
These non-security issues were fixed:
- Fix permission set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2017:170-1
Released:    Mon Jan 30 19:13:36 2017
Summary:     Initial release of Salt
Type:        optional
Severity:    low
References:  989693
Description:
This update adds Salt to the Advanced Systems Management 12 Module.
Salt is a distributed remote execution system used to execute commands and query data. It was developed in order to bring the best solutions found in the world of remote execution together and make them better, faster and more malleable. Salt accomplishes this via its ability to handle larger loads of information, and not just dozens, but hundreds or even thousands of individual servers, handle them quickly and through a simple and manageable interface.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released:    Thu Feb 2 18:22:37 2017
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.
This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).
This non-security issue was fixed:
- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:192-1
Released:    Fri Feb 3 18:46:05 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).
For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:209-1
Released:    Tue Feb 7 17:00:47 2017
Summary:     Recommended update for libseccomp
Type:        recommended
Severity:    low
References:  1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1
Released:    Wed Feb 8 13:07:24 2017
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released:    Fri Feb 10 15:39:32 2017
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)
Security issues fixed:
- CVE-2016-7055: The x86_64 optimized montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)
Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released:    Mon Feb 20 11:00:28 2017
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    low
References:  1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfilesd files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276)
- Properly require logrotate as we need it for the dirmngr configs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:347-1
Released:    Wed Mar 8 12:23:47 2017
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1011304,1017078
Description:
This update for salt fixes the following issues:
- Fix invalid chars allowed for data IDs. (bsc#1011304)
- Fix timezone: Should be always in UTC. (bsc#1017078)
- Fixes wrong 'enabled' opts for yumnotify plugin.
- SSH-option parameter for salt-ssh command.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:365-1
Released:    Fri Mar 10 15:16:59 2017
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1006175
Description:
This update for sg3_utils fixes the following issue:
- Add udev rules to handle legacy CCISS devices (bsc#1006175)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:389-1
Released:    Thu Mar 16 14:16:43 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:
This update for systemd provides the following fixes:
- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:439-1
Released:    Tue Mar 21 10:48:47 2017
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    low
References:  1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:448-1
Released:    Wed Mar 22 13:31:03 2017
Summary:     Recommended update for python
Type:        recommended
Severity:    moderate
References:  1027282,964182
Description:
This update provides Python 2.7.13, which brings several bug fixes.
- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1.
- Update cipher lists for OpenSSL wrapper and support OpenSSL 1.1.0 and newer.
- Incorporate more integer overflow checks from upstream. (bsc#964182)
- Provide python2-* symbols to support new packages built as python2-.
For a comprehensive list of changes, please refer to the upstream Release Notes available at https://hg.python.org/cpython/raw-file/v2.7.13/Misc/NEWS
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released:    Fri Mar 24 21:58:07 2017
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package. (bsc#1015943)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:464-1
Released:    Mon Mar 27 15:50:51 2017
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1007851,1029725,1029900
Description:
This update for glibc fixes a potential segmentation fault in libpthread:
- Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:580-1
Released:    Wed Apr 12 23:58:47 2017
Summary:     Recommended update for cpio
Type:        recommended
Severity:    important
References:  1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types [bsc#1028410]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:609-1
Released:    Tue Apr 18 11:28:14 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309).
With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:656-1
Released:    Fri Apr 28 16:12:30 2017
Summary:     Recommended update for sqlite3
Type:        recommended
Severity:    low
References:  1019518,1025034
Description:
This update for sqlite3 provides the following fixes:
- Avoid calling sqlite3OsFetch() on a file-handle for which the xFetch method is NULL. This prevents a potential segmentation fault. (bsc#1025034)
- Fix defect in the in-memory journal logic that could leave the read cursor for the in-memory journal in an inconsistent state and result in a segmentation fault. (bsc#1019518)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:732-1
Released:    Wed May 10 14:03:43 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1030621
Description:
This update for procps fixes the following issues:
- Command w(1) with option -n doesn't work. (bsc#1030621)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:735-1
Released:    Wed May 10 15:43:46 2017
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    low
References:  1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:751-1
Released:    Thu May 11 17:14:30 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:
This update for systemd provides the following fixes:
- logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as 'unchanged'. (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398)
- core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:794-1
Released:    Tue May 16 15:41:09 2017
Summary:     Security update for bash
Type:        security
Severity:    moderate
References:  1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.
Additionally, the popd builtin now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:799-1
Released:    Wed May 17 00:21:13 2017
Summary:     Recommended update for glibc
Type:        recommended
Severity:    low
References:  1026224,1035445
Description:
This update for glibc introduces basic support for IBM POWER9 systems.
Additionally, an improper assert in dlclose() has been removed.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:821-1
Released:    Fri May 19 00:17:44 2017
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1019386,1022841,1023535,1027044,1027240,1027722,1030009,1032213,1032452
Description:
This update for salt fixes the following issues:
- Refactoring on Zypper and Yum execution and state modules to allow installation of patches/errata.
- Fix log rotation permission issue (bsc#1030009)
- Use pkg/suse/salt-api.service by this package
- Set SHELL environment variable for the salt-api.service.
- Fix 'timeout' and 'gather_job_timeout' kwargs parameters for 'local_batch' client.
- Add missing bootstrap script for Salt Cloud.
(bsc#1032452) - Add missing /var/cache/salt/cloud directory. (bsc#1032213) - Add test case for race conditions on cache directory creation. - Add 'pkg.install downloadonly=True' support to yum/dnf execution module. - Makes sure 'gather_job_timeout' is an Integer. - Add 'pkg.downloaded' state and support for installing patches/erratas. - Merge master_tops output. - Fix race condition on cache directory creation. - Cleanup salt user environment preparation. (bsc#1027722) - Don't send passwords after shim delimiter is found. (bsc#1019386) - Allow to set 'timeout' and 'gather_job_timeout' via kwargs. - Allow to set custom timeouts for 'manage.up' and 'manage.status'. - Define with system for fedora and RHEL 7. (bsc#1027240) - Fix service state returning stacktrace. (bsc#1027044) - Add OpenSCAP Module. - Prevents 'OSError' exception in case certain job cache path doesn't exist. (bsc#1023535) - Fix issue with cp.push. - Fix salt-minion update on RHEL. (bsc#1022841) - Adding new functions to Snapper execution module. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:865-1 Released: Wed May 24 16:23:20 2017 Summary: Security update for pam Type: security Severity: moderate References: 1015565,1037824,934920,CVE-2015-3238 Description: This update for pam fixes the following issues: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565). - If /etc/nologin is present, but empty, log a hint to syslog. 
(bsc#1015565) - Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:873-1 Released: Fri May 26 16:19:47 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1009532,960273 Description: This update for e2fsprogs provides the following fixes: - Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532) - Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:877-1 Released: Mon May 29 15:11:48 2017 Summary: Recommended update for cryptsetup Type: recommended Severity: low References: 1031998 Description: This update for cryptsetup provides the following fix: - Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:891-1 Released: Tue May 30 22:28:21 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following issues: - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064) - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. 
(bsc#1039066) - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661) - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:907-1 Released: Thu Jun 1 14:23:36 2017 Summary: Recommended update for shadow Type: recommended Severity: low References: 1003978,1031643 Description: This update for shadow fixes the following issues: - Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643) - useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID was iterated to find an available UID/GID. This could take long time over a network device. Instead, find available UID/GID locally, and then check only those values over network. (bsc#1003978) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:918-1 Released: Tue Jun 6 12:35:44 2017 Summary: Recommended update for libsemanage, selinux-policy Type: recommended Severity: moderate References: 1020143,1032445,1035818,1038189 Description: This update for libsemanage, selinux-policy fixes the following issues: - Limit to policy version 29 by default. 
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:939-1 Released: Mon Jun 12 10:56:22 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following security issues: * CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661) * CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066) * CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063) * CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:959-1 Released: Wed Jun 14 14:38:11 2017 Summary: Recommended update for gcc5 Type: recommended Severity: low References: 1043580 Description: This update for gcc5 fixes the version of libffi in its pkg-config configuration file. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:962-1 Released: Wed Jun 14 16:33:07 2017 Summary: Security update for openldap2 Type: security Severity: moderate References: 1009470,1037396,1041764,972331,CVE-2017-9287 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764) Non security bugs fixed: - Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. 
(bsc#1009470) - Fix an uninitialised variable that causes startup failure (bsc#1037396) - Fix an issue with transaction management that can cause server crash (bsc#972331) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:974-1 Released: Fri Jun 16 13:49:05 2017 Summary: Security update for Salt Type: security Severity: moderate References: 1011800,1012999,1017078,1020831,1022562,1025896,1027240,1027722,1030009,1030073,1032931,1035912,1035914,1036125,1038855,1039370,1040584,1040886,1043111,CVE-2017-5200,CVE-2017-8109 Description: This update for salt provides version 2016.11.4 and brings various fixes and improvements: - Adding a salt-minion watchdog for RHEL6 and SLES11 systems (sysV) to restart salt-minion in case of crashes during upgrade. - Fix format error. (bsc#1043111) - Fix ownership for whole master cache directory. (bsc#1035914) - Disable 3rd party runtime packages to be explicitly recommended. (bsc#1040886) - Fix insecure permissions in salt-ssh temporary files. (bsc#1035912, CVE-2017-8109) - Disable custom rosters for Salt SSH via Salt API. (bsc#1011800, CVE-2017-5200) - Orchestrate and batches don't return false failed information anymore. - Speed-up cherrypy by removing sleep call. - Fix os_family grains on SUSE. (bsc#1038855) - Fix setting the language on SUSE systems. (bsc#1038855) - Use SUSE specific salt-api.service. (bsc#1039370) - Fix using hostname for minion ID as '127'. - Fix core grains constants for timezone. (bsc#1032931) - Minor fixes on new pkg.list_downloaded. - Listing all type of advisory patches for Yum module. - Prevents zero length error on Python 2.6. - Fixes zypper test error after backporting. - Raet protocol is no longer supported. (bsc#1020831) - Fix moving SSH data to the new home. (bsc#1027722) - Fix logrotating /var/log/salt/minion. (bsc#1030009) - Fix result of master_tops extension is mutually overwritten. 
(bsc#1030073) - Allows to set 'timeout' and 'gather_job_timeout' via kwargs. - Allows to set custom timeouts for 'manage.up' and 'manage.status'. - Use salt's ordereddict for comparison. - Fix scripts for salt-proxy. - Add openscap module. - File.get_managed regression fix. - Fix translate variable arguments if they contain hidden keywords. (bsc#1025896) - Added unit test for dockerng.sls_build dryrun. - Added dryrun to dockerng.sls_build. - Update dockerng minimal version requirements. - Fix format error in error parsing. - Keep fix for migrating salt home directory. (bsc#1022562) - Fix salt pkg.latest raises exception if package is not available. (bsc#1012999) - Timezone should always be in UTC. (bsc#1017078) - Fix timezone handling for rpm installtime. (bsc#1017078) - Increasing timeouts for running integrations tests. - Add buildargs option to dockerng.build module. - Fix error when missing ssh-option parameter. - Re-add yum notify plugin. - All kwargs to dockerng.create to provide all features to sls_build as well. - Datetime should be returned always in UTC. - Fix possible crash while deserialising data on infinite recursion in scheduled state. (bsc#1036125) - Documentation refresh to 2016.11.4 - For a detailed description, please refer to: + https://docs.saltstack.com/en/develop/topics/releases/2016.11.4.html + https://docs.saltstack.com/en/develop/topics/releases/2016.11.3.html + https://docs.saltstack.com/en/develop/topics/releases/2016.11.2.html + https://docs.saltstack.com/en/develop/topics/releases/2016.11.1.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:985-1 Released: Mon Jun 19 14:57:41 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1042326,931932,CVE-2017-9526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. 
(bsc#1042326) - Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:990-1 Released: Mon Jun 19 17:19:44 2017 Summary: Security update for glibc Type: security Severity: important References: 1039357,1040043,CVE-2017-1000366 Description: This update for glibc fixes the following issues: - CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357] - A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1033-1 Released: Fri Jun 23 16:38:55 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1038194 Description: This update for e2fsprogs provides the following fixes: - Don't ignore fsync errors in libext2fs. (bsc#1038194) - Fix fsync(2) detection in libext2fs. 
(bsc#1038194) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1036-1 Released: Mon Jun 26 08:12:24 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969 Description: This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337) * CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1040-1 Released: Mon Jun 26 13:22:26 2017 Summary: Recommended update for libsemanage, policycoreutils Type: recommended Severity: low References: 1043237 Description: This update for libsemanage, policycoreutils fixes the following issue: - Show version numbers of modules where they are available (bsc#1043237) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1075-1 Released: Thu Jun 29 18:18:50 2017 Summary: Recommended update for python-PyYAML Type: recommended Severity: low References: 1002895 Description: This update for python-PyYAML fixes the following issues: - Adding an implicit resolver to a derived loader should not affect the base loader. - Uniform representation for OrderedDict? across different versions of Python. - Fixed comparison to None warning. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1082-1 Released: Fri Jun 30 10:54:06 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1045943 Description: This update for dirmngr provides the following fix: - Change logrotate from Requires to Recommends (bsc#1045943) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1086-1 Released: Fri Jun 30 15:36:17 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376 Description: This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887) * CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1104-1 Released: Tue Jul 4 16:13:55 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert 
device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. 
- Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1116-1 Released: Thu Jul 6 11:37:18 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1046607,CVE-2017-7526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1119-1 Released: Fri Jul 7 11:23:20 2017 Summary: Recommended update for ncurses Type: security Severity: important References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858) - CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853) Bugfixes: - Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does not need it anymore and as well as it causes bug bsc#1000662 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1126-1 Released: Fri Jul 7 21:23:02 2017 Summary: Recommended update for python-requests Type: recommended Severity: low References: 967128 Description: This update provides python-requests 2.11.1, which brings many fixes and enhancements: - Strip Content-Type and Transfer-Encoding headers from the header block when following a redirect that transforms the verb from POST/PUT to GET. - Added support for the ALL_PROXY environment variable. - Reject header values that contain leading whitespace or newline characters to reduce risk of header smuggling. - Fixed occasional TypeError when attempting to decode a JSON response that occurred in an error case. 
Now correctly returns a ValueError. - Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY environment variables: Requests now treats it as a specific IP. - Fixed a bug when sending JSON data that could cause us to encounter obscure OpenSSL errors in certain network conditions. - Added type checks to ensure that iter_content only accepts integers and None for chunk sizes. - Fixed issue where responses whose body had not been fully consumed would have the underlying connection closed but not returned to the connection pool, which could cause Requests to hang in situations where the HTTPAdapter had been configured to use a blocking connection pool. - Change built-in CaseInsensitiveDict to use OrderedDict as its underlying datastore. - Don't use redirect_cache if allow_redirects=False. - When passed objects that throw exceptions from tell(), send them via chunked transfer encoding instead of failing. - Raise a ProxyError for proxy related connection issues. - The verify keyword argument now supports being passed a path to a directory of CA certificates, not just a single-file bundle. - Warnings are now emitted when sending files opened in text mode. - Added the 511 Network Authentication Required status code to the status code registry. - For file-like objects that are not seeked to the very beginning, we now send the content length for the number of bytes we will actually read, rather than the total size of the file, allowing partial file uploads. - When uploading file-like objects, if they are empty or have no obvious content length we set Transfer-Encoding: chunked rather than Content-Length: 0. - We correctly receive the response in buffered mode when uploading chunked bodies. - We now handle being passed a query string as a bytestring on Python 3, by decoding it as UTF-8. - Sessions are now closed in all cases (exceptional and not) when using the functional API rather than leaking and waiting for the garbage collector to clean them up. 
- Correctly handle digest auth headers with a malformed qop directive that contains no token, by treating it the same as if no qop directive was provided at all. - Minor performance improvements when removing specific cookies by name. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1160-1 Released: Fri Jul 14 17:20:26 2017 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1031702 Description: This update for openldap2 provides the following fix: - Fix a regression in handling of non-blocking connection (bsc#1031702) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1174-1 Released: Wed Jul 19 11:12:51 2017 Summary: Security update for systemd, dracut Type: security Severity: important References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445 Description: This update for systemd and dracut fixes the following issues: Security issues fixed: - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290) Non-security issues fixed in systemd: - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) Non-security issues fixed in dracut: - Bail out if module directory does not exist. (bsc#1043900) - Suppress bogus error message. (bsc#1032029) - Fix module force loading with systemd. (bsc#986216) - Ship udev files required by systemd. (bsc#1040153) - Ignore module resolution errors (e.g. with kgraft). 
(bsc#1037120) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1198-1 Released: Fri Jul 21 14:04:23 2017 Summary: Recommended update for python-boto, python-simplejson Type: recommended Severity: low References: 1002895 Description: This update provides python-boto 2.42.0 and python-simplejson 3.8.2, which bring many fixes and enhancements. python-boto: - Respect is_secure parameter in generate_url_sigv4 - Update MTurk API - Update endpoints.json - Allow s3 bucket lifecycle policies with multiple transitions - Fixes upload parts for glacier - Autodetect sigv4 for ap-northeast-2 - Added support for ap-northeast-2 - Remove VeriSign Class 3 CA from trusted certs - Add note about boto3 on all pages of boto docs - Fix for listing EMR steps based on cluster_states filter - Fixed param name in set_contents_from_string docstring - Spelling and documentation fixes - Add deprecation notice to emr methods - Add some GovCloud endpoints. python-simplejson: - Fix issue with iterable_as_array and indent option - New iterable_as_array encoder option to perform lazy serialization of any iterable objects, without having to convert to tuple or list - Do not cache Decimal class in encoder, only reference the decimal module - No longer trust custom str/repr methods for int, long, float subclasses: these instances are now formatted as if they were exact instances of those types - Fix reference leak when an error occurs during dict encoding - Fix dump when only sort_keys is set - Automatically strip any UTF-8 BOM from input to more closely follow the latest specs - Fix lower bound checking in scan_once / raw_decode API - Consistently reject int_as_string_bitcount settings that are not positive integers - Add int_as_string_bitcount encoder option - Fix potential crash when encoder created with incorrect options - Documentation updates. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1222-1 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1034563,1039941 Description: This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1245-1 Released: Thu Aug 3 10:43:15 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445 Description: This update for systemd provides several fixes and enhancements. Security issues fixed: - CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614) - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. 
(bsc#1045290) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. 
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1268-1
Released:    Mon Aug 7 10:09:19 2017
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364
Description:
This update for openssl fixes the following issues, including fixes for our ongoing FIPS 140-2 evaluation:
- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address the SWEET32 problem (bsc#1027908)
- Use the getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environment variable (bsc#1028723)
- s_client sent empty client certificate (bsc#1028281)
  Add back certificate initialization set_cert_key_stuff() which was removed in a previous update.
- Fix a bug in XTS key handling (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1279-1
Released:    Mon Aug 7 14:46:40 2017
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1316-1
Released:    Thu Aug 10 13:54:27 2017
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1014471,1026825,1044840,938657
Description:
This update for cyrus-sasl provides the following fixes:
- Fix SASL GSSAPI mechanism acceptor wrongly returning zero maxbufsize
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use the SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message (bsc#1044840)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1326-1
Released:    Fri Aug 11 16:59:04 2017
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1330-1
Released:    Mon Aug 14 18:41:29 2017
Summary:     Recommended update for sed
Type:        recommended
Severity:    low
References:  954661
Description:
This update for sed provides the following fixes:
- Don't terminate with a segmentation fault if close of the last file descriptor fails. (bsc#954661)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2017:1333-1
Released:    Tue Aug 15 17:59:30 2017
Summary:     Optional update for libverto
Type:        optional
Severity:    low
References:  1029561
Description:
This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1334-1
Released:    Tue Aug 15 20:09:03 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1048679,874665
Description:
This update for systemd fixes the following issues:
- compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464)
- timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1335-1
Released:    Wed Aug 16 11:24:21 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1051643,1051644,CVE-2017-1000100,CVE-2017-1000101
Description:
This update for curl fixes the following issues:
- CVE-2017-1000100: TFTP sends more than buffer size and it could lead to a denial of service (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1344-1
Released:    Thu Aug 17 12:20:25 2017
Summary:     Recommended update for python-simplejson
Type:        recommended
Severity:    low
References:  1002895
Description:
This update provides python-simplejson 3.8.2, which brings many fixes and enhancements:
- Fix issue with iterable_as_array and indent option
- New iterable_as_array encoder option to perform lazy serialization of any iterable objects, without having to convert to tuple or list
- Do not cache Decimal class in encoder, only reference the decimal module
- No longer trust custom str/repr methods for int, long, float subclasses: these instances are now formatted as if they were exact instances of those types
- Fix reference leak when an error occurs during dict encoding
- Fix dump when only sort_keys is set
- Automatically strip any UTF-8 BOM from input to more closely follow the latest specs
- Fix lower bound checking in scan_once / raw_decode API
- Consistently reject int_as_string_bitcount settings that are not positive integers
- Add int_as_string_bitcount encoder option
- Fix potential crash when encoder created with incorrect options
- Documentation updates.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1347-1
Released:    Fri Aug 18 11:03:57 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    important
References:  1053409
Description:
This update for procps fixes the following issues:
- Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1349-1
Released:    Fri Aug 18 12:31:07 2017
Summary:     Recommended update for lua51
Type:        recommended
Severity:    low
References:  1051626
Description:
This update for lua51 provides the following fixes:
- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1384-1
Released:    Fri Aug 25 13:39:19 2017
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1036125
Description:
This update for salt fixes the following issues:
- Added bugfix when jobs scheduled to run at a future time stay pending for Salt minions. (bsc#1036125)
- Adding procps as dependency.
  This provides the 'ps' and 'pgrep' utils which are called from different Salt modules and also from the new salt-minion watchdog.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1390-1
Released:    Fri Aug 25 15:14:27 2017
Summary:     Security update for libzypp
Type:        security
Severity:    important
References:  1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.

yast2-pkg-bindings:
- Do not crash when the repository URL is not defined. (bsc#1043218)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1412-1
Released:    Tue Aug 29 18:29:00 2017
Summary:     Recommended update for python-requests
Type:        recommended
Severity:    low
References:  967128
Description:
This update provides python-requests 2.11.1, which brings many fixes and enhancements:
- Strip Content-Type and Transfer-Encoding headers from the header block when following a redirect that transforms the verb from POST/PUT to GET.
- Added support for the ALL_PROXY environment variable.
- Reject header values that contain leading whitespace or newline characters to reduce risk of header smuggling.
- Fixed occasional TypeError when attempting to decode a JSON response that occurred in an error case. Now correctly returns a ValueError.
- Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY environment variable: Requests now treats it as a specific IP.
- Fixed a bug when sending JSON data that could cause us to encounter obscure OpenSSL errors in certain network conditions.
- Added type checks to ensure that iter_content only accepts integers and None for chunk sizes.
- Fixed issue where responses whose body had not been fully consumed would have the underlying connection closed but not returned to the connection pool, which could cause Requests to hang in situations where the HTTPAdapter had been configured to use a blocking connection pool.
- Change built-in CaseInsensitiveDict to use OrderedDict as its underlying datastore.
- Don't use redirect_cache if allow_redirects=False.
- When passed objects that throw exceptions from tell(), send them via chunked transfer encoding instead of failing.
- Raise a ProxyError for proxy related connection issues.
- The verify keyword argument now supports being passed a path to a directory of CA certificates, not just a single-file bundle.
- Warnings are now emitted when sending files opened in text mode.
- Added the 511 Network Authentication Required status code to the status code registry.
- For file-like objects that are not seeked to the very beginning, we now send the content length for the number of bytes we will actually read, rather than the total size of the file, allowing partial file uploads.
- When uploading file-like objects, if they are empty or have no obvious content length we set Transfer-Encoding: chunked rather than Content-Length: 0.
- We correctly receive the response in buffered mode when uploading chunked bodies.
- We now handle being passed a query string as a bytestring on Python 3, by decoding it as UTF-8.
- Sessions are now closed in all cases (exceptional and not) when using the functional API rather than leaking and waiting for the garbage collector to clean them up.
- Correctly handle digest auth headers with a malformed qop directive that contains no token, by treating it the same as if no qop directive was provided at all.
- Minor performance improvements when removing specific cookies by name.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1419-1
Released:    Wed Aug 30 15:38:22 2017
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:
- CVE-2016-9063: Possible integer overflow inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1439-1
Released:    Fri Sep 1 15:31:05 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1045384,1045987,1046268,1047379,1048605
Description:
This update for systemd fixes the following issues:
- Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1447-1
Released:    Mon Sep 4 15:38:20 2017
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    important
References:  1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:
- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)

zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1450-1
Released:    Mon Sep 4 16:36:07 2017
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  1035062,944903
Description:
This update for insserv-compat fixes the following issues:
- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1453-1
Released:    Mon Sep 4 21:23:50 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:
- libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null, which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659)
- dlsym returns the PLT address on s390x; dlopen libgcrypt20.so before calling dlsym (bsc#1047008)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1457-1
Released:    Tue Sep 5 14:40:18 2017
Summary:     Security update for python-pycrypto
Type:        security
Severity:    important
References:  1017420,1047666,CVE-2013-7459
Description:
This update for python-pycrypto fixes the following issues:
- CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew (bsc#1017420).

python-paramiko was adjusted to work together with this python-pycrypto change. (bsc#1047666)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1548-1
Released:    Fri Sep 15 18:19:12 2017
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:
- Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fall back to using sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1592-1
Released:    Tue Sep 26 17:38:03 2017
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1028485,1045628,978055,998893,999878
Description:
This update for lvm2 provides the following fixes:
- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1644-1
Released:    Mon Oct 9 07:52:24 2017
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.

This security issue was fixed:
- CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995)

These non-security issues were fixed:
- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1660-1
Released:    Mon Oct 9 15:39:22 2017
Summary:     Security update for Salt
Type:        security
Severity:    moderate
References:  1051948,1052264,1053376,1053955,CVE-2017-12791
Description:
This update for salt fixes one security issue and bugs:

The following security issue has been fixed:
- CVE-2017-12791: Directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID (bsc#1053955).

Additionally, the following non-security issues have been fixed:
- Added support for SUSE Manager scalability features. (bsc#1052264)
- Introduced the kubernetes module. (bsc#1051948)
- Notify systemd synchronously via NOTIFY_SOCKET. (bsc#1053376)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1663-1
Released:    Tue Oct 10 12:05:09 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1043615,1046173
Description:
This update for dbus-1 provides the following fixes:
- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1703-1
Released:    Tue Oct 17 13:20:12 2017
Summary:     Recommended update for audit
Type:        recommended
Severity:    low
References:  1042781
Description:
This update for audit provides the following fix:
- Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1758-1
Released:    Mon Oct 23 08:47:47 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)

Bugs fixed:
- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1772-1
Released:    Wed Oct 25 14:10:42 2017
Summary:     Recommended update for logrotate
Type:        recommended
Severity:    low
References:  1057801
Description:
This update for logrotate provides the following fix:
- Make sure log files continue to rotate properly when a stale status file is found. (bsc#1057801)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1796-1
Released:    Fri Oct 27 21:25:06 2017
Summary:     Recommended update for pcre
Type:        recommended
Severity:    moderate
References:  1058722
Description:
This update for pcre fixes the following issues:
- Fixed the pcre stack frame size detection, because modern compilers break it by cloning and inlining the pcre match() function (bsc#1058722)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1797-1
Released:    Sat Oct 28 12:06:19 2017
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1028304,1048645,1060738
Description:
This update for permissions fixes the following issues:
- Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. (bsc#1028304)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1826-1
Released:    Wed Nov 8 08:47:17 2017
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:

Security issues fixed:
- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1829-1
Released:    Wed Nov 8 08:50:00 2017
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1023895,1052261,980486,CVE-2017-12424
Description:
This update for shadow fixes several issues.

This security issue was fixed:
- CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have led to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261).

These non-security issues were fixed:
- bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings
- bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1881-1
Released:    Wed Nov 22 16:29:58 2017
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:
The GNU file utility was updated to version 5.22.

Security issues fixed:
- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allowed remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)

Version update to file version 5.22
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.

Version update to file version 5.21
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads

Update to file version 5.20
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support

Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1903-1
Released:    Fri Nov 24 16:19:37 2017
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:

Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)

Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1916-1
Released:    Fri Nov 24 20:15:01 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    important
References:  1043333,1059723
Description:
This update for libgcrypt provides the following fix:
- Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon. (bsc#1059723)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1917-1
Released:    Mon Nov 27 13:32:07 2017
Summary:     Optional update for gcc7
Type:        recommended
Severity:    low
References:  1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.

New features:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-nvptx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support.

The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 7, several bugs fixed, quite a few new warnings added, and the error pin-pointing and fix-suggestions have been greatly improved.

The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1965-1
Released:    Thu Nov 30 12:48:45 2017
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libsolv:
- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.

libzypp:
- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.

zypper:
- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands to support setting only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1966-1
Released:    Thu Nov 30 13:45:24 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249
Description:
This update for systemd fixes the following issues:
- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow to specify the generation number through the kernel command line.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1968-1
Released:    Thu Nov 30 19:49:33 2017
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    low
References:  1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:
- Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1970-1
Released:    Thu Nov 30 22:55:41 2017
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:

Security issues fixed:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2021-1
Released:    Fri Dec 8 10:11:04 2017
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1070878,1070958
Description:
This update for file fixes detection of JPEG files.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2031-1
Released: Mon Dec 11 12:55:57 2017
Summary: Recommended update for gzip
Type: recommended
Severity: low
References: 1067891
Description:
This update for gzip provides the following fix:
- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2036-1
Released: Wed Dec 13 16:34:21 2017
Summary: Recommended update for util-linux
Type: recommended
Severity: low
References: 1039276,1040968,1055446,1066500
Description:
This update for util-linux provides the following fixes:
- Allow unmounting of filesystems without calling stat() on the mount point when '-c' is used. (bsc#1040968)
- Fix an infinite loop and a crash in lscpu, and report the correct minimum and maximum frequencies for some processors. (bsc#1055446)
- Fix a lscpu failure in the Sydney Amazon EC2 region. (bsc#1066500)
- If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2097-1
Released: Sat Dec 16 01:59:00 2017
Summary: Security update for openssl
Type: security
Severity: important
References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738
Description:
This update for openssl fixes the following issues:
- OpenSSL Security Advisory [07 Dec 2017]
* CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 'error state' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly.
In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b to 1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
* CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions, like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2111-1
Released: Wed Dec 20 12:12:49 2017
Summary: Security update for Salt
Type: security
Severity: moderate
References: 1041993,1042749,1050003,1059291,1059758,1060230,1062462,1062464,985112,CVE-2017-14695,CVE-2017-14696
Description:
This update for salt fixes two security issues and several bugs.
The following security issues have been fixed:
- CVE-2017-14695: A directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. (bsc#1062462)
- CVE-2017-14696: It was possible to force a remote Denial of Service with a specially crafted authentication request. (bsc#1062464)
Additionally, the following non-security issues have been fixed:
- Removed deprecation warning for beacon configuration using dictionaries. (bsc#1041993)
- Fixed beacons failing when pillar-based beacon configuration suppresses config-based configuration. (bsc#1060230)
- Fixed minion resource exhaustion when many functions are being executed in parallel. (bsc#1059758)
- Remove 'TasksTask' attribute from salt-master.service in older versions of systemd. (bsc#985112)
- Fix for delete_deployment in the Kubernetes module. (bsc#1059291)
- Catch the error when the PID file cannot be deleted. (bsc#1050003)
- Use $HOME to get the user home directory instead of using the '~' character. (bsc#1042749)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2137-1
Released: Thu Dec 21 17:49:12 2017
Summary: Recommended update for dbus-1
Type: recommended
Severity: moderate
References: 1046173,1071698
Description:
This update for dbus-1 provides the following fixes:
- The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698)
- Remove calls to initscripts-related macros from the spec file, as dbus-1 does not ship any initscript anymore. (bsc#1046173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:4-1
Released: Tue Jan 2 15:58:20 2018
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Don't store duplicated locks.
(bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)
zypper:
- Update the manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:38-1
Released: Tue Jan 9 14:56:43 2018
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 1070209
Description:
This update for kmod provides the following fixes:
- Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:55-1
Released: Fri Jan 12 09:45:49 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:
- A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
- A bug that prevented users from building shared objects that use the optimized libmvec.so API has been fixed. [bsc#1070905]
- A memory leak in the glob() function has been fixed.
[CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:86-1
Released: Wed Jan 17 09:38:17 2018
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in the _nc_save_str function (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released: Wed Jan 17 14:41:17 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).
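Back to CVE-2017-14695 in the Salt advisory SUSE-SU-2017:2111-1 above: the flaw is a minion id that is used as a path component under the master's pki directory, so an id containing '/' or '..' resolves outside that directory. As an added example (not Salt's own code), the Python below shows the naive path construction next to a hardened version that validates the id against a whitelist and then checks that the resolved path is a direct child of the minions directory. The directory layout, the regular expression and the function names are assumptions for illustration; the crafted ids are constructed inputs.

```python
import os
import re
import tempfile

# Assumed id policy for this example: hostname-like tokens only. '/', '\\',
# NUL and whitespace are rejected outright. Salt's own validator differs in detail.
_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def valid_id(minion_id):
    """True only for ids that are safe to embed as a single path component."""
    return isinstance(minion_id, str) and _ID_RE.match(minion_id) is not None


def naive_key_path(pki_dir, minion_id):
    """The vulnerable pattern: trust the id and join it straight into a path."""
    return os.path.join(pki_dir, "minions", minion_id)


def safe_key_path(pki_dir, minion_id):
    """Hardened lookup: whitelist the id, then prove containment after resolving."""
    if not valid_id(minion_id):
        raise ValueError("invalid minion id: %r" % (minion_id,))
    base = os.path.realpath(os.path.join(pki_dir, "minions"))
    candidate = os.path.realpath(os.path.join(base, minion_id))
    # Defence in depth: even if the whitelist were loosened later, refuse any
    # path that does not resolve to a direct child of the minions directory.
    if os.path.dirname(candidate) != base:
        raise ValueError("minion id escapes the pki directory: %r" % (minion_id,))
    return candidate


def escapes_pki_dir(pki_dir, minion_id):
    """True when the naive join resolves outside <pki_dir>/minions."""
    base = os.path.realpath(os.path.join(pki_dir, "minions"))
    target = os.path.realpath(naive_key_path(pki_dir, minion_id))
    return os.path.dirname(target) != base


def demo():
    """
    Run both lookups against constructed attacker-controlled ids.
    Returns (naive_escapes, safe_rejects, safe_accepts_good_id).
    """
    pki_dir = tempfile.mkdtemp(prefix="pki-")
    os.makedirs(os.path.join(pki_dir, "minions"))
    crafted = ["../../etc/passwd", "../master.pem", "web01/../../shadow"]  # constructed
    naive_escapes = [escapes_pki_dir(pki_dir, i) for i in crafted]
    safe_rejects = []
    for i in crafted:
        try:
            safe_key_path(pki_dir, i)
            safe_rejects.append(False)
        except ValueError:
            safe_rejects.append(True)
    good = os.path.basename(safe_key_path(pki_dir, "web01")) == "web01"
    return naive_escapes, safe_rejects, good


if __name__ == "__main__":
    print(demo())
```

The whitelist alone would have stopped these ids; the containment check after realpath() is kept because whitelists get relaxed over time, and it also catches symlinks planted inside the minions directory.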
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released: Wed Jan 17 14:44:33 2018
Summary: Recommended update for lvm2
Type: recommended
Severity: low
References: 1063051,1067312
Description:
This update for lvm2 provides the following fixes:
- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages when testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd. (bsc#1067312)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released: Thu Jan 25 11:44:23 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1064397,1065083
Description:
This update for openldap2 provides the following fixes:
- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released: Thu Jan 25 13:38:37 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.
This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released: Tue Jan 30 10:53:43 2018
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.
These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released: Tue Jan 30 14:36:40 2018
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.
This security issue was fixed:
- CVE-2018-1049: Prevent a race that can lead to DoS when using automounts (bsc#1076308).
These non-security issues were fixed:
- core: don't choke if a unit that another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files. (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size
(bsc#1075724)
- tmpfiles: downgrade warning about duplicate line

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released: Tue Jan 30 14:37:42 2018
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.
This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER-encoded structure, which allowed a DoS (bsc#1076832).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:231-1
Released: Thu Feb 1 09:56:36 2018
Summary: Recommended update for systemd-rpm-macros
Type: recommended
Severity: low
References: 1071543,1073715
Description:
This update for systemd-rpm-macros provides the following fixes:
- Make sure to apply presets if packages start shipping units during upgrades. (bsc#1071543, bsc#1073715)
- Remove a useless test in %service_add_pre(). The test was placed where the condition '[ '$FIRST_ARG' -gt 1 ]' was always true.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released: Thu Feb 8 17:47:43 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes the following issues.
These security issues were fixed:
- CVE-2017-15412: Prevent a use after free when calling XPath extension functions, which allowed remote attackers to cause a DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
(bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in the function xmlMemoryStrdup() (bsc#1078806)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released: Mon Feb 12 11:50:39 2018
Summary: Recommended update for bash
Type: recommended
Severity: low
References: 1057452,1076909
Description:
This update for bash provides the following fixes:
- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released: Thu Feb 15 14:47:35 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485, CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)
Non-security bugs fixed:
- Release read lock after resetting timeout (bsc#1073990)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:336-1
Released: Wed Feb 21 14:26:52 2018
Summary: Security update for libdb-4_8
Type: security
Severity: moderate
References: 1043886
Description:
This update for libdb-4_8 fixes the following issues:
- A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8.
(bsc#1043886)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released: Mon Feb 26 16:34:46 2018
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:
Security issue fixed:
- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on. This could be used by local attackers to gain privileges (bsc#1077925)
Non-security issues fixed:
- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com.
- Don't ship /usr/lib/systemd/system/tmp.mount at all (bsc#1071224). We still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Type: recommended
Severity: low
References: 1009905,1063910
Description:
This update for net-tools provides the following fix:
- netstat: fix handling of large socket numbers (bsc#1063910)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:377-1
Released: Wed Feb 28 21:31:59 2018
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1050003,1063419,1065792,1068446,1068566,1071322,1072218,1073618,1074227,1078001
Description:
This update for salt fixes the following issues:
- Fix state files with unicode. (bsc#1074227)
- Catch ImportError for kubernetes.client import. (bsc#1078001)
- Fix epoch handling for Rhel 6 and 7.
- Fix zypper module to return UTC dates on 'pkg.list_downloaded'.
- Fix return value parsing when calling vm_state. (bsc#1073618)
- Fix 'user.present' when 'gid_from_name' is set but group does not exist.
- Split only strings, if they are such. (bsc#1072218)
- Feat: Add grain for all FQDNs. (bsc#1063419)
- Fix 'No service execution module loaded' issue. (bsc#1065792)
- Removed unnecessary logging on shutdown. (bsc#1050003)
- Add grain for retrieving FQDNs. (bsc#1063419)
- Older logrotate need su directive. (bsc#1071322)
- Fix for wrong version processing during yum pkg install. (bsc#1068566)
- Avoid excessive syslogging by watchdog cronjob.
- Check pillar: Fix the logic according to the exact described purpose of the function.
(bsc#1068446)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released: Fri Mar 9 14:05:22 2018
Summary: Security update for augeas
Type: security
Severity: low
References: 1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:
Security issue fixed:
- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mishandled by parse_name() (bsc#1054171).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released: Fri Mar 9 18:02:14 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:
- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released: Mon Mar 12 13:13:55 2018
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:
- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released: Thu Mar 15 07:38:52 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:
- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines.
(bsc#1078358, bsc#1081170, bsc#1075743)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released: Thu Mar 15 10:47:40 2018
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: low
References: 1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:
libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.
libzypp:
- Make sure deleted keys are also removed from the rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing of localized rpm output. (bsc#1076415)
zypper:
- Do not recommend cron, as it is not a direct dependency of zypper. (bsc#1079334)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released: Thu Mar 22 08:20:46 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:
The following security issues were fixed:
- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possibly code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).
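Among the curl advisories above, CVE-2018-1000007 (SUSE-SU-2018:149-1) is the redirect credential-leak pattern: a client that copies its Authorization header onto every hop hands it to whichever host a 30x Location points at. The following added example is not curl's code; it implements the policy a hardened client applies, forwarding credentials only when the redirect target has the same scheme, host and port as the request that carried them, and it simulates a redirect chain offline against a constructed response table. The header list, URLs and function names are assumptions for this example.

```python
from urllib.parse import urljoin, urlsplit

# Headers that must never cross an origin boundary on a redirect.
# Cookie is included as a conservative choice for this example.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of a URL, lower-cased, with the default port filled in."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        raise ValueError("unsupported or malformed URL: %r" % (url,))
    return (p.scheme.lower(), p.hostname.lower(), p.port or DEFAULT_PORTS[p.scheme])


def same_origin(a, b):
    return origin(a) == origin(b)


def headers_for_redirect(orig_url, location, headers):
    """
    Headers to send to `location` after being redirected from `orig_url`.
    Credentials survive only a same-origin hop; other headers pass through.
    """
    keep = same_origin(orig_url, location)
    out = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS and not keep:
            continue
        out[name] = value
    return out


def follow_redirects(start_url, headers, responses, max_hops=5):
    """
    Simulate a redirect chain. `responses` maps URL -> (status, Location or None)
    and stands in for a real HTTP client so the example runs offline.
    Returns the list of (url, headers_sent) pairs, one per request made.
    """
    url, hdrs, trail = start_url, dict(headers), []
    for _ in range(max_hops + 1):
        trail.append((url, dict(hdrs)))
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            return trail
        location = urljoin(url, location)  # Location may be relative
        hdrs = headers_for_redirect(url, location, hdrs)
        url = location
    raise RuntimeError("too many redirects")


# Constructed responses: the API host bounces the client to a third-party CDN.
RESPONSES = {
    "https://api.example.com/v1/report": (302, "/v1/report/latest"),
    "https://api.example.com/v1/report/latest": (307, "https://cdn.third-party.test/report.pdf"),
}


if __name__ == "__main__":
    for url, sent in follow_redirects(
        "https://api.example.com/v1/report",
        {"Authorization": "Bearer s3cr3t", "Accept": "application/pdf"},
        RESPONSES,
    ):
        print(url, sorted(sent))
```

The second hop is same-origin and keeps the bearer token; the third crosses to cdn.third-party.test and is sent with only the Accept header. Note that a scheme downgrade (https to http on the same host) is also a different origin here, which is stricter than a host-only comparison.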
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:524-1
Released: Thu Mar 22 11:53:28 2018
Summary: Recommended update for zypp-plugin
Type: recommended
Severity: low
References: 1081596
Description:
This update provides the new Python 3 module for the zypp-plugin.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released: Thu Mar 29 14:02:08 2018
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:
Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).
Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released: Thu Apr 5 17:22:37 2018
Summary: Security update for libidn
Type: security
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.
This security issue was fixed:
- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
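CVE-2017-14062 above is an integer overflow in libidn's Punycode decoder (decode_digit and the loop around it in the RFC 3492 decoding algorithm). The decoder accumulates i += digit * w and w *= base - t across variable-length digit runs, so an attacker-chosen label can push those values past the width of the C integer unless every step is guarded. The added example below is not libidn's code: it is a Python implementation of the RFC 3492 decoder that mirrors the bounds checks a C implementation needs, assumes a 32-bit MAXINT for the guarded quantities, and raises instead of wrapping. The crafted overflow label is a constructed input.

```python
BASE, TMIN, TMAX, SKEW, DAMP = 36, 1, 26, 38, 700
INITIAL_BIAS, INITIAL_N = 72, 128
MAXINT = 0xFFFFFFFF  # assumed width of the C integers being guarded


class PunycodeError(ValueError):
    pass


def decode_digit(cp):
    """Map one ASCII character to a base-36 digit 0..35 (a-z = 0..25, 0-9 = 26..35)."""
    if "0" <= cp <= "9":
        return ord(cp) - 22
    if "A" <= cp <= "Z":
        return ord(cp) - 65
    if "a" <= cp <= "z":
        return ord(cp) - 97
    raise PunycodeError("bad digit %r" % cp)


def adapt(delta, numpoints, firsttime):
    """Bias adaptation exactly as in RFC 3492 section 6.1."""
    delta = delta // DAMP if firsttime else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + (BASE - TMIN + 1) * delta // (delta + SKEW)


def punycode_decode(label):
    """Decode one Punycode label (without the 'xn--' prefix) into a str."""
    pos = label.rfind("-")
    output = list(label[:pos]) if pos > 0 else []
    if any(ord(c) >= 0x80 for c in output):
        raise PunycodeError("non-basic code point in basic part")
    n, i, bias = INITIAL_N, 0, INITIAL_BIAS
    idx = pos + 1 if pos >= 0 else 0
    while idx < len(label):
        oldi, w, k = i, 1, BASE
        while True:
            if idx >= len(label):
                raise PunycodeError("truncated input")
            digit = decode_digit(label[idx])
            idx += 1
            # Guard: i + digit*w must stay <= MAXINT (the missing check in the CVE).
            if digit > (MAXINT - i) // w:
                raise OverflowError("i overflow")
            i += digit * w
            t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
            if digit < t:
                break
            # Guard: w * (BASE - t) must stay <= MAXINT.
            if w > MAXINT // (BASE - t):
                raise OverflowError("w overflow")
            w *= BASE - t
            k += BASE
        out = len(output) + 1
        bias = adapt(i - oldi, out, oldi == 0)
        # Guard: n + i // out must stay <= MAXINT.
        if i // out > MAXINT - n:
            raise OverflowError("n overflow")
        n += i // out
        i %= out
        if n > 0x10FFFF or 0xD800 <= n <= 0xDFFF:
            raise PunycodeError("decoded code point out of range")
        output.insert(i, chr(n))
        i += 1
    return "".join(output)


def overflows(label):
    """True when decoding `label` trips one of the overflow guards."""
    try:
        punycode_decode(label)
    except OverflowError:
        return True
    except PunycodeError:
        return False
    return False


if __name__ == "__main__":
    print(punycode_decode("mnchen-3ya"))
    print(overflows("a-9999999999"))  # constructed: run of maximal digits
```

Every '9' is the largest digit (35) and never falls below the threshold t, so the run keeps multiplying w by up to 35 per digit; the guard trips on the eighth digit, well before the product would wrap in a 32-bit C integer. Python integers do not overflow on their own, which is exactly why the checks have to be explicit here to model the C behaviour.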
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released: Wed Apr 11 18:02:57 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. (bsc#1087102).

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:651-1
Released: Mon Apr 16 19:25:08 2018
Summary: Initial release of python3-cssselect, -lxml, -pycparser, -simplejson and -pycurl
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 modules for the SUSE Linux Enterprise Server:
- python3-cssselect
- python3-lxml
- python3-pycparser
- python3-pycurl
- python3-simplejson

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:727-1
Released: Tue Apr 24 12:50:53 2018
Summary: Initial release of python3-pyzmq
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:
- python3-pyzmq

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:
Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)
Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:743-1
Released: Thu Apr 26 15:40:28 2018
Summary: Initial release of python3-psutil and -pycrypto
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 modules:
- python3-psutil
- python3-pycrypto

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:759-1
Released: Mon Apr 30 12:03:07 2018
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1072973,1079398,1085635
Description:
This update for salt fixes the following issues:
- Make module result usable in states module.run. (bsc#1085635)
- Fix Augeas module 'stripped quotes' issue. (bsc#1079398)
- Fix logging with FQDNs.
- Explore 'module.run' state module output in depth to catch the 'result' properly.
- Fix x509 unit test to run on 2016.11.4 version.
- Fix TypeError thrown by M2Crypto on missing fields. (bsc#1072973)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released: Wed May 2 22:16:26 2018
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:
- Fix find-lang.sh to handle the special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version mac­ro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0 or 1 if the first version is less than, equal to, or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released: Mon May 7 07:07:38 2018
Summary: Recommended update for gcc7
Type: recommended
Severity: important
References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update of gcc7 to the 7.3 release fixes the following issues:
- Update to the GCC 7.3 release and further to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included.
[bsc#1083946] - Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621] - Update includes a fix for chromium build failure. [bsc#1083290] - Various AArch64 compile fixes are included: * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419. * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930] * Enable --enable-fix-cortex-a53-835769 for aarch64. * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667] * Fixed bogus stack probe instruction on ARM. [bsc#1068967] - Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550] - Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel. ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:801-1 Released: Mon May 7 12:59:12 2018 Summary: Initial release of python3-msgpack-python Type: optional Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-msgpack-python ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:806-1 Released: Tue May 8 12:31:07 2018 Summary: Initial release of python3-MarkupSafe Type: optional Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-MarkupSafe ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:807-1 Released: Tue May 8 12:33:03 2018 Summary: Initial release of python3-Jinja2 Type: optional Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-Jinja2 ----------------------------------------------------------------- Advisory ID: 
SUSE-OU-2018:810-1 Released: Tue May 8 17:20:51 2018 Summary: Initial release of python3-PyYAML Type: optional Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-PyYAML ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:919-1 Released: Tue May 15 16:30:21 2018 Summary: Initial release of python3-tornado Type: optional Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-tornado ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:925-1 Released: Wed May 16 10:09:28 2018 Summary: Initial release of python3-requests Type: optional Severity: low References: 1073879 Description: This update provides the following new Python 3 module: - python3-requests ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:939-1 Released: Thu May 17 08:41:30 2018 Summary: Security update for curl Type: security Severity: moderate References: 1086825,1092098,CVE-2018-1000301 Description: This update for curl fixes several issues: Security issues fixed: - CVE-2018-1000301: Fixed an RTSP bad-headers buffer over-read that could crash the curl client (bsc#1092098) Non security issues fixed: - If the DEFAULT_SUSE cipher list is not available use the HIGH cipher alias before failing. (bsc#1086825) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:964-1 Released: Tue May 22 18:31:29 2018 Summary: Security update for python Type: security Severity: moderate References: 1068664,1079300,CVE-2017-1000158,CVE-2018-1000030 Description: This update for python fixes the following issues: Security issues fixed: - CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664). 
- CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same I/O stream concurrently (bsc#1079300). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:974-1 Released: Wed May 23 16:46:50 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323 Description: This update for systemd provides the following fixes: - sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092) - sysusers: Also add support for NIS entries in /etc/shadow. - sysusers: Make sure to reset errno before calling fget*ent(). - coredump: Respect ulimit -c 0 settings. (bsc#1075804) - systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626) - systemctl: Don't mangle unit names in check_unit_generic(). - rules, compat-rules: Fix errors detected by the rule syntax checker. - python: Use raw strings for regexp patterns. - compat-rules: Make path_id_compat build with meson. - compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465) - Fix memory hotplugging. - systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485) - systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422) - Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. 
(bsc#1087323) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:977-1 Released: Wed May 23 17:14:16 2018 Summary: Security update for bash Type: security Severity: moderate References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543 Description: This update for bash fixes the following issues: Security issues fixed: - CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299) - CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396) Non-security issues fixed: - Fix repeating self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:978-1 Released: Wed May 23 17:18:39 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 Description: This update for zlib fixes the following issues: - Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1028-1 Released: Tue Jun 5 13:20:44 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1089884 Description: This update for pam fixes the following issues: - Fix order of accessed configuration files in man page. 
(bsc#1089884) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1077-1 Released: Wed Jun 6 11:44:25 2018 Summary: Security update for glibc Type: security Severity: important References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 Description: This update for glibc fixes the following issues: - CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150) - CVE-2018-11236: Fix overflow in path length computation (bsc#1094161) - CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154) Non security bugs fixed: - Fix crash in resolver on memory allocation failure (bsc#1086690) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1082-1 Released: Thu Jun 7 12:58:56 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1073879,1080078,964063 Description: This update for rpm fixes the following issues: - Backport support for no_recompute_build_ids macro. (bsc#964063) - Fix code execution when evaluating common python-related macros. (bsc#1080078) Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1141-1 Released: Fri Jun 15 13:41:08 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 Description: This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1144-1 Released: Fri Jun 15 19:19:29 2018 Summary: Recommended update for logrotate Type: recommended Severity: moderate References: 1093617 Description: This update for logrotate provides the following fix: - Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1145-1 Released: Fri Jun 15 19:19:51 2018 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1090765 Description: This update for openssl provides the following fix: - Suggest libopenssl1_0_0-hmac from libopenssl1_0_0 package to avoid dependency issues during updates. 
(bsc#1090765) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1157-1 Released: Tue Jun 19 15:31:48 2018 Summary: Security update for salt Type: security Severity: moderate References: 1059291,1061407,1062464,1064520,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1090242,1091371,1092161,1092373,1094055,1097174,1097413,CVE-2017-14695,CVE-2017-14696 Description: This update for salt provides version 2018.3 and brings many fixes and improvements: - Fix for sorting of multi-version packages (bsc#1097174 and bsc#1097413) - Align SUSE salt-master.service 'LimitNOFILES' limit with upstream Salt - Add 'other' attribute to GECOS fields to avoid inconsistencies with chfn - Prevent zypper from parsing repo configuration from files other than .repo files (bsc#1094055) - Collect all versions of installed packages on SUSE and RHEL systems (bsc#1089526) - No more AWS EC2 rate limitations in salt-cloud. (bsc#1088888) - MySQL returner now also allows using Unix sockets. (bsc#1091371) - Do not override jid on returners, only sending back to master. (bsc#1092373) - Remove minion/thin/version if exists to force thin regeneration. (bsc#1092161) - Fix minion scheduler to return a 'retcode' attribute. (bsc#1089112) - Fix for logging during network interface querying. (bsc#1087581) - Fix RHEL packages requiring both net-tools and iproute. (bsc#1087055) - Fix patchinstall on yum module. Bad comparison. (bsc#1087278) - Strip trailing commas on Linux user's GECOS fields. (bsc#1089362) - Fallback to PyMySQL. (bsc#1087891) - Fix for [Errno 0] Resolver Error 0 (no error). (bsc#1087581) - Add python-2.6 support to salt-ssh. - Make it possible to use docker login, pull and push from module.run and detect errors. - Fix unicode decode error with salt-ssh. - Fix cp.push empty file. (bsc#1075950) - Fix grains containing trailing '\n'. - Remove salt-minion python2 requirement when python3 is default. 
(bsc#1081592) - Restore installation of packages for RHEL 6 and 7. - Prevent queryformat pattern from expanding. (bsc#1079048) - Fix for delete_deployment in Kubernetes module. (bsc#1059291) - Fix bsc#1062464 and CVE-2017-14696 already included in 2017.7.2. - Fix wrong version reported by Salt. (bsc#1061407) - Run salt-api as user salt. (bsc#1064520) For a detailed description, please refer to the upstream-changelog at https://docs.saltstack.com/en/latest/topics/releases/index.html or to the rpm-changelog. supportutils-plugin-salt: - Collect salt-api, salt-broker and salt-ssh log files (bsc#1090242) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1242-1 Released: Thu Jun 28 13:44:16 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). 
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1276-1 Released: Thu Jul 5 08:36:17 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1097158,1097624,1098592,CVE-2018-0732 Description: This update for openssl fixes the following issues: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158). - Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1328-1 Released: Tue Jul 17 08:07:57 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issues were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). 
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1351-1 Released: Thu Jul 19 09:43:21 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1376-1 Released: Mon Jul 23 10:54:47 2018 Summary: Security update for python Type: security Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1400-1 Released: Thu Jul 26 16:32:29 2018 Summary: Security update for util-linux Type: security Severity: moderate References: 1072947,1078662,1080740,1084300,CVE-2018-7738 Description: This update for util-linux fixes the following issues: This security issue was fixed: - CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300). These non-security issues were fixed: - Fixed crash loop in lscpu (bsc#1072947). - Fixed possible segfault of umount -a. - Fixed mount -a on NFS bind mounts (bsc#1080740). 
- Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1413-1 Released: Fri Jul 27 12:41:13 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1450-1 Released: Mon Jul 30 10:10:45 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:1515-1 Released: Tue Aug 7 20:19:04 2018 Summary: Introduce packages added to SLES 12 SP3 after release Type: optional Severity: low References: 1102861 Description: This update adds packages to the SUSE Linux Enterprise Server 12 SP3 for Teradata which were added after the release of SLES 12 SP3. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1549-1 Released: Mon Aug 13 13:41:22 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fixes: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. 
(bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:1579-1 Released: Wed Aug 15 16:16:52 2018 Summary: Initial release of python-typing Type: optional Severity: low References: 1072973 Description: This update adds python-typing to the SUSE Linux Enterprise Server 12. The typing module backports the standard library's typing module to Python versions older than 3.5. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1610-1 Released: Thu Aug 16 14:04:25 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1612-1 Released: Thu Aug 16 14:04:38 2018 Summary: Security update for python Type: security Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. 
[bsc#1083507, CVE-2017-18207] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1620-1 Released: Thu Aug 16 14:49:45 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1632-1 Released: Thu Aug 16 15:27:04 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096 Description: This update for systemd fixes the following issues: - core: In --user mode, report READY=1 as soon as basic.target is reached. - sd-bus: Extend D-Bus authentication timeout considerably. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096) - compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096) - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761) - rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables. - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - device: Skip deserialization of device units when udevd is not running. - install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search preset files in /run. - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890) - logind: Do not use an uninitialized variable. 
(bsc#1088890) - Disable user services by default. (bsc#1090785) - Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post which made the symlink not owned and more importantly it was created only if /etc/sysctl.conf is already installed which is not always the case during the installation process it seems. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead since it's a distro default behavior that might be overridden by the sysadmin later. - systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition so that the rule can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in kernel. This change prevents the udev rules for acpi container from being triggered by 'udevadm trigger' from user space. - build-sys: Explicitly require python3. (bsc#1082004) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1636-1 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1689-1 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. 
(bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1691-1 Released: Mon Aug 20 09:04:17 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fixes: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1695-1 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issues were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). 
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1698-1 Released: Mon Aug 20 09:19:28 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:1703-1 Released: Mon Aug 20 13:49:57 2018 Summary: Initial release of python-typing Type: optional Severity: low References: 1072973 Description: This update adds python-typing to the SUSE Linux Enterprise Desktop 12. The typing module backports the standard library's typing module to Python versions older than 3.5. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1716-1 Released: Mon Aug 20 17:03:40 2018 Summary: Recommended update for Salt Type: recommended Severity: moderate References: 1057635,1072599,1089526,1095507,1096514,1098394,1099323,1099460,1099945,1100142,1100225,1100697,1101812,1101880,1102218,1102265 Description: This update for salt fixes the following issues: - Fix file.blockreplace to avoid throwing IndexError. (bsc#1101812) - Fix pkg.upgrade reports when dealing with multiversion packages. (bsc#1102265) - Fix UnicodeDecodeError using is_binary check. (bsc#1100225) - Fix corrupt public key with m2crypto python3. (bsc#1099323) - Prevent payload crash on decoding binary data. (bsc#1100697) - Accounting for when files in an archive contain non-ascii characters. (bsc#1099460) - Handle packages with multiple version properly with zypper. 
(bsc#1096514) - Fix file.get_diff regression on 2018.3. (bsc#1098394) - Provide python version mismatch solutions. (bsc#1072599) - Add custom SUSE capabilities as Grains. (bsc#1089526) - Fix file.managed binary file utf8 error. (bsc#1098394) - Multiversion patch plus upstream fix and patch reordering. - Add environment variable to know if yum is invoked from Salt. (bsc#1057635) - Prevent deprecation warning with salt-ssh. (bsc#1095507) - Add missing dateutils import (bsc#1099945) - Check dmidecoder executable on each 'smbios' call to avoid race condition (bsc#1101880) - Fix mine.get not returning data - workaround for #48020 (bsc#1100142) - Add API log rotation on SUSE package (bsc#1102218) - Backport the new libvirt_events engine from upstream ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1753-1 Released: Fri Aug 24 14:24:17 2018 Summary: Security update for python Type: security Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1834-1 Released: Wed Sep 5 10:17:42 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1089761,1090944,1101040,1103910 Description: This update for systemd fixes the following issues: - cryptsetup: Add support for sector-size= option. (fate#325634) - resolved: Apply epoch to system time from PID 1. (bsc#1103910) - core/service: Rework the hold-off time over message. - core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944) - man: SystemMaxUse= clarification in journald.conf(5). 
(bsc#1101040) - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1903-1 Released: Fri Sep 14 12:46:21 2018 Summary: Security update for curl Type: security Severity: moderate References: 1089533,1106019,CVE-2018-14618 Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1927-1 Released: Wed Sep 19 21:33:08 2018 Summary: Recommended update for python-M2Crypto Type: recommended Severity: moderate References: 1072973 Description: This update for python-M2Crypto provides version 0.29.0 and brings many fixes and improvements. For a detailed description, please refer to the changelog. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1969-1 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. - libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1985-1 Released: Mon Sep 24 
11:56:08 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1994-1 Released: Mon Sep 24 12:55:57 2018 Summary: Security update for shadow Type: security Severity: moderate References: 1106914 Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2023-1 Released: Wed Sep 26 09:48:49 2018 Summary: Recommended update for patchinfo.salt, salt Type: recommended Severity: moderate References: 1095942,1102013,1103530,1104154 Description: This update for salt fixes the following issues: - Prepend current directory when path is just filename. (bsc#1095942) - Only do reverse DNS lookup on IPs for salt-ssh. (bsc#1104154) - Add support for Python 3.7 and Tornado 5.0. - Decode file contents for python2. (bsc#1102013, bsc#1103530) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2069-1 Released: Fri Sep 28 08:01:25 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737 Description: This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. 
An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2162-1 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1088921 Description: This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2181-1 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). 
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2196-1 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2217-1 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1094121,1107430 Description: This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. 
- Avoid `xtrace' attack over $PS4. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2373-1 Released: Mon Oct 22 14:43:47 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1077692,943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This non-security issue was fixed: - Use ksym-provides tool [bsc#1077692] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2379-1 Released: Tue Oct 23 10:32:56 2018 Summary: Recommended update for Salt Type: recommended Severity: moderate References: 1095651,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893 Description: This update fixes the following issues: salt: - Improved IPv6 address handling (bsc#1108557) - Better handling for zypper exiting with exit code ZYPPER_EXIT_NO_REPOS (bsc#1108834, bsc#1109893) - Fix for dependency problem with pip (bsc#1104491) - Fix loosen azure sdk dependencies in azurearm cloud driver (bsc#1107333) - Fix for Python3 issue in zypper (bsc#1108995) - Allow running salt-cloud in GCE using instance credentials (bsc#1108969) - Improved handling of Python unicode literals in YAML parsing (bsc#1095651) - Fix for Salt 'acl.present' and 'acl.absent' states to make them 
successfully work recursively when 'recurse=True'. (bsc#1106164) - Fix for Python3 byte/unicode mismatch and additional minor bugfixes to x509 module. - Integration of MSI authentication for azurearm - Compound list targeting wrongly returned with minions specified in 'not'. - Fixes the x509 module to work, when using the sign_remote_certificate functionality. - Fix for SUSE Expanded Support os grain detection (returned 'Redhat' instead of 'Centos') ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2435-1 Released: Wed Oct 24 14:42:43 2018 Summary: Recommended update for systemd Type: recommended Severity: important References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901 Description: This update for systemd fixes the following issues: - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254) - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753) - socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901) - user at .service: don't kill user manager at runlevel switch (bsc#1091677) - units: make sure user at .service runs with dbus still up - fix race between daemon-reload and other commands (bsc#1105031) - nspawn: always use mode 555 for /sys (bsc#1107640) - cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990) - Enable or disable machines.target according to the presets (bsc#1107941) ----------------------------------------------------------------- 
Advisory ID: SUSE-RU-2018:2475-1
Released: Thu Oct 25 16:56:24 2018
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:
- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released: Fri Oct 26 12:39:59 2018
Summary: Recommended update for cpio
Type: recommended
Severity: low
References: 1076810,889138
Description:
This update for cpio provides the following fix:
- Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Type: recommended
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:
- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires on kbd in order to resolve the build cycle between kbd and console-setup. (bsc#963942)

Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non x86 platforms
  * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
  * Drop some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with the new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock. (bsc#1056449)
  * Revert dropping of the kbd-legacy requirement as there are still packages and installation flows that need it to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce the correct unicode character for the Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2520-1
Released: Mon Oct 29 17:28:57 2018
Summary: Security update for python, python-base
Type: security
Severity: moderate
References: 1086001,1088004,1088009,1109663,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Description:
This update for python, python-base fixes the following issues:

Security issues fixed:
- CVE-2018-1000802: Prevent command injection in shutil module (make_archive function) via passage of unfiltered user input (bsc#1109663).
- CVE-2018-1061: Fixed DoS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (bsc#1088004).
- CVE-2018-1060: Fixed DoS via regular expression catastrophic backtracking in apop() method in pop3lib (bsc#1088009).

Bug fixes:
- bsc#1086001: python tarfile uses random order.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released: Tue Oct 30 09:22:45 2018
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1113117
Description:
This update for bash fixes the following issues:
- A recently released update introduced a change of behavior which resulted in broken customer scripts. (bsc#1113117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released: Fri Nov 2 17:09:49 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:
- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released: Fri Nov 2 18:59:06 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:
- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released: Wed Nov 7 11:04:00 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1095148,1113100
Description:
This update for rpm fixes the following issues:
- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released: Wed Nov 14 14:14:41 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:

Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package. This script was part of the systemd-sysvinit sub-package, which was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2745-1
Released: Thu Nov 22 16:13:42 2018
Summary: Security update for salt
Type: security
Severity: important
References: 1110938,1113698,1113699,1113784,1114197,CVE-2018-15750,CVE-2018-15751
Description:
This update for salt fixes the following issues:

Security issues fixed:
- CVE-2018-15750: Fixed directory traversal vulnerability in salt-api (bsc#1113698).
- CVE-2018-15751: Fixed remote authentication bypass in salt-api (netapi) that allowed execution of arbitrary commands (bsc#1113699).

Non-security issues fixed:
- Improved handling of LDAP group id. gid is no longer treated as a string, which could have led to faulty group creations (bsc#1113784).
- Fix async call to process manager (bsc#1110938).
- Fixed OS arch detection when RPM is not installed (bsc#1114197).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released: Thu Nov 22 16:25:38 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:

Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released: Fri Nov 23 17:07:27 2018
Summary: Security update for rpm
Type: security
Severity: important
References: 943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released: Fri Nov 23 17:08:32 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released: Tue Nov 27 13:39:49 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released: Mon Dec 3 15:34:09 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released: Wed Dec 5 09:29:31 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:
- Systemd-aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released: Wed Dec 5 09:57:54 2018
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:
- Allow setuid root for start-suid tool of singularity (group only) (bsc#1028304)
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247, bsc#1097665)
- Make btmp root:utmp (bsc#1050467)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released: Wed Dec 5 09:59:45 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:
- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2880-1
Released: Fri Dec 7 14:50:23 2018
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1112874,1114824
Description:
This update fixes the following issues:

salt:
- Crontab module fix: file attributes option missing (bsc#1114824)
- Fix git_pillar merging across multiple __env__ repositories (bsc#1112874)
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2906-1 Released: Tue Dec 11 21:48:05 2018 Summary: Recommended update for blog Type: recommended Severity: moderate References: 1071568 Description: This update for blog fixes the following issues: - Hardening of the console list generation (bsc#1071568) - Changed description of blog-plymouth in same manner as used by the release notes ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2947-1 Released: Mon Dec 17 08:51:28 2018 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,CVE-2017-17740 Description: This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2975-1 Released: Tue Dec 18 13:45:02 2018 Summary: Recommended update for python-psutil Type: recommended Severity: moderate References: 1111800 Description: python-psutil was updated to version 5.2.2 to fulfill requirements of other packages. (FATE#326775, bsc#1111800) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:3029-1 Released: Fri Dec 21 17:34:05 2018 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1117355 Description: This update for libgcrypt provides the following fix: - Fail selftests when checksum file is missing in FIPS mode only. 
(bsc#1117355) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:43-1 Released: Tue Jan 8 13:07:17 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 Description: This update for acl fixes the following issues: - quote: Escape literal backslashes (bsc#953659). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:111-1 Released: Thu Jan 17 14:18:31 2019 Summary: Security update for krb5 Type: security Severity: important References: 1120489,CVE-2018-20217 Description: This update for krb5 fixes the following issues: Security issue fixed: - CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:135-1 Released: Mon Jan 21 13:53:58 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866 Description: This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - core: Queue loading transient units after setting their properties. (bsc#1115518) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - terminal-util: introduce vt_release() and vt_restore() helpers. - terminal: Unify code for resetting kbd utf8 mode a bit. - terminal Reset should honour default_utf8 kernel setting. - logind: Make session_restore_vt() static. - udev: Downgrade message when settting inotify watch up fails. 
(bsc#1005023) - log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:143-1 Released: Tue Jan 22 14:21:55 2019 Summary: Recommended update for ncurses Type: recommended Severity: important References: 1121450 Description: This update for ncurses fixes the following issues: - ncurses applications freezing (bsc#1121450) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:342-1 Released: Wed Feb 13 11:04:32 2019 Summary: Recommended update for Salt Type: recommended Severity: moderate References: 1099887,1114029,1114474,1116837,1117995,1121091,1123044,1123512 Description: This update fixes the following issues: salt: - Remove patch unable install salt minions on SLE 15 (bsc#1123512) - Fix integration tests in state compiler (U#2068) - Fix 'pkg.list_pkgs' output when using 'attr' to take the arch into account (bsc#1114029) - Fix powerpc null server_id_arch (bsc#1117995) - Fix module 'azure.storage' has no attribute '__version__' (bsc#1121091) - Add supportconfig module and states for minions and SaltSSH - Fix FIPS enabled RES clients (bsc#1099887) - Add hold/unhold functions. Fix Debian repo 'signed-by'. 
- Strip architecture from debian package names
- Fix latin1 encoding problems on file module (bsc#1116837)
- Don't error on retcode 0 in libcrypto.OPENSSL_init_crypto
- Handle anycast IPv6 addresses on network.routes (bsc#1114474)
- Debian info_installed compatibility (U#50453)
- Add compatibility with other package modules for 'list_repos' function
- Remove MSI Azure cloud module authentication patch (bsc#1123044)
- Don't encode response string from role API

From sle-updates at lists.suse.com Thu Jan 16 09:59:21 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:59:21 +0100 (CET)
Subject: SUSE-CU-2019:724-1: Recommended update of caasp/v4/openldap
Message-ID: <20200116165921.DF90FF796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/openldap
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:724-1
Container Tags        : caasp/v4/openldap:2.4.41 , caasp/v4/openldap:2.4.41-rev1 , caasp/v4/openldap:2.4.41-rev1-build2.1 , caasp/v4/openldap:beta1
Severity              : low
Type                  : recommended
References            :
-----------------------------------------------------------------

The container caasp/v4/openldap was updated.
The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 10:01:49 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:01:49 +0100 (CET)
Subject: SUSE-CU-2019:735-1: Security update of caasp/v4/skuba-tooling
Message-ID: <20200116170149.15E9AF79E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/skuba-tooling
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:735-1
Container Tags        : caasp/v4/skuba-tooling:0.1.0 , caasp/v4/skuba-tooling:0.1.0-rev2 , caasp/v4/skuba-tooling:0.1.0-rev2-build1.1 , caasp/v4/skuba-tooling:beta
Severity              : important
Type                  : security
References            :
-----------------------------------------------------------------

The container caasp/v4/skuba-tooling was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released:    Tue Jun 26 11:41:00 2018
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1264-1
Released:    Tue Jul 3 10:56:12 2018
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  1086367
Description:
This update for curl provides the following fix:

- Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines.
(bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released:    Tue Jul 17 08:07:24 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1096718,CVE-2018-12015
Description:
This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released:    Thu Jul 19 09:25:08 2018
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, or resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released:    Thu Jul 19 09:50:32 2018
Summary:     Security update for e2fsprogs
Type:        security
Severity:    moderate
References:  1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572
Description:
This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released:    Thu Jul 19 12:47:33 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1100415
Description:
ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store.
(bsc#1100415)

The following CAs were removed:
* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1396-1
Released:    Thu Jul 26 16:23:09 2018
Summary:     Security update for rpm
Type:        security
Severity:    moderate
References:  1094735,1095148,943457,CVE-2017-7500
Description:
This update for rpm fixes the following issues:

This security vulnerability was fixed:

- CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released:    Fri Jul 27 06:45:10 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569
Description:
This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple.
(bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut; otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where the initrd matters, dracut should be pulled in via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1685-1
Released:    Fri Aug 17 18:20:58 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1099793,CVE-2018-0500
Description:
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-0500: Fix an SMTP send heap buffer overflow (bsc#1099793).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released:    Fri Aug 24 16:40:21 2018
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1104780
Description:
This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store.
(bsc#1104780)

- removed server auth rights from the following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- removed CA:
  - ComSign CA
- new CA added:
  - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released:    Fri Aug 24 17:14:53 2018
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1072183
Description:
This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1904-1
Released:    Fri Sep 14 12:46:39 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1086367,1106019,CVE-2018-14618
Description:
This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)

This non-security issue was fixed:

- Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engine conflicts (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released:    Tue Sep 25 08:20:35 2018
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1071321
Description:
This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released:    Thu Sep 27 14:30:14 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1089640
Description:
This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest.
(bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2070-1
Released:    Fri Sep 28 08:02:02 2018
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846
Description:
This update for gnutls fixes the following security issues:

- Improved mitigations against the Lucky 13 class of attacks
- CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460)
- CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky Thirteen attack due to use of wrong constant (bsc#1105459)
- CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky Thirteen attack due to not enough dummy function calls (bsc#1105437)
- CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2083-1
Released:    Sun Sep 30 14:06:33 2018
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1097158,1101470,CVE-2018-0732
Description:
This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite, a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial of Service attack (bsc#1097158)
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks

These non-security issues were fixed:

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add an openssl(cli) Provides so that packages which require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released:    Fri Oct 5 14:41:17 2018
Summary:     Recommended update for ca-certificates
Type:        recommended
Severity:    moderate
References:  1101470
Description:
This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released:    Tue Oct 9 09:00:13 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1095661,1095670,1100488
Description:
This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause the hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, where setting the SIGINT handler to the default and typing ^C would cause the shell to exit.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released:    Tue Oct 9 11:08:36 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:
This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case, leading to a denial of service attack (bsc#1102046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released:    Mon Oct 22 14:02:01 2018
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1102310,1104531
Description:
This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if the java system directory is empty. (bsc#1102310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released:    Fri Oct 26 12:39:07 2018
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1102526
Description:
This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2539-1
Released:    Tue Oct 30 16:17:23 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1113100
Description:
This update for rpm fixes the following issues:

- On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released:    Fri Nov 2 19:00:18 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1110700
Description:
This update for pam fixes the following issues:

- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2578-1
Released:    Mon Nov 5 17:55:35 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:

- CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released:    Wed Nov 7 11:14:42 2018
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non-security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package. This script was part of the systemd-sysvinit sub-package, but that was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' produced harmless DENIED log entries. (bsc#991901)
- No longer adjusts qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released:    Wed Nov 7 15:42:48 2018
Summary:     Optional update for gcc8
Type:        recommended
Severity:    low
References:  1084812,1084842,1087550,1094222,1102564
Description:
The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several bugs have been fixed, quite some new warnings have been added, and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html

Changes needed and common pitfalls when porting software are described at: https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released:    Mon Dec 3 15:35:02 2018
Summary:     Security update for pam
Type:        security
Severity:    important
References:  1115640,CVE-2018-17953
Description:
This update for pam fixes the following issue:

Security issue fixed:

- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so, which was not honoured correctly when a single host was specified (bsc#1115640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2861-1
Released:    Thu Dec 6 14:32:01 2018
Summary:     Security update for ncurses
Type:        security
Severity:    important
References:  1103320,1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-19211: Fixed a denial of service issue that was triggered by a NULL pointer dereference in the function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:

- Remove scree.xterm from the terminfo database; with this, screen uses the fallback TERM=screen (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2984-1
Released:    Wed Dec 19 11:32:39 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314
Description:
This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2986-1
Released:    Wed Dec 19 13:53:22 2018
Summary:     Security update for libnettle
Type:        security
Severity:    moderate
References:  1118086,CVE-2018-16869
Description:
This update for libnettle fixes the following issues:

Security issues fixed:

- CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:23-1
Released:    Mon Jan 7 16:30:33 2019
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  1120346,CVE-2018-1000858
Description:
This update for gpg2 fixes the following issue:

Security issue fixed:

- CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in attacker-controlled CSRF (bsc#1120346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:44-1
Released:    Tue Jan 8 13:07:32 2019
Summary:     Recommended update for acl
Type:        recommended
Severity:    low
References:  953659
Description:
This update for acl fixes the following issues:

- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes.
(bsc#953659)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:137-1
Released:    Mon Jan 21 15:52:45 2019
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954
Description:
This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state, and that failure code prevents the hot-added memory block from being set online.
(bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:147-1
Released:    Wed Jan 23 17:57:31 2019
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1121446
Description:
This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:
- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:
- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:189-1
Released:    Mon Jan 28 14:14:46 2019
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:
Description:
This update for rpm fixes the following issues:

- Add kmod(module) provides to kernel and KMPs (fate#326579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:247-1
Released:    Wed Feb 6 07:18:45 2019
Summary:     Security update for lua53
Type:        security
Severity:    moderate
References:  1123043,CVE-2019-6706
Description:
This update for lua53 fixes the following issues:

Security issue fixed:

- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:248-1
Released:    Wed Feb 6 08:35:20 2019
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released:    Wed Feb 13 14:01:42 2019
Summary:     Recommended update for itstool
Type:        recommended
Severity:    moderate
References:  1065270,1111019
Description:
This update for itstool and python-libxml2-python fixes the following issues:

Package: itstool

- Updated version to support Python3. (bnc#1111019)

Package: python-libxml2-python

- Fix segfault when parsing invalid data.
(bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 Description: This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceed - automount: don't pass non-blocking pipe to
kernel. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 Description: This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:664-1 Released: Wed Mar 20 14:54:12 2019 Summary: Recommended update for gpgme Type: recommended Severity: low References: 1121051 Description: This update for gpgme provides the following fix: - Re-generate keys in Qt tests to not expire.
(bsc#1121051) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 Description: This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with 'GSSAPI client step 1' messages. In the server context the connection is passed to the log function, but the client context carries no log level information, so there was no way to suppress DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 Description: This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 Description: This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 Description: This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 Description: This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error in the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and to the processing of the PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses do not depend on the validity or length of the message. Side-channel leakage from the caller's use of the length and return value may still provide an oracle usable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 Description: This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689).
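The libnettle 3.4.1 advisory (SUSE-RU-2019:791-1) above makes a point that is easy to miss: even after rsa_decrypt and rsa_decrypt_tr were made side-channel silent internally, a caller that branches on the return value or on the recovered message length still exposes a padding oracle, which is why the advisory recommends rsa_sec_decrypt, whose caller states the expected message length up front and always receives exactly that many bytes. The following C program is an added example written for this page, not nettle's code: it models only the PKCS#1 v1.5 unpadding step on an already-decrypted block (the RSA exponentiation itself is left out), contrasts a variable-length unpadder with early exits against one that follows the rsa_sec_decrypt contract, and shows the RFC 5246 section 7.4.7.1 style caller that selects between the message and a pre-generated fallback with a mask rather than a branch. The function names, the 32-byte sample block and the fallback bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not nettle's code. Input is the already-decrypted RSA
 * block EM of k bytes, laid out as 00 02 | >= 8 nonzero bytes | 00 | msg.
 * Constant-time primitives: no secret-dependent branches or indices. */
static uint8_t ct_is_zero(uint8_t x) { return (uint8_t)(((uint32_t)x - 1u) >> 31); }
static uint8_t ct_eq(uint8_t a, uint8_t b) { return ct_is_zero((uint8_t)(a ^ b)); }
static uint8_t ct_mask(uint8_t bit) { return (uint8_t)(0u - bit); } /* 1 -> 0xFF */

/* rsa_decrypt-style contract: variable output length and early exits.
 * Whether, where and how fast this fails, plus *out_len, all depend on
 * the padding, so timing and the return value form a Bleichenbacher oracle. */
int unpad_leaky(const uint8_t *em, size_t k, uint8_t *out, size_t *out_len)
{
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02)
        return 0;
    size_t i = 2;
    while (i < k && em[i] != 0x00)   /* scan for the 00 separator */
        i++;
    if (i < 10 || i == k)            /* < 8 padding bytes, or no separator */
        return 0;
    i++;
    *out_len = k - i;
    memcpy(out, em + i, *out_len);
    return 1;
}

/* rsa_sec_decrypt-style contract: the caller states the message length it
 * expects, exactly len bytes are always written from a fixed offset, and
 * validity is accumulated without branching on EM. Only k and len, which
 * are public, influence control flow. The caller must not branch on the
 * result either; see sec_decrypt_with_fallback. */
int unpad_ct(const uint8_t *em, size_t k, uint8_t *out, size_t len)
{
    memset(out, 0, len);
    if (k < 11 || len > k - 11)      /* public-size check: room for 8 pad bytes */
        return 0;
    size_t sep = k - len - 1;        /* where the 00 separator must sit */
    uint8_t ok = (uint8_t)(ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02));
    for (size_t i = 2; i < sep; i++) /* bounds depend on k and len only */
        ok &= (uint8_t)(1u - ct_is_zero(em[i]));
    ok &= ct_is_zero(em[sep]);
    memcpy(out, em + sep + 1, len);  /* same copy whether valid or not */
    return ok;
}

/* RFC 5246 7.4.7.1 style caller: select with a mask, not a branch, so an
 * invalid block yields the pre-generated fallback in the same time and
 * with the same memory traffic as a valid block yields the message. */
void sec_decrypt_with_fallback(const uint8_t *em, size_t k,
                               const uint8_t *fallback, uint8_t *out, size_t len)
{
    uint8_t mask = ct_mask((uint8_t)unpad_ct(em, k, out, len));
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)((out[i] & mask) | (fallback[i] & (uint8_t)~mask));
}

/* Constructed sample block, k = 32: 00 02 | 24 nonzero bytes | 00 | "hello". */
static const uint8_t SAMPLE_EM[32] = {
    0x00, 0x02,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x10,
    0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, 0x90,
    0x00, 'h', 'e', 'l', 'l', 'o'
};
static const uint8_t FALLBACK[5] = { 0xde, 0xad, 0xbe, 0xef, 0x01 };

/* 1 if both unpadders recover "hello" from the valid block. */
int check_valid_block(void)
{
    uint8_t a[32], b[5];
    size_t n = 0;
    int ok_leaky = unpad_leaky(SAMPLE_EM, 32, a, &n) && n == 5 && memcmp(a, "hello", 5) == 0;
    int ok_ct = unpad_ct(SAMPLE_EM, 32, b, 5) == 1 && memcmp(b, "hello", 5) == 0;
    return ok_leaky && ok_ct;
}

/* 1 if a block with a corrupted 02 marker is rejected by both unpadders
 * and the masked caller hands back the fallback bytes. */
int check_corrupted_block(void)
{
    uint8_t em[32], a[32], b[5];
    size_t n = 0;
    memcpy(em, SAMPLE_EM, 32);
    em[1] = 0x01;
    int rej_leaky = unpad_leaky(em, 32, a, &n) == 0;
    int rej_ct = unpad_ct(em, 32, b, 5) == 0;
    sec_decrypt_with_fallback(em, 32, FALLBACK, b, 5);
    return rej_leaky && rej_ct && memcmp(b, FALLBACK, 5) == 0;
}

/* 1 if asking for a length the block does not carry is rejected. */
int check_wrong_length(void)
{
    uint8_t b[4];
    return unpad_ct(SAMPLE_EM, 32, b, 4) == 0;
}
```

The leaky variant is the pattern to look for in code review: any `if (!rsa_decrypt(...))` followed by an error path that is faster, noisier or differently sized than the success path is an oracle, no matter how constant-time the library underneath has become. The rsa_sec_decrypt-style contract only helps if the caller honours it, which is why `sec_decrypt_with_fallback` consumes the validity result through a mask and never branches on it.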
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:894-1 Released: Fri Apr 5 17:16:23 2019 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1119414,1126327,1129753,SLE-3853,SLE-4117 Description: This update for rpm fixes the following issues: - This update shortens the RPM changelog to entries after a certain cut-off date (bsc#1129753) - Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414). - Re-add symset-table from SLE 12 (bsc#1126327). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:903-1 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of the getaddrinfo function which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issues fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list, due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1002-1 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1110304,1129576 Description: This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1040-1 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Type: security Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 Description: This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out-of-bounds read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide by the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependent 32bit libraries. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1121-1 Released: Tue Apr 30 18:02:43 2019 Summary: Security update for gnutls Type: security Severity: important References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836 Description: This update for gnutls to version 3.6.7 fixes the following issues: Security issues fixed: - CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681). - CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087) Non-security issue fixed: - Update gnutls to support TLS 1.3 (fate#327114) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 Description: This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read when running fts5 prefix queries inside a transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1206-1 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Type: security Severity: low References: 985657,CVE-2016-3189 Description: This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1312-1 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1096191 Description: This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1351-1 Released: Fri May 24 14:41:10 2019 Summary: Security update for gnutls Type: security Severity: important References: 1118087,1134856,CVE-2018-16868 Description: This update for gnutls fixes the following issues: Security issue fixed: - CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087). Non-security issue fixed: - Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1357-1 Released: Mon May 27 13:29:15 2019 Summary: Security update for curl Type: security Severity: important References: 1135170,CVE-2019-5436 Description: This update for curl fixes the following issues: Security issue fixed: - CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet, the function that receives data from a TFTP server (bsc#1135170).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1364-1 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). - CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issues fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 Description: This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1372-1 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1105435,CVE-2018-1000654 Description: This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1484-1 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 Description: This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1486-1 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Type: security Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 Description: This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the 
missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726) - CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: Fixed dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated (bsc#1123685) - CVE-2019-7665: Fixed handling of the NT_PLATFORM core file note, which should be a zero-terminated string (bsc#1125007) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1590-1 Released: Thu Jun 20 19:49:57 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1128598 Description: This update for permissions fixes the following issues: - Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1595-1 Released: Fri Jun 21 10:17:44 2019 Summary: Security update for dbus-1 Type: security Severity: important References: 1137832,CVE-2019-12749 Description: This update for dbus-1 fixes the following issues: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1631-1 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Type: recommended Severity: low References: 1135709 Description: This update for xz fixes the following issues: - Add the SUSE-Public-Domain licence tag, as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in the public domain [bsc#1135709] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1635-1 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1134217 Description: This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. (bsc#1134217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1700-1 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Type: recommended Severity: moderate References: 1134193 Description: This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1808-1 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1133808 Description: This update for libgcrypt fixes the following issues: - Fixed redundant FIPS tests that in some situations caused sudo to stop working when pam-kwallet is installed.
bsc#1133808 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1835-1 Released: Fri Jul 12 18:06:31 2019 Summary: Security update for expat Type: security Severity: moderate References: 1139937,CVE-2018-20843 Description: This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large number of colons (bsc#1139937). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1846-1 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 Description: This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1853-1 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1107617,1137053 Description: This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc. Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc, but let's make sure no future changes will introduce new ones by mistake.
From sle-updates at lists.suse.com Thu Jan 16 09:58:23 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 17:58:23 +0100 (CET) Subject: SUSE-CU-2019:718-1: Recommended update of caasp/v4/pause Message-ID: <20200116165823.26E4DF796@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/pause ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:718-1 Container Tags : caasp/v4/pause:1.0.0 , caasp/v4/pause:1.0.0-rev1 , caasp/v4/pause:1.0.0-rev1-build2.1 , caasp/v4/pause:beta1 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v4/pause was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Thu Jan 16 10:02:03 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 18:02:03 +0100 (CET) Subject: SUSE-CU-2019:737-1: Recommended update of caasp/v4/skuba-tooling Message-ID: <20200116170203.3BF25F79E@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/skuba-tooling ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:737-1 Container Tags : caasp/v4/skuba-tooling:0.1.0 , caasp/v4/skuba-tooling:0.1.0-rev4 , caasp/v4/skuba-tooling:0.1.0-rev4-build1.1 Severity : important Type : recommended References : 1097073 1136717 1137624 1140647 1141059 1141883 SLE-5807 ----------------------------------------------------------------- The container caasp/v4/skuba-tooling was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2097-1 Released: Fri Aug 9 09:31:17 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1097073 Description: This update for libgcrypt fixes the following issues: - Fixed a regression where systems were unable to boot in FIPS mode, caused by an incomplete implementation of a previous change (bsc#1097073). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2134-1 Released: Wed Aug 14 11:54:56 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1136717,1137624,1141059,SLE-5807 Description: This update for zlib fixes the following issues: - Update the s390 patchset. (bsc#1137624) - Tweak zlib-power8 to have the type of crc32_vpmsum conform to usage. (bsc#1141059) - Use FAT LTO objects in order to provide a proper static library. - Do not enable the previous patchset on s390 but just s390x. (bsc#1137624) - Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2188-1 Released: Wed Aug 21 10:10:29 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1140647 Description: This update for aaa_base fixes the following issues: - Make systemd detection cgroup oblivious. (bsc#1140647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2218-1 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Type: recommended Severity: moderate References: 1141883 Description: This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes.
(bsc#1141883) From sle-updates at lists.suse.com Thu Jan 16 09:57:40 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 17:57:40 +0100 (CET) Subject: SUSE-CU-2019:713-1: Recommended update of caasp/v4/kubedns Message-ID: <20200116165740.0232BF796@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/kubedns ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:713-1 Container Tags : caasp/v4/kubedns:1.14.1 , caasp/v4/kubedns:1.14.1-rev1 , caasp/v4/kubedns:1.14.1-rev1-build2.1 , caasp/v4/kubedns:beta1 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v4/kubedns was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Thu Jan 16 09:59:48 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 17:59:48 +0100 (CET) Subject: SUSE-CU-2019:726-1: Recommended update of caasp/v4/pv-recycler-node Message-ID: <20200116165948.E033DF796@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/pv-recycler-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:726-1 Container Tags : caasp/v4/pv-recycler-node:8.25 , caasp/v4/pv-recycler-node:8.25-rev1 , caasp/v4/pv-recycler-node:8.25-rev1-build2.1 , caasp/v4/pv-recycler-node:beta1 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v4/pv-recycler-node was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Thu Jan 16 09:47:02 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 17:47:02 +0100 (CET) Subject: SUSE-CU-2020:15-1: Recommended update of suse/sles12sp5 Message-ID: <20200116164702.2A46EF3F6@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:15-1 Container Tags : suse/sles12sp5:5.2.275 , suse/sles12sp5:latest Severity : important Type : recommended References : 1155338 1155339 ----------------------------------------------------------------- The container suse/sles12sp5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:106-1 Released: Wed Jan 15 12:50:55 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1155338,1155339 Description: This update for libgcrypt fixes the following issues: - Fix the dsa-rfc6979 test in FIPS mode: disabled tests of 192-bit elliptic curves, which are not recommended in FIPS mode - Added CMAC AES and TDES FIPS self-tests (bsc#1155339, bsc#1155338) From sle-updates at lists.suse.com Thu Jan 16 13:13:09 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 21:13:09 +0100 (CET) Subject: SUSE-RU-2020:0119-1: moderate: Recommended update for python-jsonpatch Message-ID: <20200116201309.BADF0F798@maintenance.suse.de> SUSE Recommended Update: Recommended update for python-jsonpatch ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0119-1 Rating: moderate References: #1160978 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for python-jsonpatch fixes the following issues: - Drop jsondiff binary to avoid conflict with python-jsondiff package. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-119=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-119=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (noarch): python3-jsonpatch-1.23-3.3.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): python2-jsonpatch-1.23-3.3.1 References: https://bugzilla.suse.com/1160978 From sle-updates at lists.suse.com Thu Jan 16 09:56:59 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 17:56:59 +0100 (CET) Subject: SUSE-CU-2019:709-1: Recommended update of caasp/v4/flannel Message-ID: <20200116165659.67BA6F796@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/flannel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:709-1 Container Tags : caasp/v4/flannel:0.9.1 , caasp/v4/flannel:0.9.1-rev1 , caasp/v4/flannel:0.9.1-rev1-build2.1 , caasp/v4/flannel:beta1 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v4/flannel was updated. 
The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 09:56:51 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:56:51 +0100 (CET)
Subject: SUSE-CU-2019:708-1: Security update of caasp/v4/flannel
Message-ID: <20200116165651.7267BF796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/flannel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:708-1
Container Tags        : caasp/v4/flannel:0.9.1 , caasp/v4/flannel:0.9.1-rev1 , caasp/v4/flannel:0.9.1-rev1-build1.1
Severity              : important
Type                  : security
References            : 
-----------------------------------------------------------------

The container caasp/v4/flannel was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released:    Tue Nov 4 16:29:29 2014
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    moderate
References:  901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released:    Thu Nov 6 06:23:15 2014
Summary:     Recommended update for gcc48
Type:        recommended
Severity:    moderate
References:  899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released:    Fri Nov 28 10:20:32 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.
This security issue was fixed:

- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issue was fixed:

- Correctly identify GDBM files created by libgdbm4 (bnc#888308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released:    Tue Dec 2 18:17:57 2014
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:

- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released:    Thu Dec 11 09:25:27 2014
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:

- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released:    Fri Dec 19 20:16:00 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:

- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released:    Mon Jan 12 11:37:43 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:

- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released:    Thu Jan 15 18:35:11 2015
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:

- bnc#908128: Check for invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch; it broke files with spaces.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released:    Thu Jan 15 23:21:45 2015
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released:    Fri Jan 30 15:01:03 2015
Summary:     Security update for elfutils
Type:        security
Severity:    moderate
References:  911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:

- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released:    Tue Feb 3 14:51:17 2015
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  913209
Description:
curl was updated to fix problems when operating in FIPS mode.

This patch re-enables the following methods:

- NTLM authentication (e.g.
  for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released:    Tue Feb 3 16:30:16 2015
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  912922
Description:
This update for pam fixes updating of NIS passwords.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released:    Tue Mar 10 09:01:41 2015
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  921070,CVE-2015-1782
Description:
The SSH client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer over-read and a crash of the application using libssh2_org.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released:    Wed Mar 18 18:21:44 2015
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  901202,908516
Description:
This update for procps provides the following fixes:

- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released:    Wed Apr 29 19:05:01 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.
The following vulnerabilities were fixed:

* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero-length host names
* CVE-2015-3145: curl cookie parser could access memory out of bounds
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released:    Thu Jun 11 15:46:59 2015
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:

* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released:    Mon Jun 29 10:13:43 2015
Summary:     Security update for e2fsprogs
Type:        security
Severity:    low
References:  915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:

Security issues fixed:

* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released:    Wed Jul 15 08:26:27 2015
Summary:     Recommended update for gcc48, libffi48, libgcj48
Type:        recommended
Severity:    moderate
References:  889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:

* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released:    Tue Jul 28 06:25:51 2015
Summary:     The Toolchain module containing GCC 5.2
Type:        optional
Severity:    low
References:  926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.

Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes.

The following features have been added to binutils:

* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).

The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. IBM zSeries z13 hardware support has also been added to gdb. (fate#318039)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released:    Mon Aug 17 11:36:33 2015
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:

Security:

* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)

Bugfixes:

* don't drop privileges when locking secure memory (bsc#938343)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released:    Wed Aug 26 03:07:07 2015
Summary:     Recommended update for sed
Type:        recommended
Severity:    low
References:  933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released:    Wed Sep 16 13:30:12 2015
Summary:     Recommended update for grep
Type:        recommended
Severity:    low
References:  920386
Description:
This update for grep fixes undefined behaviour with -P and non-UTF-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released:    Tue Dec 22 08:44:25 2015
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:

- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released:    Wed Dec 23 10:01:16 2015
Summary:     Recommended update for libksba
Type:        security
Severity:    moderate
References:  926826
Description:
The libksba package was updated to fix the following security issues:

- Fixed an integer overflow, an out-of-bounds read and a stack overflow issue (bsc#926826).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released:    Wed Dec 23 17:40:51 2015
Summary:     Recommended update for acl
Type:        recommended
Severity:    moderate
References:  945899
Description:
This update for acl provides the following fixes:

- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released:    Fri Jan 8 12:37:34 2016
Summary:     Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type:        recommended
Severity:    moderate
References:  932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.

The various GNOME libraries and tools have been changed to use the default libgcrypt allocators.
GNOME keyring was changed not to use MD5 anymore.

libgcrypt was adjusted to free the DRBG on exit to avoid crashes.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released:    Thu Feb 4 15:51:22 2016
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:

- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:

- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:

- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released:    Thu Mar 3 15:58:18 2016
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  960820
Description:
This update for insserv-compat fixes the name of the ntpd service.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released:    Fri Mar 11 10:17:57 2016
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:

Security issue fixed:

- CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.
A feature was added:

- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

Bug fixed:

- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released:    Wed Mar 16 18:17:59 2016
Summary:     Recommended update for libcap
Type:        recommended
Severity:    low
References:  967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released:    Fri Apr 1 18:44:16 2016
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released:    Wed Apr 6 16:26:42 2016
Summary:     Security update for gcc5
Type:        security
Severity:    moderate
References:  939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.

The following security issue has been fixed:

- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:

- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods.
  (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released:    Mon Apr 18 09:18:19 2016
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.

This security issue was fixed:

- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released:    Tue Apr 19 09:23:39 2016
Summary:     Recommended update for bzip2
Type:        recommended
Severity:    low
References:  970260
Description:
This update for bzip2 fixes the following issues:

- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released:    Thu Apr 28 16:03:24 2016
Summary:     Recommended update for libssh2_org
Type:        recommended
Severity:    important
References:  974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released:    Thu May 19 22:38:01 2016
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  915846
Description:
This update for curl fixes the following issue:

- Fix 'Network is unreachable' error when IPv6 is not available but IPv4 is. This fixes the same error in applications using libcurl4 (like zypper).
  (bsc#915846)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released:    Wed May 25 18:27:30 2016
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  979629
Description:
This update for libgcrypt fixes the following issue:

- Fix failing reboot after installing fips pattern (bsc#979629)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released:    Tue Jun 7 09:48:12 2016
Summary:     Security update for expat
Type:        security
Severity:    important
References:  979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:

Security issues fixed:

- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released:    Tue Jun 7 10:58:37 2016
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:

- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)

Also adding reliability fixes from v1.3.4.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released:    Wed Jun 22 14:32:18 2016
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  981616
Description:
This update for procps fixes the following issues:

- Improve pmap(1) to be compatible with kernel 4.4.
  (bsc#981616)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released:    Thu Jul 7 11:50:47 2016
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  986935
Description:
This update for findutils fixes the following issues:

- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released:    Sat Jul 30 00:39:03 2016
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released:    Thu Aug 11 15:02:18 2016
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:

- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch.
  (bsc#953532)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released:    Tue Aug 16 09:29:01 2016
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:

- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize: reject invalid UTF-8 (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released:    Fri Aug 19 12:58:39 2016
Summary:     Security update for cracklib
Type:        security
Severity:    moderate
References:  992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:

- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released:    Thu Sep 8 11:37:44 2016
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:

- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad UTF-8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger.
(bsc#932894) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2016:1358-1 Released: Thu Sep 15 20:54:21 2016 Summary: Optional update for gcc6 Type: optional Severity: low References: 983206 Description: This update ships the GNU Compiler Collection (GCC) in version 6.2. This update is shipped in two parts: - SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries. - SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update. Changes: - The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98. Generic Optimization improvements: - UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays. - Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly. - Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization. - Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined. - Various Link-time optimization improvements. 
- Inter-procedural optimization improvements: - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the of inliner and function cloning passes. - Function cloning now more aggressively eliminates unused function parameters. - Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification. C language specific improvements: - Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers. - Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings, - Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code. - The C and C++ compilers now offer suggestions for misspelled field names. - New command-line options have been added for the C and C++ compilers: - -Wshift-negative-value warns about left shifting a negative value. - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit. - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall. - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used. - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain. 
- -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall. - The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file. C improvements: - It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects. - A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions. C++ improvements: - The default mode has been changed to -std=gnu++14. - C++ Concepts are now supported when compiling with -fconcepts. - -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location. - G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions. - G++ now allows constant evaluation for all non-type template arguments. - G++ now supports C++ Transactional Memory when compiling with -fgnu-tm. libstdc++ improvements: - Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland. - Experimental support for C++17. - An experimental implementation of the File System TS. - Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You. - Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. 
The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit. Fortran improvements: - Fortran 2008 SUBMODULE support. - Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support. - Improved support for Fortran 2003 deferred-length character variables. - Improved support for OpenMP and OpenACC. - The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0. - The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind. - The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default. Architecture improvements: - AArch64 received a lot of improvements. IA-32/x86-64 improvements: - GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ. - Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx. - x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment. - Support for address spaces __seg_fs, __seg_gs, and __seg_tls. 
These can be used to access data via the %fs and %gs segments without having to resort to inline assembly. - Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options. PowerPC / PowerPC64 / RS6000 improvements: - PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point. - Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available: - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler. - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used. - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add). - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system. - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers. - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions. - -mpower9-minmax: Reserved for future development. 
- -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities. - New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions. - Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later. - All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers. - Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed. - GCC on PowerPC now supports the standard lround function. - The 'q', 'S', 'T', and 't' asm-constraints have been removed. - The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed. S/390, System z, IBM z Systems improvements: - Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions. - Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning. - The -mzvector option enables a C/C++ language extension. 
This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.) - Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included. - The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect. - The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions. - -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used. - Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900. 
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1364-1 Released: Fri Sep 16 17:13:43 2016 Summary: Security update for curl Type: security Severity: moderate References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389) - CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390) - CVE-2016-5421: use of connection struct after free (bsc#991391) - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420) Also the following bug was fixed: - fixing a performance issue (bsc#991746) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1370-1 Released: Wed Sep 21 12:58:14 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 994157,CVE-2016-6313 Description: This update for libgcrypt fixes the following issues: - RNG prediction vulnerability (bsc#994157, CVE-2016-6313) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1591-1 Released: Wed Nov 2 12:07:51 2016 Summary: Security update for curl Type: security Severity: important References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624 Description: This update for curl fixes the following security issues: - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646) - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645) - CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643) - CVE-2016-8621: curl_getdate read out of 
bounds (bsc#1005642) - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640) - CVE-2016-8619: double-free in krb5 code (bsc#1005638) - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637) - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635) - CVE-2016-8616: case insensitive password comparison (bsc#1005634) - CVE-2016-8615: cookie injection for other servers (bsc#1005633) - CVE-2016-7167: escape and unescape integer overflows (bsc#998760) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1614-1 Released: Mon Nov 7 20:01:31 2016 Summary: Recommended update for shadow Type: recommended Severity: low References: 1002975 Description: This update for shadow fixes the following issues: - Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1641-1 Released: Thu Nov 10 20:02:04 2016 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1006469,958369,979436 Description: This update for sg3_utils provides the following fixes: - Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469) - Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436) - In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. 
(bsc#958369) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1744-1 Released: Fri Dec 2 11:42:41 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). 
- bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). 
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1782-1 Released: Fri Dec 9 13:35:02 2016 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1001790,1004289,1005404,1006372,1006690,989831,991443 Description: This update for systemd provides the following fixes: - Allow to redirect confirmation messages to a different console. (bsc#1006690) - Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831) - Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289) - Don't emit space usage message right after opening the persistent journal. (bsc#991443) - Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. 
(bsc#1006372) - Document that *KeyIgnoreInhibited only apply to a subset of locks. - Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404) - Revert 'kbd-model-map: add more mappings offered by Yast'. - Don't busy loop when we get a notification message we can't process. - Rename kbd-model-map-extra into kbd-model-map.legacy. - Add kbd-model-map-extra file which contains the additional maps needed by YaST. - Drop localfs.service: unused and not needed anymore. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1827-1 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). 
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). 
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1863-1 Released: Wed Dec 21 10:41:35 2016 Summary: Recommended updated for pth Type: recommended Severity: low References: 1013286 Description: This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2-1 Released: Mon Jan 2 08:35:08 2017 Summary: Security update for zlib Type: security Severity: moderate References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843 Description: This update for zlib fixes the following issues: CVE-2016-9843: Big-endian out-of-bounds pointer CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579) Incompatible declarations for external linkage function deflate (bsc#1003577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:6-1 Released: Tue Jan 3 15:01:58 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538 Description: This update for systemd fixes the following issues: - core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340) - fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989) - coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591) - Ship kbd-model-map with the correct contents. (bsc#1015515) - rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538) - tmpfiles: Don't skip path_set_perms on error. (bsc#953807) - nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390) - systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. 
(bsc#1012818) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:32-1 Released: Mon Jan 9 11:50:42 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 994794 Description: This update for dirmngr enables support for daemon mode. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:47-1 Released: Wed Jan 11 11:42:43 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1018214,1018399 Description: This update for systemd fixes the following two issues: - A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399) - Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:98-1 Released: Thu Jan 19 10:17:55 2017 Summary: Recommended update for kmod Type: recommended Severity: low References: 998906 Description: This update for kmod fixes a rare race condition while loading modules. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:149-1 Released: Wed Jan 25 09:17:08 2017 Summary: Security update for systemd Type: security Severity: important References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156 Description: This update for systemd fixes the following issues: This security issue was fixed: - CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601). 
These non-security issues were fixed: - Fix permission set on /var/lib/systemd/linger/* - install: follow config_path symlink (#3362) - install: fix disable when /etc/systemd/system is a symlink (bsc#1014560) - run: make --slice= work in conjunction with --scope (bsc#1014566) - core: don't dispatch load queue when setting Slice= for transient units - systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266) - rule: don't automatically online standby memory on s390x (bsc#997682) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:185-1 Released: Thu Feb 2 18:22:37 2017 Summary: Security update for cpio Type: security Severity: moderate References: 1020108,963448,CVE-2016-2037 Description: This update for cpio fixes two issues. This security issue was fixed: - CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448). This non-security issue was fixed: - bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:192-1 Released: Fri Feb 3 18:46:05 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597 Description: This update for libxml2 fixes the following issues: * CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544] * Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873] * CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497). For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. 
Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:209-1 Released: Tue Feb 7 17:00:47 2017 Summary: Recommended update for libseccomp Type: recommended Severity: low References: 1019900 Description: This update provides libseccomp version 2.3.1 which fixes the following issues: - Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900) - Fixed problems with ipc syscalls on 32-bit x86 - Fixed problems with socket and ipc syscalls on s390 and s390x ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:212-1 Released: Wed Feb 8 13:07:24 2017 Summary: Security update for expat Type: security Severity: moderate References: 983215,983216,CVE-2012-6702,CVE-2016-5300 Description: This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. 
(bsc#983216) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:228-1 Released: Fri Feb 10 15:39:32 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732 Description: This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641) Security issues fixed: - CVE-2016-7055: The x86_64 optimized montgomery multiplication may produce incorrect results (bsc#1009528) - CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085) - CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086) - Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912) Non-security issues fixed: - fix crash in openssl speed (bsc#1000677) - fix X509_CERT_FILE path (bsc#1022271) - AES XTS key parts must not be identical in FIPS mode (bsc#1019637) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:261-1 Released: Mon Feb 20 11:00:28 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1019276 Description: This update for dirmngr fixes the following issues: - Properly initialize the dirmngr tmpfilesd files right away and not just during reboot - Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276) - Proprely require logrotate as we need it for the dirmngr configs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:365-1 Released: Fri Mar 10 15:16:59 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1006175 Description: This update for sg3_utils fixes the following issue: - Add udev rules to handle legacy CCISS devices (bsc#1006175) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:389-1 Released: Thu Mar 
16 14:16:43 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004094,1006687,1019470,1022014,1022047,1025598,995936 Description: This update for systemd provides the following fixes: - core: Fix memory leak in transient units. (bsc#1025598) - core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687) - sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014) - journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094) - core: Downgrade warning about duplicate device names. (bsc#1022047) - units: Remove no longer needed ldconfig service. (bsc#1019470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:439-1 Released: Tue Mar 21 10:48:47 2017 Summary: Recommended update for netcfg Type: recommended Severity: low References: 1028305,959693 Description: This update for netcfg provides the following fixes: - Update script to generate services to use UTF8 by default. (bsc#1028305) - Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:462-1 Released: Fri Mar 24 21:58:07 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1012973,1015943,1017034,1023283,1025560,1025630 Description: This update for lvm2 fixes the following issues: - Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630) - Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560) - Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034) - Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973) - Add systemd_requires to device-mapper package. 
(bsc#1015943) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:464-1 Released: Mon Mar 27 15:50:51 2017 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1007851,1029725,1029900 Description: This update for glibc fixes a potential segmentation fault in libpthread: - Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:580-1 Released: Wed Apr 12 23:58:47 2017 Summary: Recommended update for cpio Type: recommended Severity: important References: 1028410 Description: This update for cpio fixes the following issues: - A regression caused cpio to crash for tar and ustar archive types [bsc#1028410] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:609-1 Released: Tue Apr 18 11:28:14 2017 Summary: Security update for curl Type: security Severity: moderate References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407 Description: This update for curl fixes the following issues: Security issue fixed: - CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332) - CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309). With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:732-1 Released: Wed May 10 14:03:43 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1030621 Description: This update for procps fixes the following issues: - Command w(1) with option -n doesn't work. 
(bsc#1030621) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:735-1 Released: Wed May 10 15:43:46 2017 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1036736,986783 Description: This update for gpg2 provides the following fixes: - Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736) - Initialize the trustdb before import attempt. (bsc#986783) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:751-1 Released: Thu May 11 17:14:30 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770 Description: This update for systemd provides the following fixes: - logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355) - importd: Support SUSE style checksums. (fate#322054) - journal: Don't remove leading spaces. (bsc#1033855) - Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565) - hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220) - logind: Restart logind on package update only on SLE12 distros. (bsc#1032660) - core: Treat masked files as 'unchanged'. (bsc#1032538) - units: Move Before deps for quota services to remote-fs.target. (bsc#1028263) - udev: Support predictable ifnames on vio buses. (bsc#1029183) - udev: Add a persistent rule for ibmvnic devices. (bsc#1029183) - units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398) - core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610) - vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691) - udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886) - Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. 
(bsc#1030290) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:794-1 Released: Tue May 16 15:41:09 2017 Summary: Security update for bash Type: security Severity: moderate References: 1010845,1035371,CVE-2016-9401 Description: This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:799-1 Released: Wed May 17 00:21:13 2017 Summary: Recommended update for glibc Type: recommended Severity: low References: 1026224,1035445 Description: This update for glibc introduces basic support for IBM POWER9 systems. Additionally, an improper assert in dlclose() has been removed. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:865-1 Released: Wed May 24 16:23:20 2017 Summary: Security update for pam Type: security Severity: moderate References: 1015565,1037824,934920,CVE-2015-3238 Description: This update for pam fixes the following issues: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565). - If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565) - Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:873-1 Released: Fri May 26 16:19:47 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1009532,960273 Description: This update for e2fsprogs provides the following fixes: - Fix 32/64-bit overflow when multiplying by blocks/clusters per group. 
This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532) - Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:877-1 Released: Mon May 29 15:11:48 2017 Summary: Recommended update for cryptsetup Type: recommended Severity: low References: 1031998 Description: This update for cryptsetup provides the following fix: - Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:891-1 Released: Tue May 30 22:28:21 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following issues: - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064) - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066) - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661) - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:907-1 Released: Thu Jun 1 14:23:36 2017 Summary: Recommended update for shadow Type: recommended Severity: low References: 1003978,1031643 Description: This update for shadow fixes the following issues: - Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643) - useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID was iterated to find an available UID/GID. 
This could take long time over a network device. Instead, find available UID/GID locally, and then check only those values over network. (bsc#1003978) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:918-1 Released: Tue Jun 6 12:35:44 2017 Summary: Recommended update for libsemanage, selinux-policy Type: recommended Severity: moderate References: 1020143,1032445,1035818,1038189 Description: This update for libsemanage, selinux-policy fixes the following issues: - Limit to policy version 29 by default. - Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:939-1 Released: Mon Jun 12 10:56:22 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following security issues: * CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661) * CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066) * CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063) * CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:959-1 Released: Wed Jun 14 14:38:11 2017 Summary: Recommended update for gcc5 Type: recommended Severity: low References: 1043580 Description: This update for gcc5 fixes the version of libffi in its pkg-config configuration file. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:962-1 Released: Wed Jun 14 16:33:07 2017 Summary: Security update for openldap2 Type: security Severity: moderate References: 1009470,1037396,1041764,972331,CVE-2017-9287 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764) Non security bugs fixed: - Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470) - Fix an uninitialised variable that causes startup failure (bsc#1037396) - Fix an issue with transaction management that can cause server crash (bsc#972331) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:985-1 Released: Mon Jun 19 14:57:41 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1042326,931932,CVE-2017-9526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326) - Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:990-1 Released: Mon Jun 19 17:19:44 2017 Summary: Security update for glibc Type: security Severity: important References: 1039357,1040043,CVE-2017-1000366 Description: This update for glibc fixes the following issues: - CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357] - A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. 
[bsc#1040043] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1033-1 Released: Fri Jun 23 16:38:55 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1038194 Description: This update for e2fsprogs provides the following fixes: - Don't ignore fsync errors in libext2fs. (bsc#1038194) - Fix fsync(2) detection in libext2fs. (bsc#1038194) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1036-1 Released: Mon Jun 26 08:12:24 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969 Description: This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337) * CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1040-1 Released: Mon Jun 26 13:22:26 2017 Summary: Recommended update for libsemanage, policycoreutils Type: recommended Severity: low References: 1043237 Description: This update for libsemanage, policycoreutils fixes the following issue: - Show version numbers of modules where they are available (bsc#1043237) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1082-1 Released: Fri Jun 30 10:54:06 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1045943 Description: This update for dirmngr provides the following fix: - Change logrotate from Requires to Recommends (bsc#1045943) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1086-1 Released: Fri Jun 30 15:36:17 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376 Description: This update for libxml2 fixes the following 
issues: Security issues fixed: * CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887) * CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1104-1 Released: Tue Jul 4 16:13:55 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: 
Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. - Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1116-1 Released: Thu Jul 6 11:37:18 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1046607,CVE-2017-7526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1119-1 Released: Fri Jul 7 11:23:20 2017 Summary: Recommended update for ncurses Type: security Severity: important References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858) - CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. 
(bsc#1046853) Bugfixes: - Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does not need it anymore and as well as it causes bug bsc#1000662 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1160-1 Released: Fri Jul 14 17:20:26 2017 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1031702 Description: This update for openldap2 provides the following fix: - Fix a regression in handling of non-blocking connection (bsc#1031702) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1174-1 Released: Wed Jul 19 11:12:51 2017 Summary: Security update for systemd, dracut Type: security Severity: important References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445 Description: This update for systemd and dracut fixes the following issues: Security issues fixed: - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290) Non-security issues fixed in systemd: - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) Non-security issues fixed in dracut: - Bail out if module directory does not exist. (bsc#1043900) - Suppress bogus error message. (bsc#1032029) - Fix module force loading with systemd. (bsc#986216) - Ship udev files required by systemd. (bsc#1040153) - Ignore module resolution errors (e.g. with kgraft). 
(bsc#1037120) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1192-1 Released: Thu Jul 20 20:07:36 2017 Summary: Recommended update for iptables Type: recommended Severity: low References: 1045130 Description: This update for iptables provides the following fix: - Fix a locking issue of iptables-batch when other programs modify the iptables rules in parallel (bsc#1045130) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1222-1 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1034563,1039941 Description: This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1245-1 Released: Thu Aug 3 10:43:15 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445 Description: This update for systemd provides several fixes and enhancements. Security issues fixed: - CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614) - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. 
(bsc#1045290) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. 
- Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1268-1 Released: Mon Aug 7 10:09:19 2017 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364 Description: This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation: - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908) - Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175) - Fix x86 extended feature detection (bsc#1029523) - Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environmental variable (bsc#1028723) - s_client sent empty client certificate (bsc#1028281) Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. - Fix a bug in XTS key handling (bsc#1019637) - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1279-1 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Type: security Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. 
(bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1316-1 Released: Thu Aug 10 13:54:27 2017 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1014471,1026825,1044840,938657 Description: This update for cyrus-sasl provides the following fixes: - Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence 'GSSAPI client step 1' debug log message (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1326-1 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Type: security Severity: low References: 1038444,CVE-2017-8872 Description: This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1330-1 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Type: recommended Severity: low References: 954661 Description: This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. 
(bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 Description: This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1334-1 Released: Tue Aug 15 20:09:03 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1048679,874665 Description: This update for systemd fixes the following issues: - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1335-1 Released: Wed Aug 16 11:24:21 2017 Summary: Security update for curl Type: security Severity: moderate References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101 Description: This update for curl fixes the following issues: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 Description: This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1349-1
Released: Fri Aug 18 12:31:07 2017
Summary: Recommended update for lua51
Type: recommended
Severity: low
References: 1051626
Description:
This update for lua51 provides the following fixes:
- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1390-1
Released: Fri Aug 25 15:14:27 2017
Summary: Security update for libzypp
Type: security
Severity: important
References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow triggering an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
yast2-pkg-bindings:
- Do not crash when the repository URL is not defined.
(bsc#1043218)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1419-1
Released: Wed Aug 30 15:38:22 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:
- CVE-2016-9063: Possible integer overflow inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External entity vulnerability (infinite loop on a malformed external entity definition) could lead to denial of service (bsc#1047236)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1439-1
Released: Fri Sep 1 15:31:05 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1045384,1045987,1046268,1047379,1048605
Description:
This update for systemd fixes the following issues:
- Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1447-1
Released: Mon Sep 4 15:38:20 2017
Summary: Security update for libzypp, zypper
Type: security
Severity: important
References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)
zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages.
(bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1450-1
Released: Mon Sep 4 16:36:07 2017
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 1035062,944903
Description:
This update for insserv-compat fixes the following issues:
- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1453-1
Released: Mon Sep 4 21:23:50 2017
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:
- libgcrypt stored an open file descriptor to the random device in a static variable between invocations.
gnome-keyring-daemon reopened descriptors 0-2 with /dev/null on initialization, which left the cached descriptor pointing at /dev/null and caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in the healthcheck sanity test to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- fix a bug in gcry_drbg_healthcheck_sanity() which caused some of the tests to be skipped (bsc#1046659)
- dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1548-1
Released: Fri Sep 15 18:19:12 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:
- Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fall back to using sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates.
(bsc#1009269)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1592-1
Released: Tue Sep 26 17:38:03 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1028485,1045628,978055,998893,999878
Description:
This update for lvm2 provides the following fixes:
- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1644-1
Released: Mon Oct 9 07:52:24 2017
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.
This security issue was fixed:
- CVE-2017-11462: Prevent automatic deletion of GSS-API security contexts on error, which could lead to a double free (bsc#1056995)
These non-security issues were fixed:
- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of the LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1663-1
Released: Tue Oct 10 12:05:09 2017
Summary: Recommended update for dbus-1
Type: recommended
Severity: moderate
References: 1043615,1046173
Description:
This update for dbus-1 provides the following fixes:
- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore.
(bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1703-1
Released: Tue Oct 17 13:20:12 2017
Summary: Recommended update for audit
Type: recommended
Severity: low
References: 1042781
Description:
This update for audit provides the following fix:
- Make the auditd systemd service start by forking, to fix some initialization failures. (bsc#1042781)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1758-1
Released: Mon Oct 23 08:47:47 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)
Bugs fixed:
- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1796-1
Released: Fri Oct 27 21:25:06 2017
Summary: Recommended update for pcre
Type: recommended
Severity: moderate
References: 1058722
Description:
This update for pcre fixes the following issues:
- Fixed the pcre stack frame size detection, which modern compilers break by cloning and inlining the pcre match() function (bsc#1058722)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1797-1
Released: Sat Oct 28 12:06:19 2017
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1048645,1060738
Description:
This update for permissions fixes the following issues:
- Allow users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode.
(bsc#1028304)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1802-1
Released: Tue Oct 31 12:05:17 2017
Summary: Recommended update for iptables
Type: recommended
Severity: low
References: 1045130
Description:
This update for iptables provides the following fix:
- Fix a locking issue in iptables-batch when other programs modify the iptables rules in parallel (bsc#1045130)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1826-1
Released: Wed Nov 8 08:47:17 2017
Summary: Security update for krb5
Type: security
Severity: important
References: 1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:
Security issues fixed:
- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could, under specific circumstances, be used to execute code (bsc#1065274)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1829-1
Released: Wed Nov 8 08:50:00 2017
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1023895,1052261,980486,CVE-2017-12424
Description:
This update for shadow fixes several issues.
This security issue was fixed:
- CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have led to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261).
These non-security issues were fixed:
- bsc#1023895: Fixed the man page to not contain invalid options, and also prevent warnings when using these options in certain settings
- bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1881-1
Released: Wed Nov 22 16:29:58 2017
Summary: Security update for file
Type: security
Severity: moderate
References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:
The GNU file utility was updated to version 5.22.
Security issues fixed:
- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allowed remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.
(bsc#910253)
Version update to file version 5.22
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.
Version update to file version 5.21
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads
Update to file version 5.20
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support
Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format.
(bsc#1009966)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1903-1
Released: Fri Nov 24 16:19:37 2017
Summary: Security update for perl
Type: security
Severity: moderate
References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)
Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1916-1
Released: Fri Nov 24 20:15:01 2017
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1043333,1059723
Description:
This update for libgcrypt provides the following fix:
- Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon.
(bsc#1059723)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1917-1
Released: Mon Nov 27 13:32:07 2017
Summary: Optional update for gcc7
Type: recommended
Severity: low
References: 1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.
New features:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-nvptx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA card offload support.
The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 7, several bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1965-1
Released: Thu Nov 30 12:48:45 2017
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libsolv:
- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.
libzypp:
- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.
zypper:
- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands to support setting only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1966-1
Released: Thu Nov 30 13:45:24 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249
Description:
This update for systemd fixes the following issues:
- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too.
(bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with the 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow specifying the generation number through the kernel command line.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs check. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert the /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1968-1
Released: Thu Nov 30 19:49:33 2017
Summary: Recommended update for coreutils
Type: recommended
Severity: low
References: 1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:
- Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example it no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists.
(bsc#965780)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1970-1
Released: Thu Nov 30 22:55:41 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2021-1
Released: Fri Dec 8 10:11:04 2017
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1070878,1070958
Description:
This update for file fixes detection of JPEG files.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2031-1
Released: Mon Dec 11 12:55:57 2017
Summary: Recommended update for gzip
Type: recommended
Severity: low
References: 1067891
Description:
This update for gzip provides the following fix:
- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2036-1
Released: Wed Dec 13 16:34:21 2017
Summary: Recommended update for util-linux
Type: recommended
Severity: low
References: 1039276,1040968,1055446,1066500
Description:
This update for util-linux provides the following fixes:
- Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968)
- Fix an infinite loop and a crash in lscpu, and report the correct minimum and maximum frequencies for some processors. (bsc#1055446)
- Fix a lscpu failure in the Sydney Amazon EC2 region.
(bsc#1066500)
- If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2097-1
Released: Sat Dec 16 01:59:00 2017
Summary: Security update for openssl
Type: security
Severity: important
References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738
Description:
This update for openssl fixes the following issues:
- OpenSSL Security Advisory [07 Dec 2017]
* CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 'error state' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
* CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely.
Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2137-1
Released: Thu Dec 21 17:49:12 2017
Summary: Recommended update for dbus-1
Type: recommended
Severity: moderate
References: 1046173,1071698
Description:
This update for dbus-1 provides the following fixes:
- The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:4-1
Released: Tue Jan 2 15:58:20 2018
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)
zypper:
- Update manpage regarding custom repository variable fixes.
(bsc#1057640, bsc#1067605)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:38-1
Released: Tue Jan 9 14:56:43 2018
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 1070209
Description:
This update for kmod provides the following fixes:
- Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:55-1
Released: Fri Jan 12 09:45:49 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:
- A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
- A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
- A memory leak and buffer overflows in the glob() function have been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has been fixed.
[bsc#1063675]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:86-1
Released: Wed Jan 17 09:38:17 2018
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in the _nc_save_str function (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released: Wed Jan 17 14:41:17 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released: Wed Jan 17 14:44:33 2018
Summary: Recommended update for lvm2
Type: recommended
Severity: low
References: 1063051,1067312
Description:
This update for lvm2 provides the following fixes:
- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages when testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd.
(bsc#1067312)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released: Thu Jan 25 11:44:23 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1064397,1065083
Description:
This update for openldap2 provides the following fixes:
- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released: Thu Jan 25 13:38:37 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.
This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data (custom Authorization headers set by the caller) to third-party hosts when following redirects to a different host (bsc#1077001)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released: Tue Jan 30 10:53:43 2018
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.
These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released:    Tue Jan 30 14:36:40 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.

This security issue was fixed:

- CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308).

These non-security issues were fixed:

- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files.
(bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released:    Tue Jan 30 14:37:42 2018
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.

This security issue was fixed:

- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER-encoded structure, which allowed for DoS (bsc#1076832).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released:    Thu Feb 8 17:47:43 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes the following issues.

These security issues were fixed:

- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released:    Mon Feb 12 11:50:39 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    low
References:  1057452,1076909
Description:
This update for bash provides the following fixes:

- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
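Every entry in this digest uses the same plain-text layout (Advisory ID, Released, Summary, Type, Severity, References, Description). The Python below is an added example, not SUSE tooling: it parses such a digest into records, splits References into bug numbers and CVE IDs, reports the CVEs per package with the highest severity seen, and flags entries whose References and Description disagree about which CVEs are covered, a sanity check worth running before the list is fed into a vulnerability tracker. The sample digest is constructed from three entries on this page with their bullet text shortened.

```python
"""Added example (not SUSE tooling): parse a plain-text SUSE advisory digest
and summarise it per package."""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")   # "Key:  value" header lines
SEPARATOR_RE = re.compile(r"(?m)^-{20,}[ \t]*$")     # the dashed entry separator
SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

# Constructed sample in the digest's layout (three entries from this page,
# bullet text shortened).
SAMPLE = """\
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released:    Wed Jan 17 14:41:17 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released:    Wed Jan 17 14:44:33 2018
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    low
References:  1063051,1067312
Description:
This update for lvm2 provides the following fixes:
- Backport various upstream fixes for clvmd. (bsc#1063051)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released:    Thu Feb 15 14:47:35 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1037930,1079036,CVE-2017-8804,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
"""


def parse_digest(text):
    """Split a digest into advisory records (dicts). References are split into
    `cves` and `bugs`; everything after 'Description:' is kept verbatim."""
    records = []
    for chunk in SEPARATOR_RE.split(text):
        fields, desc, in_desc = {}, [], False
        for line in chunk.splitlines():
            if in_desc:
                desc.append(line)
                continue
            m = HEADER_RE.match(line)
            if not m:
                continue
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            if key == "description":
                in_desc = True
            else:
                fields[key] = value
        if "advisory id" not in fields:
            continue  # empty chunk before the first separator
        refs = [r.strip() for r in fields.get("references", "").split(",") if r.strip()]
        pkg = re.search(r"update for (.+)$", fields.get("summary", ""))
        records.append({
            "id": fields["advisory id"],
            "released": fields.get("released", ""),
            "type": fields.get("type", "").lower(),
            "severity": fields.get("severity", "").lower(),
            "package": pkg.group(1).strip() if pkg else "",
            "cves": sorted(r for r in refs if CVE_RE.fullmatch(r)),
            "bugs": sorted(r for r in refs if r.isdigit()),
            "description": "\n".join(desc).strip(),
        })
    return records


def cves_by_package(records):
    """Map package -> (highest severity seen, sorted CVE list), security entries only."""
    out = {}
    for r in records:
        if r["type"] != "security":
            continue
        sev, cves = out.get(r["package"], ("low", set()))
        if SEVERITY_RANK.get(r["severity"], 0) > SEVERITY_RANK.get(sev, 0):
            sev = r["severity"]
        out[r["package"]] = (sev, cves | set(r["cves"]))
    return {pkg: (sev, sorted(c)) for pkg, (sev, c) in out.items()}


def cves_in_description(record):
    """Cross-check one record: (CVEs mentioned in the text but absent from
    References, CVEs in References never mentioned in the text)."""
    mentioned = set(CVE_RE.findall(record["description"]))
    listed = set(record["cves"])
    return sorted(mentioned - listed), sorted(listed - mentioned)


if __name__ == "__main__":
    recs = parse_digest(SAMPLE)
    for pkg, (sev, cves) in sorted(cves_by_package(recs).items()):
        print(f"{pkg:10} {sev:10} {', '.join(cves)}")
    for r in recs:
        extra, missing = cves_in_description(r)
        if extra or missing:
            print(f"{r['id']}: text-only {extra}, references-only {missing}")
```

In the constructed sample the glibc entry lists CVE-2017-8804 in References but its shortened Description never mentions it, so the cross-check reports it; on a real digest the same mismatch usually means a bullet was dropped when the entry was assembled.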
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released:    Thu Feb 15 14:47:35 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)

Non security bugs fixed:

- Release read lock after resetting timeout (bsc#1073990)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released:    Mon Feb 26 16:34:46 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:

Security issue fixed:

- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on.
This could be used by local attackers to gain privileges (bsc#1077925)

Non-security issues fixed:

- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com
- Don't ship /usr/lib/systemd/system/tmp.mount at all (bsc#1071224). But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released:    Wed Feb 28 16:33:37 2018
Summary:     Recommended update for net-tools
Type:        recommended
Severity:    low
References:  1009905,1063910
Description:
This update for net-tools provides the following fix:

- netstat: fix handling of large socket numbers (bsc#1063910)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released:    Fri Mar 9 14:05:22 2018
Summary:     Security update for augeas
Type:        security
Severity:    low
References:  1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:

Security issue fixed:

- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mishandled by parse_name() (bsc#1054171).
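The systemd entry above (SUSE-SU-2018:355-1, CVE-2017-18078) states the rule tmpfiles now follows: do not chown()/chmod() a path whose inode has more than one link unless the kernel enforces fs.protected_hardlinks, because without that sysctl a local user can hard-link a file they do not own into the managed directory and have the privileged mode change land on it. The Python below is an added example of that rule, not systemd's code; the sysctl path is the standard Linux one, the demo builds its own files in a temporary directory, and the check is applied through a file descriptor so that the inode inspected is the inode changed.

```python
"""Added example (not systemd code): refuse mode changes on hard-linked files
unless fs.protected_hardlinks is enforced, the CVE-2017-18078 rule."""
import os
import stat
import tempfile

PROTECTED_HARDLINKS_SYSCTL = "/proc/sys/fs/protected_hardlinks"  # standard Linux path


def protected_hardlinks_enabled(sysctl_path=PROTECTED_HARDLINKS_SYSCTL):
    """True if the kernel stops unprivileged users from hard-linking files they
    do not own. A missing or unreadable sysctl (non-Linux, old kernel, sandbox)
    is reported as 'not protected', the conservative answer."""
    try:
        with open(sysctl_path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def safe_chmod(path, mode, *, protected=None):
    """chmod() `path` and return True, or return False if the change was refused.

    Refused when the file has more than one link and the kernel does not enforce
    protected_hardlinks: in that state a local user may have hard-linked a file
    they do not own into the managed directory, so a privileged chmod would
    apply to a file of their choosing. Symlinks are never chmod()ed."""
    if protected is None:
        protected = protected_hardlinks_enabled()
    st = os.lstat(path)                      # do not follow symlinks here
    if stat.S_ISLNK(st.st_mode):
        return False
    if st.st_nlink > 1 and not protected:
        return False
    # Operate on a descriptor so the inode we checked is the inode we change,
    # even if the path is swapped underneath us between lstat() and open().
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)
    try:
        if os.fstat(fd).st_ino != st.st_ino:
            return False                     # path was replaced; bail out
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return True


def demo(protected):
    """Constructed scenario in a temp dir: a plain file and a hard-linked file.
    Returns (plain_changed, linked_changed) for the given sysctl state."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "plain")
        target = os.path.join(d, "target")
        link = os.path.join(d, "link")
        for p in (plain, target):
            with open(p, "w") as f:
                f.write("x")
        os.link(target, link)                # target and link now share an inode
        assert os.lstat(link).st_nlink == 2
        return (safe_chmod(plain, 0o600, protected=protected),
                safe_chmod(link, 0o600, protected=protected))


if __name__ == "__main__":
    print("sysctl enforced on this host:", protected_hardlinks_enabled())
    print("protected=False ->", demo(protected=False))   # plain changed, link refused
    print("protected=True  ->", demo(protected=True))    # both changed
```

The same pattern applies to chown(): the decision is taken on the lstat() result, and the change is then made on the descriptor rather than on the path name.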
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released:    Fri Mar 9 18:02:14 2018
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:

- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released:    Mon Mar 12 13:13:55 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:

- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released:    Thu Mar 15 07:38:52 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:

- Add dmi/id conditions to 80-acpi-container-hotplug.rules so that the rule can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released:    Thu Mar 15 10:47:40 2018
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    low
References:  1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:

libsolv:

- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.

libzypp:

- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)

zypper:

- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released:    Thu Mar 22 08:20:46 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:

The following security issues were fixed:

- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released:    Thu Mar 29 14:02:08 2018
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:

Security issues fixed:

- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).

Non-security issues fixed:

- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos.
System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released:    Thu Apr 5 17:22:37 2018
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.

This security issue was fixed:

- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released:    Wed Apr 11 18:02:57 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:

- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so TLS itself is not affected; applications that parse untrusted PKCS7 or other recursively defined ASN.1 structures are. (bsc#1087102)
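The openssl entry just above (SUSE-SU-2018:624-1, CVE-2018-0739) describes a decoder of recursively defined constructed ASN.1 types with no bound on its recursion. The Python below is an added example, not OpenSSL's or SUSE's code: a minimal DER TLV parser that checks a depth bound before doing any work at each level, plus a generator for the hostile input (an attacker-chosen number of nested SEQUENCEs). MAX_DEPTH = 32 is this example's own choice, and tags are assumed to be single-byte.

```python
"""Added example (not OpenSSL code): a DER parser whose recursion over
constructed types is bounded, the class of bug behind CVE-2018-0739."""

MAX_DEPTH = 32  # assumption for this example; size it to the structures you accept


def _encode_length(n):
    """DER definite-form length encoding (short form below 0x80, else long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _read_length(buf, i):
    """Parse a definite-form length at buf[i]; return (length, index after it)."""
    if i >= len(buf):
        raise ValueError("truncated length")
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not DER")
    if i + n > len(buf):
        raise ValueError("truncated length")
    return int.from_bytes(buf[i:i + n], "big"), i + n


def parse_der(buf, max_depth=MAX_DEPTH, _depth=0):
    """Parse a run of DER TLVs into [(tag, value)]; for constructed tags
    (bit 0x20 set) value is the recursively parsed list of inner TLVs.

    The depth check runs before any work at each level, so hostile input fails
    with ValueError after at most max_depth frames instead of a RecursionError
    (or, in C, a blown stack) after thousands."""
    if _depth > max_depth:
        raise ValueError(f"ASN.1 nesting deeper than {max_depth}")
    buf = memoryview(buf)  # zero-copy slicing of inner values
    out = []
    i = 0
    while i < len(buf):
        tag = buf[i]
        length, i = _read_length(buf, i + 1)
        if i + length > len(buf):
            raise ValueError("truncated value")
        value = buf[i:i + length]
        i += length
        if tag & 0x20:
            value = parse_der(value, max_depth, _depth + 1)
        else:
            value = bytes(value)
        out.append((tag, value))
    return out


def nested_sequence(depth, payload=b"\x02\x01\x05"):
    """Constructed input: `depth` SEQUENCEs wrapped around INTEGER 5. With a
    PKCS7-style recursive definition the attacker picks `depth`."""
    body = payload
    for _ in range(depth):
        body = b"\x30" + _encode_length(len(body)) + body
    return body


def classify(buf, max_depth=MAX_DEPTH):
    """'ok', 'rejected' (depth bound hit, the wanted outcome) or
    'exhausted' (interpreter recursion limit hit, the CVE-2018-0739 shape)."""
    try:
        parse_der(buf, max_depth)
        return "ok"
    except ValueError:
        return "rejected"
    except RecursionError:
        return "exhausted"


if __name__ == "__main__":
    hostile = nested_sequence(5000)
    print("bounded parser:  ", classify(hostile))                   # rejected
    print("unbounded parser:", classify(hostile, max_depth=10**9))  # exhausted
```

With the bound effectively removed the same input ends in RecursionError, the Python analogue of the C stack exhaustion the advisory describes; the bounded parser fails at depth 33 with a plain ValueError and never reads the deeper bytes. Any decoder fed untrusted PKCS7, CMS or certificate extension data should fail in that second way.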
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released:    Wed Apr 25 14:14:41 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released:    Wed Apr 25 14:23:49 2018
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:

Changes in libsolv:

- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)

Changes in libzypp:

- Make sure the product file comes from /etc/products.d for the fallback product search.  (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released:    Wed May 2 22:16:26 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:

- Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros.
(bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal to or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released:    Mon May 7 07:07:38 2018
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    important
References:  1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update for gcc7 to the 7.3 release fixes the following issues:

- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about an RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550]
- Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with the GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released:    Thu May 17 08:41:30 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:

Security issues fixed:

- CVE-2018-1000301: Fixed an RTSP bad-headers buffer over-read that could crash the curl client (bsc#1092098)

Non security issues fixed:

- If the DEFAULT_SUSE cipher list is not available use the HIGH cipher alias before failing. (bsc#1086825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released:    Wed May 23 16:46:50 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:

- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released:    Wed May 23 17:14:16 2018
Summary:     Security update for bash
Type:        security
Severity:    moderate
References:  1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:

Security issues fixed:

- CVE-2016-7543: A code execution possibility via the SHELLOPTS and PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396)

Non-security issues fixed:

- Fix repeating self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs.
(bsc#1086247)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released:    Wed May 23 17:18:39 2018
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1071321
Description:
This update for zlib fixes the following issues:

- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released:    Tue Jun 5 13:20:44 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1089884
Description:
This update for pam fixes the following issues:

- Fix order of accessed configuration files in man page. (bsc#1089884)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released:    Wed Jun 6 11:44:25 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:

- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)

Non security bugs fixed:

- Fix crash in resolver on memory allocation failure (bsc#1086690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released:    Thu Jun 7 12:58:56 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1073879,1080078,964063
Description:
This update for rpm fixes the following issues:

- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros.
(bsc#1080078)

Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released:    Fri Jun 15 13:41:08 2018
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released:    Fri Jun 15 19:19:51 2018
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1090765
Description:
This update for openssl provides the following fix:

- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released:    Thu Jun 28 13:44:16 2018
Summary:     Security update for procps
Type:        security
Severity:    moderate
References:  1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released:    Thu Jul 5 08:36:17 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released:    Tue Jul 17 08:07:57 2018
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issues were fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

This non-security issue was fixed:

- Fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released:    Thu Jul 19 09:43:21 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released:    Thu Jul 26 16:32:29 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1413-1
Released:    Fri Jul 27 12:41:13 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released:    Mon Jul 30 10:10:45 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:
This update for pam provides the following fix:

- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released:    Mon Aug 13 13:41:22 2018
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:

- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1610-1
Released:    Thu Aug 16 14:04:25 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order.
(bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released:    Thu Aug 16 14:49:45 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released:    Thu Aug 16 15:27:04 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:

- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096)
- compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096)
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables.
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890)
- logind: Do not use an uninitialized variable. (bsc#1088890)
- Disable user services by default.
(bsc#1090785) - Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post which made the symlink not owned and more importantly it was created only if /etc/sysctl.conf is already installed which is not always the case during the installation process it seems. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead since it's a distro default behavior that might be overriden by sysadmin later. - systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule that is can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in kernel. This change prevents the udev rules for acpi container be triggered by 'udevadm trigger' from user space. - build-sys: Explicitly require python3. (bsc#1082004) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1636-1 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1689-1 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. 
(bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1691-1 Released: Mon Aug 20 09:04:17 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1695-1 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). 
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1698-1 Released: Mon Aug 20 09:19:28 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1834-1 Released: Wed Sep 5 10:17:42 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1089761,1090944,1101040,1103910 Description: This update for systemd fixes the following issues: - cryptsetup: Add support for sector-size= option. (fate#325634) - resolved: Apply epoch to system time from PID 1. (bsc#1103910) - core/service: Rework the hold-off time over message. - core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. 
(bsc#1089761) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1903-1 Released: Fri Sep 14 12:46:21 2018 Summary: Security update for curl Type: security Severity: moderate References: 1089533,1106019,CVE-2018-14618 Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1969-1 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. 
- libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1985-1 Released: Mon Sep 24 11:56:08 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1994-1 Released: Mon Sep 24 12:55:57 2018 Summary: Security update for shadow Type: security Severity: moderate References: 1106914 Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2069-1 Released: Fri Sep 28 08:01:25 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737 Description: This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2162-1 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1088921 Description: This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. 
(bsc#1088921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2181-1 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). - CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2196-1 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2217-1 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1094121,1107430 Description: This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. - Avoid `xtrace' attack over $PS4. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2373-1 Released: Mon Oct 22 14:43:47 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1077692,943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. 
An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This non-security issue was fixed: - Use ksym-provides tool [bsc#1077692] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2435-1 Released: Wed Oct 24 14:42:43 2018 Summary: Recommended update for systemd Type: recommended Severity: important References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901 Description: This update for systemd fixes the following issues: - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254) - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753) - socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901) - user at .service: don't kill user manager at runlevel switch (bsc#1091677) - units: make sure user at .service runs with dbus still up - fix race between daemon-reload and other commands (bsc#1105031) - nspawn: always use mode 555 for /sys (bsc#1107640) - cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990) - Enable or disable machines.target according to the presets (bsc#1107941) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2475-1 Released: Thu Oct 25 16:56:24 2018 Summary: Recommended update 
for libzypp Type: recommended Severity: moderate References: 1099982,1109877,408814,556664,939392 Description: This update for libzypp fixes the following issues: - Add filesize check for downloads with known size (bsc#408814) - Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664) - Fix blocking wait for finished child process (bsc#1109877) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2488-1 Released: Fri Oct 26 12:39:59 2018 Summary: Recommended update for cpio Type: recommended Severity: low References: 1076810,889138 Description: This update for cpio provides the following fix: - Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2516-1 Released: Mon Oct 29 16:14:48 2018 Summary: Recommended update for console-setup, kbd Type: recommended Severity: moderate References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958 Description: This update for kbd and console-setup provides the following fixes: Changes in console-setup: - Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426) - Make the package build reproducible. (bsc#1062303) - Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942) Changes in kbd: - Update to version 2.0.4, including the following fixes (FATE#325454): * Disable characters greater than or equal to =U+F000 as they do not work properly. (bsc#1085432) * Move initial NumLock handling from systemd back to kbd: * Add kbdsettings service. (bsc#1010880) * Exclude numlockbios support for non x86 platforms * Drop references to KEYTABLE and COMPOSETABLE. 
(bsc#1010880) * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454) * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468) * Add vlock.pamd PAM file. (bsc#1056449) * Enable vlock (bsc#1056449). * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that needs this to be present. (bsc#1027379) * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958) * Fix missing dependency on coreutils for initrd macros. (bsc#958562) * Call missing initrd macro at postun. (bsc#958562) * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426) * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426) * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426) * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign. (bsc#360993) * Drop doshell reference from openvt.1 man page. (bsc#675317) * Drop the --userwait option as it is not used. (bsc#830805) * Fix a typo in the mac-querty-layout.inc. (bsc#825385) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2525-1 Released: Tue Oct 30 09:22:45 2018 Summary: Recommended update for bash Type: recommended Severity: important References: 1113117 Description: This update for bash fixes the following issues: Recently released update introduced a change of behavior which resulted in broken customers scripts. 
(bsc#1113117) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2563-1 Released: Fri Nov 2 17:09:49 2018 Summary: Security update for curl Type: security Severity: moderate References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842 Description: This update for curl fixes the following issues: - CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758) - CVE-2018-16842: A Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2567-1 Released: Fri Nov 2 18:59:06 2018 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1047937,1057150,1057900,1099452,906858 Description: This update for apparmor provides the following fixes: - Add profile for usr.bin.lessopen.sh (bsc#906858) - Fix dovecot apparmor profile (bsc#1057150) - Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937) - Fix the traceroute profile to allow ipv6 usage (bsc#1057900) - Fix duplicate entry of capability when performing aa-logprof (bsc#1099452) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2593-1 Released: Wed Nov 7 11:04:00 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1095148,1113100 Description: This update for rpm fixes the following issues: - Fix superfluous TOC. 
dependency on PowerPC64 (bsc#1113100) - Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2659-1 Released: Wed Nov 14 14:14:41 2018 Summary: Security update for systemd Type: security Severity: important References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non-security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user at .service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - socket-util: introduce port argument in sockaddr_port() - service: fixup ExecStop for socket-activated shutdown (#4120) - service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923) - cryptsetup: build fixes for 'add support for sector-size= option' - udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278) - core: keep the kernel coredump 
defaults when systemd-coredump is disabled - core: shorten main() a bit, split out coredump initialization - core: set RLIMIT_CORE to unlimited by default (bsc#1108835) - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - tmp.mount.hm4: After swap.target (#3087) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2760-1 Released: Thu Nov 22 16:25:38 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652). - CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534). - Add missing timing side channel patch for DSA signature generation (bsc#1113742). Non-security issues fixed: - Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2766-1 Released: Fri Nov 23 17:07:27 2018 Summary: Security update for rpm Type: security Severity: important References: 943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS, they have already been released for SUSE Linux Enterprise Server 12 SP3. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1697-1 Released: Fri Nov 23 17:08:32 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. 
(bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1696-1 Released: Mon Nov 26 17:46:39 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1618-1 Released: Tue Nov 27 13:39:49 2018 Summary: Security update for util-linux Type: security Severity: moderate References: 1072947,1078662,1080740,1084300,CVE-2018-7738 Description: This update for util-linux fixes the following issues: This non-security issue was fixed: - CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300). These non-security issues were fixed: - Fixed crash loop in lscpu (bsc#1072947). - Fixed possible segfault of umount -a - Fixed mount -a on NFS bind mounts (bsc#1080740). - Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2824-1 Released: Mon Dec 3 15:34:09 2018 Summary: Security update for ncurses Type: security Severity: important References: 1115929,CVE-2018-19211 Description: This update for ncurses fixes the following issue: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2836-1 Released: Wed Dec 5 09:29:31 2018 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1111965,1113125 Description: This update for apparmor fixes the following issues: - Systemd aware apparmor.spec, remove old insserv from spec file (bsc#1113125) - Fix warnings produced because of use of uninitialized variables (bsc#1111965) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2840-1 Released: Wed Dec 5 09:57:54 2018 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1028304,1047247,1050467,1097665,1111251 Description: This update for permissions fixes the following issues: - Allow setuid root for start-suid tool of singularity (group only) bsc#1028304 - Allow setuid root for authbind binary (bsc#1111251) - A incorrect error message was adjusted (bsc#1047247 bsc#1097665) - Make btmp root:utmp (bsc#1050467) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2841-1 Released: Wed Dec 5 09:59:45 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1105236,1110661,1112858 Description: This update for glibc fixes the following issues: - Added more checks for valid ld.so.cache file (bsc#1110661) - Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858) - Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2906-1 Released: Tue Dec 11 21:48:05 2018 Summary: Recommended update for blog Type: recommended Severity: moderate References: 1071568 Description: This update for blog fixes the following issues: - Hardening of the console list generation (bsc#1071568) - Changed description of blog-plymouth in same manner as used by the release notes 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2947-1 Released: Mon Dec 17 08:51:28 2018 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,CVE-2017-17740 Description: This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:3029-1 Released: Fri Dec 21 17:34:05 2018 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1117355 Description: This update for libgcrypt provides the following fix: - Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:43-1 Released: Tue Jan 8 13:07:17 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 Description: This update for acl fixes the following issues: - quote: Escape literal backslashes (bsc#953659). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Type: security
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released: Mon Jan 21 13:53:58 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:

Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:
- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: Introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour the default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting up the inotify watch fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state, and that failure exit code prevented the hot-added memory block from being set online. (bsc#1076696)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Type: recommended
Severity: important
References: 1121450
Description:
This update for ncurses fixes the following issues:
- ncurses applications freezing (bsc#1121450)

From sle-updates at lists.suse.com Thu Jan 16 09:59:57 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:59:57 +0100 (CET)
Subject: SUSE-CU-2019:727-1: Security update of caasp/v4/registry
Message-ID: <20200116165957.6F08DF796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:727-1
Container Tags : caasp/v4/registry:2.6.2 , caasp/v4/registry:2.6.2-rev1 , caasp/v4/registry:2.6.2-rev1-build1.2
Severity : important
Type : security
References :
-----------------------------------------------------------------
The container caasp/v4/registry was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using the option -pg.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in ELF note headers (CVE-2014-3710).

This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Type: security
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Type: security
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Type: security
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with spaces.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released: Tue Feb 3 14:51:17 2015
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 913209
Description:
curl was updated to fix problems when operating in FIPS mode.

This patch re-enables the following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released: Tue Feb 3 16:30:16 2015
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer overread and to a crash of the application using libssh2_org.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to the -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.

The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of bounds
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and added support for them to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Type: security
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:

Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:287-1
Released: Fri Jul 3 23:20:01 2015
Summary: Initial update for the Containers-Module
Type: recommended
Severity: low
References: 918228,924438
Description:
This recommended update provides the initial version of docker and its dependencies, including images for SUSE Linux Enterprise Server 12 and 11-SP3, for the Containers-Module.

Fully supported as part of SUSE Linux Enterprise Server 12, enterprise-ready Docker from SUSE improves operational efficiency and is accompanied by easy-to-use tools to build, deploy and manage containers. SUSE provides pre-built images from a verified and trusted source. In addition, customers can create an on-premise registry behind the enterprise firewall, minimizing exposure to malicious attacks and providing better control of intellectual property.

As integral parts of SUSE Linux Enterprise Server, Docker and containers provide additional virtualization options to improve operational efficiency. SUSE Linux Enterprise Server includes the Xen and KVM hypervisors and is a perfect guest in virtual and cloud environments. With the addition of Docker, customers can build, ship and run containerized applications on SUSE Linux Enterprise Server in physical, virtual or cloud environments.

The efficient YaST management framework provides a simple overview of the available Docker images and allows customers to run and easily control Docker containers. In addition, the KIWI image-building tool has been extended to support the Docker build format.

SUSE's current Docker offering supports x86-64 servers, with support for other hardware platforms in the works.

For more information about Docker in SUSE Linux Enterprise Server, including a series of Docker mini-course videos, visit www.suse.com/promo/docker.html and www.suse.com/promo/sle.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Type: recommended
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Type: optional
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.

Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes.

The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).

The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. IBM zSeries z13 hardware support has also been added to gdb. (fate#318039)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:

Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)

Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin).

The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Type: recommended
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-UTF-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:628-1
Released: Tue Sep 29 21:39:37 2015
Summary: Recommended update for docker-distribution
Type: recommended
Severity: moderate
References: 948097
Description:
This update provides docker-distribution 2.1.1, which brings fixes and enhancements:
- Support for listing Registry repositories: A specification and implementation of the catalog API allows users to list the contents of a Registry.
- Manifests and layers can now be deleted by reference.
- New Storage Drivers: Aliyun OSS, Ceph, Openstack Swift.

For a comprehensive list of changes, please refer to the upstream change log at: https://github.com/docker/distribution/releases
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to the keyserver import filter (also boo#952347).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Type: security
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out-of-bounds read and a stack overflow (bsc#926826).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Type: recommended
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on an overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released: Fri Jan 8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type: recommended
Severity: moderate
References: 932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.

The various GNOME libraries and tools have been changed to use the default libgcrypt allocators. GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released: Thu Feb 4 15:51:22 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released: Thu Mar 3 15:58:18 2016
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 960820
Description:
This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:

Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.
A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Type: recommended
Severity: low
References: 967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released: Fri Apr 1 18:44:16 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released: Wed Apr 6 16:26:42 2016
Summary: Security update for gcc5
Type: security
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.

The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when the stack is misaligned. Fixes an internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Type: recommended
Severity: low
References: 970260
Description:
This update for bzip2 fixes the following issues:
- Fix the bzgrep wrapper, which always returned 0 as exit code when working on multiple archives, even when the pattern was not found.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:673-1
Released: Mon Apr 25 16:36:16 2016
Summary: Recommended update for docker-distribution
Type: recommended
Severity: moderate
References: 970507
Description:
This update provides docker-distribution 2.3.1, which brings the following fixes and enhancements:
- Allow uppercase characters in hostnames.
- Fix schema1 manifest etag and docker content digest header.
- Add option to disable signatures.
- To avoid any network use unless necessary, delay establishing authorization.
- Extend authChallenger interface to remove type cast.
- Enable proxying registries to downgrade fetched manifests to Schema 1.

This Docker Registry release is the first to support the Image Manifest Version 2, Schema 2 manifest format.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Type: recommended
Severity: important
References: 974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released: Thu May 19 22:38:01 2016
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 915846
Description:
This update for curl fixes the following issue:
- Fix 'Network is unreachable' error when ipv6 is not available but ipv4 is. This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 979629
Description:
This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing fips pattern (bsc#979629)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released: Tue Jun 7 09:48:12 2016
Summary: Security update for expat
Type: security
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:
Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released: Tue Jun 7 10:58:37 2016
Summary: Security update for libksba
Type: security
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)
Also adding reliability fixes from v1.3.4.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 981616
Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released: Thu Jul 7 11:50:47 2016
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 986935
Description:
This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Type: security
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8 (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Type: security
Severity: moderate
References: 992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Type: security
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Type: optional
Severity: low
References: 983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.
Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.
Generic Optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit, which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
- Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
- Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.
C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
- -Wshift-negative-value warns about left shifting a negative value.
- -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
- -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
- -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
- -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
- -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.
C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.
C++ improvements:
- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.
libstdc++ improvements:
- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro has less run-time overhead than the full _GLIBCXX_DEBUG checks and doesn't affect the library ABI, so it can be enabled per translation unit.
Fortran improvements:
- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.
Architecture improvements:
- AArch64 received a lot of improvements.
IA-32/x86-64 improvements:
- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.
PowerPC / PowerPC64 / RS6000 improvements:
- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
- -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
- -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
- -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
- -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
- -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
- -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
- -mpower9-minmax: Reserved for future development.
- -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.
S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible with the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)
Also the following bug was fixed:
- fixing a performance issue (bsc#991746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released: Wed Nov 2 12:07:51 2016
Summary: Security update for curl
Type: security
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released: Mon Nov 7 20:01:31 2016
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1002975
Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1006469,958369,979436
Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi-sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. (bsc#958369)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1744-1
Released: Fri Dec 2 11:42:41 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.
These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).
These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1782-1
Released: Fri Dec 9 13:35:02 2016
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1001790,1004289,1005404,1006372,1006690,989831,991443
Description:
This update for systemd provides the following fixes:
- Allow to redirect confirmation messages to a different console. (bsc#1006690)
- Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831)
- Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289)
- Don't emit space usage message right after opening the persistent journal. (bsc#991443)
- Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. (bsc#1006372)
- Document that *KeyIgnoreInhibited only apply to a subset of locks.
- Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404)
- Revert 'kbd-model-map: add more mappings offered by Yast'.
- Don't busy loop when we get a notification message we can't process.
- Rename kbd-model-map-extra into kbd-model-map.legacy.
- Add kbd-model-map-extra file which contains the additional maps needed by YaST.
- Drop localfs.service: unused and not needed anymore.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1827-1
Released: Thu Dec 15 12:41:10 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.
These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1863-1 Released: Wed Dec 21 10:41:35 2016 Summary: Recommended updated for pth Type: recommended Severity: low References: 1013286 Description: This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released: Mon Jan 2 08:35:08 2017
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580)
- CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
- Incompatible declarations for external linkage function deflate (bsc#1003577)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:6-1
Released: Tue Jan 3 15:01:58 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538
Description:
This update for systemd fixes the following issues:
- core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
- fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Ship kbd-model-map with the correct contents. (bsc#1015515)
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
- tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
- nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
- systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:32-1
Released: Mon Jan 9 11:50:42 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 994794
Description:
This update for dirmngr enables support for daemon mode.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:47-1
Released: Wed Jan 11 11:42:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1018214,1018399
Description:
This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:98-1
Released: Thu Jan 19 10:17:55 2017
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 998906
Description:
This update for kmod fixes a rare race condition while loading modules.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:99-1
Released: Thu Jan 19 10:35:21 2017
Summary: Security update for apache2
Type: security
Severity: moderate
References: 1013648,CVE-2016-8740
Description:
This update for apache2 fixes the following issues:
- CVE-2016-8740: Server memory can be exhausted and service denied when HTTP/2 is used [bsc#1013648]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:149-1
Released: Wed Jan 25 09:17:08 2017
Summary: Security update for systemd
Type: security
Severity: important
References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:
This update for systemd fixes the following issues:

This security issue was fixed:
- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).

These non-security issues were fixed:
- Fix permission set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released: Thu Feb 2 18:22:37 2017
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.

This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

This non-security issue was fixed:
- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:192-1
Released: Fri Feb 3 18:46:05 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:209-1
Released: Tue Feb 7 17:00:47 2017
Summary: Recommended update for libseccomp
Type: recommended
Severity: low
References: 1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1
Released: Wed Feb 8 13:07:24 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released: Fri Feb 10 15:39:32 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)

Security issues fixed:
- CVE-2016-7055: The x86_64 optimized Montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)

Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfilesd files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276)
- Properly require logrotate as we need it for the dirmngr configs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:365-1
Released: Fri Mar 10 15:16:59 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1006175
Description:
This update for sg3_utils fixes the following issue:
- Add udev rules to handle legacy CCISS devices (bsc#1006175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:389-1
Released: Thu Mar 16 14:16:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:
This update for systemd provides the following fixes:
- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:439-1
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Type: recommended
Severity: low
References: 1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:450-1
Released: Wed Mar 22 15:54:10 2017
Summary: Security update for apache2
Type: security
Severity: moderate
References: 1016712,1016714,1016715,1019380,CVE-2016-0736,CVE-2016-2161,CVE-2016-8743
Description:
This update for apache2 fixes the following security issues:

Security issues fixed:
- CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712).
- CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714).
- CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715).
Bugfixes:
- Add missing copy of hcuri and hcexpr from the worker to the health check worker (bsc#1019380).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released: Fri Mar 24 21:58:07 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package. (bsc#1015943)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:464-1
Released: Mon Mar 27 15:50:51 2017
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1007851,1029725,1029900
Description:
This update for glibc fixes a potential segmentation fault in libpthread:
- Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:580-1
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Type: recommended
Severity: important
References: 1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types [bsc#1028410]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:609-1
Released: Tue Apr 18 11:28:14 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:732-1
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1030621
Description:
This update for procps fixes the following issues:
- Command w(1) with option -n doesn't work. (bsc#1030621)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:735-1
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:751-1
Released: Thu May 11 17:14:30 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:
This update for systemd provides the following fixes:
- logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as 'unchanged'. (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398)
- core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh.
  (bsc#1030290)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:794-1
Released: Tue May 16 15:41:09 2017
Summary: Security update for bash
Type: security
Severity: moderate
References: 1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.

Additionally, the popd built-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:799-1
Released: Wed May 17 00:21:13 2017
Summary: Recommended update for glibc
Type: recommended
Severity: low
References: 1026224,1035445
Description:
This update for glibc introduces basic support for IBM POWER9 systems.

Additionally, an improper assert in dlclose() has been removed.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:865-1
Released: Wed May 24 16:23:20 2017
Summary: Security update for pam
Type: security
Severity: moderate
References: 1015565,1037824,934920,CVE-2015-3238
Description:
This update for pam fixes the following issues:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- Log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565).
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:873-1
Released: Fri May 26 16:19:47 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1009532,960273
Description:
This update for e2fsprogs provides the following fixes:
- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:877-1
Released: Mon May 29 15:11:48 2017
Summary: Recommended update for cryptsetup
Type: recommended
Severity: low
References: 1031998
Description:
This update for cryptsetup provides the following fix:
- Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:891-1
Released: Tue May 30 22:28:21 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:907-1
Released: Thu Jun 1 14:23:36 2017
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1003978,1031643
Description:
This update for shadow fixes the following issues:
- Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643)
- useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID range was iterated to find an available UID/GID. This could take a long time over a network device. Instead, find available UID/GID locally, and then check only those values over network. (bsc#1003978)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:918-1
Released: Tue Jun 6 12:35:44 2017
Summary: Recommended update for libsemanage, selinux-policy
Type: recommended
Severity: moderate
References: 1020143,1032445,1035818,1038189
Description:
This update for libsemanage, selinux-policy fixes the following issues:
- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:939-1
Released: Mon Jun 12 10:56:22 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:
* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:959-1
Released: Wed Jun 14 14:38:11 2017
Summary: Recommended update for gcc5
Type: recommended
Severity: low
References: 1043580
Description:
This update for gcc5 fixes the version of libffi in its pkg-config configuration file.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:962-1
Released: Wed Jun 14 16:33:07 2017
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)

Non security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released: Mon Jun 19 14:57:41 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released: Mon Jun 19 17:19:44 2017
Summary: Security update for glibc
Type: security
Severity: important
References: 1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:
- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357]
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released: Fri Jun 23 16:38:55 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1038194
Description:
This update for e2fsprogs provides the following fixes:
- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released: Mon Jun 26 08:12:24 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released: Mon Jun 26 13:22:26 2017
Summary: Recommended update for libsemanage, policycoreutils
Type: recommended
Severity: low
References: 1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:
- Show version numbers of modules where they are available (bsc#1043237)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1062-1
Released: Wed Jun 28 21:14:17 2017
Summary: Security update for apache2
Type: security
Severity: moderate
References: 1035829,1041830,1045060,1045062,1045065,CVE-2017-3167,CVE-2017-3169,CVE-2017-7679
Description:
This update for apache2 provides the following fixes:

Security issues fixed:
- CVE-2017-3167: In Apache, use of httpd ap_get_basic_auth_pw() outside of the authentication phase could lead to authentication requirements bypass (bsc#1045065)
- CVE-2017-3169: mod_ssl may dereference a NULL pointer, which could lead to denial of service (bsc#1045062)
- CVE-2017-7679: mod_mime can buffer over-read by 1 byte, potentially leading to a crash or information disclosure (bsc#1045060)

Non-Security issues fixed:
- Remove /usr/bin/http2 symlink only during apache2 package uninstall, not upgrade. (bsc#1041830)
- In gensslcert, use hostname when fqdn is too long. (bsc#1035829)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released: Fri Jun 30 10:54:06 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1045943
Description:
This update for dirmngr provides the following fix:
- Change logrotate from Requires to Recommends (bsc#1045943)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released: Fri Jun 30 15:36:17 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released: Tue Jul 4 16:13:55 2017
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:

Security issue fixed:
- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)

The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303). The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released: Thu Jul 6 11:37:18 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released: Fri Jul 7 11:23:20 2017
Summary: Recommended update for ncurses
Type: security
Severity: important
References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)

Bugfixes:
- Drop patch ncurses-5.9-environment.dif as the YaST2 ncurses GUI does not need it anymore and it also causes bug bsc#1000662

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1143-1
Released: Wed Jul 12 15:49:13 2017
Summary: Recommended update for Docker, RunC, Containerd
Type: recommended
Severity: moderate
References: 1026827,1028113,1028638,1028639,1030702,1032287,1032644,1032769,1034053,1034063,1037436,1037607,1038476,1038493,1040618,953182,964546,996303,CVE-2017-8932
Description:
This update for Containerd, Docker and RunC provides several fixes and enhancements.

Containerd:
- Update containerd to the version needed for docker-v17.04.0-ce. (bsc#1034053)
- Fix spurious messages filling journal. (bsc#1032769)
- Set TasksMax=infinity to make sure runC doesn't start failing randomly.

Docker:
- Update to version 17.04.0-ce. (bsc#1034053)
- Fix execids leaks due to bad error handling. (bsc#1037436)
- Make Apparmor's pkg/aaparser work on read-only root. (bsc#1037607)
- Improve Docker's systemd configuration. (bsc#1032287)
- Check if the docker binary is available before attempting to use it. (bsc#1038476)
- Build man pages for all architectures. (bsc#953182)
- Fix DNS resolution when Docker host uses 127.0.0.1 as resolver. (bsc#1034063)
- Enable Delegate=yes, since systemd will safely ignore lvalues it doesn't understand.
- Update SUSE secrets patch to handle bsc#1030702.
- Change lvm2 from Requires to Recommends: Docker usually uses a default storage driver, when it's not configured explicitly. This default driver then depends on the underlying system and gets chosen during installation. (bsc#1032644)
- Disable libseccomp for Leap 42.1, SLE 12 and 12-SP1, because docker needs a higher version. Otherwise, we get the error 'conditional filtering requires libseccomp version >= 2.2.1'. (bsc#1028639, bsc#1028638)
- Add a backport of fix to AppArmor lazy loading docker-exec case.
- Fix systemd TasksMax default which could throttle docker. (bsc#1026827)
- Enable pkcs11

For a comprehensive list of changes please refer to /usr/share/doc/packages/docker/CHANGELOG.md

RunC:
- Update version to the one required by docker-17.04.0-ce. (bsc#1034053)
- Make sure to ignore cgroup v2 mountpoints. (bsc#1028113)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released: Fri Jul 14 17:20:26 2017
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connection (bsc#1031702)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released: Wed Jul 19 11:12:51 2017
Summary: Security update for systemd, dracut
Type: security
Severity: important
References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:

Security issues fixed:
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

Non-security issues fixed in systemd:
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

Non-security issues fixed in dracut:
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft). (bsc#1037120)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1220-1
Released: Wed Jul 26 14:16:15 2017
Summary: Security update for apache2
Type: security
Severity: moderate
References: 1023616,1043055,1048576,CVE-2017-9788
Description:
This update for apache2 fixes the following issues:

Security issue fixed:
- CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest.
(bsc#1048576) Bug fixes: - Include individual sysconfig.d files instead of the whole sysconfig.d directory. - Include sysconfig.d/include.conf after httpd.conf is processed. (bsc#1023616, bsc#1043055) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1222-1 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1034563,1039941 Description: This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1245-1 Released: Thu Aug 3 10:43:15 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445 Description: This update for systemd provides several fixes and enhancements. Security issues fixed: - CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614) - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. 
(bsc#1045290) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. 
- Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1268-1 Released: Mon Aug 7 10:09:19 2017 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364 Description: This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation: - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908) - Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175) - Fix x86 extended feature detection (bsc#1029523) - Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environmental variable (bsc#1028723) - s_client sent empty client certificate (bsc#1028281) Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. - Fix a bug in XTS key handling (bsc#1019637) - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1279-1 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Type: security Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. 
(bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1316-1 Released: Thu Aug 10 13:54:27 2017 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1014471,1026825,1044840,938657 Description: This update for cyrus-sasl provides the following fixes: - Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence 'GSSAPI client step 1' debug log message (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1326-1 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Type: security Severity: low References: 1038444,CVE-2017-8872 Description: This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1330-1 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Type: recommended Severity: low References: 954661 Description: This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. 
(bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 Description: This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1334-1 Released: Tue Aug 15 20:09:03 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1048679,874665 Description: This update for systemd fixes the following issues: - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1335-1 Released: Wed Aug 16 11:24:21 2017 Summary: Security update for curl Type: security Severity: moderate References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101 Description: This update for curl fixes the following issues: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 Description: This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1349-1 Released: Fri Aug 18 12:31:07 2017 Summary: Recommended update for lua51 Type: recommended Severity: low References: 1051626 Description: This update for lua51 provides the following fixes: - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1390-1 Released: Fri Aug 25 15:14:27 2017 Summary: Security update for libzypp Type: security Severity: important References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984) - Fix gpg-pubkey release (creation time) computation. (bsc#1036659) - Update lsof blacklist. (bsc#1046417) - Re-probe on refresh if the repository type changes. (bsc#1048315) - Propagate proper error code to DownloadProgressReport. (bsc#1047785) - Allow to trigger an appdata refresh unconditionally. (bsc#1009745) - Support custom repo variables defined in /etc/zypp/vars.d. yast2-pkg-bindings: - Do not crash when the repository URL is not defined. 
(bsc#1043218) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1419-1 Released: Wed Aug 30 15:38:22 2017 Summary: Security update for expat Type: security Severity: moderate References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233 Description: This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1439-1 Released: Fri Sep 1 15:31:05 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1045384,1045987,1046268,1047379,1048605 Description: This update for systemd fixes the following issues: - Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605) - compat-rules: drop the bogus 'import everything' rule (bsc#1046268) - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379) - udev/path_id: introduce support for NVMe devices (bsc#1045987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1447-1 Released: Mon Sep 4 15:38:20 2017 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Adapt to work with GnuPG 2.1.23. (bsc#1054088) - Support signing with subkeys. (bsc#1008325) - Enhance sort order for media.1/products. (bsc#1054671) zypper: - Also show a gpg key's subkeys. (bsc#1008325) - Improve signature check callback messages. (bsc#1045735) - Add options to tune the GPG check settings. (bsc#1045735) - Adapt download callback to report and handle unsigned packages. 
(bsc#1038984, CVE-2017-7436) - Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1450-1 Released: Mon Sep 4 16:36:07 2017 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 1035062,944903 Description: This update for insserv-compat fixes the following issues: - Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062) - Fix directory argument parsing. (bsc#944903) - Add perl(Getopt::Long) to list of requirements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1453-1 Released: Mon Sep 4 21:23:50 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1043333,1046659,1047008 Description: This update for libgcrypt fixes the following issues: - libgcrypt stored an open file descriptor to the random device in a static variable between invocations. 
gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333) - Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659) * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer - fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659) - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1548-1 Released: Fri Sep 15 18:19:12 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1005063,1009269,1012523,1025176,1050767,1050943 Description: This update for sg3_utils provides the following fixes: - Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176) - In case the VPD sysfs attributes are missing or cannot be accessed, fallback to use sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523) - Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063) - Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943) - Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767) - Make sure initrd is rebuilt on sg3_utils updates. 
(bsc#1009269) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1572-1 Released: Thu Sep 21 15:32:04 2017 Summary: Security update for apache2 Type: security Severity: moderate References: 1058058,CVE-2017-9798 Description: This update for apache2 fixes the following security issue: - CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1592-1 Released: Tue Sep 26 17:38:03 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1028485,1045628,978055,998893,999878 Description: This update for lvm2 provides the following fixes: - Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485) - Try to refresh clvmd's device cache on the first failure. (bsc#978055) - Fix stale device cache in clvmd. (bsc#978055) - Warn if PV size in metadata is larger than disk device size. (bsc#999878) - Fix lvm2 activation issue when used on top of multipath. (bsc#998893) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1644-1 Released: Mon Oct 9 07:52:24 2017 Summary: Security update for krb5 Type: security Severity: moderate References: 1032680,1054028,1056995,903543,CVE-2017-11462 Description: This update for krb5 fixes several issues. This security issue was fixed: - CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995) These non-security issues were fixed: - Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028) - Prevent kadmind.service startup failure caused by absence of LDAP service. 
(bsc#903543) - Remove main package's dependency on systemd (bsc#1032680) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1663-1 Released: Tue Oct 10 12:05:09 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1043615,1046173 Description: This update for dbus-1 provides the following fixes: - Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1703-1 Released: Tue Oct 17 13:20:12 2017 Summary: Recommended update for audit Type: recommended Severity: low References: 1042781 Description: This update for audit provides the following fix: - Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1758-1 Released: Mon Oct 23 08:47:47 2017 Summary: Security update for curl Type: security Severity: moderate References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876) - CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824) Bugs fixed: - Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1796-1 Released: Fri Oct 27 21:25:06 2017 Summary: Recommended update for pcre Type: recommended Severity: moderate References: 1058722 Description: This update for pcre fixes the following issues: - Fixed the pcre stack frame size detection because modern compilers break it due to cloning and 
inlining pcre match() function (bsc#1058722) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1797-1 Released: Sat Oct 28 12:06:19 2017 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1028304,1048645,1060738 Description: This update for permissions fixes the following issues: - Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. (bsc#1028304) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1826-1 Released: Wed Nov 8 08:47:17 2017 Summary: Security update for krb5 Type: security Severity: important References: 1065274,CVE-2017-15088 Description: This update for krb5 fixes the following issues: Security issues fixed: - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1829-1 Released: Wed Nov 8 08:50:00 2017 Summary: Security update for shadow Type: security Severity: moderate References: 1023895,1052261,980486,CVE-2017-12424 Description: This update for shadow fixes several issues. This security issue was fixed: - CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261). 
These non-security issues were fixed: - bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings - bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1881-1 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Type: security Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 Description: The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650) - CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651) - CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152) - CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253) - CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. 
(bsc#910253) Version update to file version 5.22 * add indirect relative for TIFF/Exif * restructure elf note printing to avoid repeated messages * add note limit, suggested by Alexander Cherepanov * Bail out on partial pread()'s (Alexander Cherepanov) * Fix incorrect bounds check in file_printable (Alexander Cherepanov) * PR/405: ignore SIGPIPE from uncompress programs * change printable -> file_printable and use it in more places for safety * in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name. Version update to file version 5.21 * there was an incorrect free in magic_load_buffers() * there was an out of bounds read for some pascal strings * there was a memory leak in magic lists * don't interpret strings printed from files using the current locale, convert them to ascii format first. * there was an out of bounds read in elf note reads Update to file version 5.20 * recognize encrypted CDF documents * add magic_load_buffers from Brooks Davis * add thumbs.db support Additional non-security bug fixes: * Fixed a memory corruption during rpmbuild (bsc#1063269) * Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511) * file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. 
(bsc#1009966) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1903-1 Released: Fri Nov 24 16:19:37 2017 Summary: Security update for perl Type: security Severity: moderate References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724) - CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721) - CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178) Bug fixes: - backport set_capture_string changes from upstream (bsc#999735) - reformat baselibs.conf as source validator workaround ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1916-1 Released: Fri Nov 24 20:15:01 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1043333,1059723 Description: This update for libgcrypt provides the following fix: - Fix a regression in a previous update which caused libgcrypt to leak file descriptors causing failures when starting rtkit-daemon. 
(bsc#1059723) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1917-1 Released: Mon Nov 27 13:32:07 2017 Summary: Optional update for gcc7 Type: recommended Severity: low References: 1056437,1062591,1062592 Description: The GNU Compiler GCC 7 is being added to the Toolchain Module by this update. New features: - Support for specific IBM Power9 processor instructions. - Support for specific IBM zSeries z14 processor instructions. - New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support. The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1965-1 Released: Thu Nov 30 12:48:45 2017 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410 Description: The Software Update Stack was updated to receive fixes and enhancements. libsolv: - Many fixes and improvements for cleandeps. - Always create dup rules for 'distupgrade' jobs. - Use recommends also for ordering packages. - Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065) - Expose solver_get_recommendations() in bindings. - Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations(). - Support 'without' and 'unless' dependencies. - Use same heuristic as upstream to determine source RPMs. - Fix memory leak in bindings. 
- Add pool_best_solvables() function. - Fix 64bit integer parsing from RPM headers. - Enable bzip2 and xz/lzma compression support. - Enable complex/rich dependencies on distributions with RPM 4.13+. libzypp: - Fix media handling in presence of a repo path prefix. (bsc#1062561) - Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561) - Remove unused legacy notify-message script. (bsc#1058783) - Support multiple product licenses in repomd. (fate#322276) - Propagate 'rpm --import' errors. (bsc#1057188) - Fix typos in zypp.conf. zypper: - Locale: Fix possible segmentation fault. (bsc#1064999) - Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384) - Unify '(add|modify)(repo|service)' property related arguments. - Fixed 'add' commands supporting to set only a subset of properties. - Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671) - Fix missing package names in installation report. (bsc#1058695) - Differ between unsupported and packages with unknown support status. (bsc#1057634) - Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1966-1 Released: Thu Nov 30 13:45:24 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249 Description: This update for systemd fixes the following issues: - unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. 
  (bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow specifying the generation number through the kernel command line.
- scsi_id: Fix up prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs check. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert the /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1968-1
Released:    Thu Nov 30 19:49:33 2017
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    low
References:  1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:

- Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example it no longer hangs with problematic NFS mounted via systemd.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists.
  (bsc#965780)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1970-1
Released:    Thu Nov 30 22:55:41 2017
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:

Security issues fixed:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2021-1
Released:    Fri Dec 8 10:11:04 2017
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1070878,1070958
Description:
This update for file fixes detection of JPEG files.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2031-1
Released:    Mon Dec 11 12:55:57 2017
Summary:     Recommended update for gzip
Type:        recommended
Severity:    low
References:  1067891
Description:
This update for gzip provides the following fix:

- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2036-1
Released:    Wed Dec 13 16:34:21 2017
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    low
References:  1039276,1040968,1055446,1066500
Description:
This update for util-linux provides the following fixes:

- Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968)
- Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446)
- Fix a lscpu failure on the Sydney Amazon EC2 region.
  (bsc#1066500)
- If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2039-1
Released:    Wed Dec 13 17:10:24 2017
Summary:     Security update for libapr-util1
Type:        security
Severity:    moderate
References:  1064990,CVE-2017-12618
Description:
This update for libapr-util1 fixes the following issues:

Security issue fixed:
- CVE-2017-12618: DoS via crafted SDBM database files in apr_sdbm*() functions (bsc#1064990)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2097-1
Released:    Sat Dec 16 01:59:00 2017
Summary:     Security update for openssl
Type:        security
Severity:    important
References:  1071905,1071906,CVE-2017-3737,CVE-2017-3738
Description:
This update for openssl fixes the following issues:

- OpenSSL Security Advisory [07 Dec 2017]
  * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 'error state' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.
    (bsc#1071905)
  * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2137-1
Released:    Thu Dec 21 17:49:12 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1046173,1071698
Description:
This update for dbus-1 provides the following fixes:

- The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:4-1
Released:    Tue Jan 2 15:58:20 2018
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:
- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange.
  (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)

zypper:
- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:38-1
Released:    Tue Jan 9 14:56:43 2018
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  1070209
Description:
This update for kmod provides the following fixes:

- Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:55-1
Released:    Fri Jan 12 09:45:49 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:

- A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
- A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
- A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has been fixed.
  [bsc#1063675]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:86-1
Released:    Wed Jan 17 09:38:17 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released:    Wed Jan 17 14:41:17 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released:    Wed Jan 17 14:44:33 2018
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    low
References:  1063051,1067312
Description:
This update for lvm2 provides the following fixes:

- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages on testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd.
  (bsc#1067312)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released:    Thu Jan 25 11:44:23 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1064397,1065083
Description:
This update for openldap2 provides the following fixes:

- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released:    Thu Jan 25 13:38:37 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.

This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:179-1
Released:    Mon Jan 29 11:41:10 2018
Summary:     Recommended update for apache2
Type:        security
Severity:    moderate
References:  1042037,1045160,1048575,1057406,CVE-2017-7659,CVE-2017-9789
Description:
This update for apache2 fixes several issues.

These security issues were fixed:
- CVE-2017-9789: When under stress (closing many connections) the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour (bsc#1048575).
- CVE-2017-7659: A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process (bsc#1045160).
These non-security issues were fixed:
- Use the full path to a2enmod and a2dismod in the apache-22-24-upgrade script (bsc#1042037)
- Fall back to 'localhost' as hostname in gensslcert (bsc#1057406)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released:    Tue Jan 30 10:53:43 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.

These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released:    Tue Jan 30 14:36:40 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.

This security issue was fixed:
- CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308).

These non-security issues were fixed:
- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files.
  (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released:    Tue Jan 30 14:37:42 2018
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.

This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER encoded structure that allowed for DoS (bsc#1076832).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released:    Thu Feb 8 17:47:43 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes the following issues.

These security issues were fixed:
- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released:    Mon Feb 12 11:50:39 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    low
References:  1057452,1076909
Description:
This update for bash provides the following fixes:

- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released:    Thu Feb 15 14:47:35 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:

Security issues fixed:
- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)

Non security bugs fixed:
- Release read lock after resetting timeout (bsc#1073990)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:336-1
Released:    Wed Feb 21 14:26:52 2018
Summary:     Security update for libdb-4_8
Type:        security
Severity:    moderate
References:  1043886
Description:
This update for libdb-4_8 fixes the following issues:

- A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. (bsc#1043886)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released:    Mon Feb 26 16:34:46 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:

Security issue fixed:
- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on.
  This could be used by local attackers to gain privileges (bsc#1077925)

Non Security issues fixed:
- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com
- Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224). But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released:    Wed Feb 28 16:33:37 2018
Summary:     Recommended update for net-tools
Type:        recommended
Severity:    low
References:  1009905,1063910
Description:
This update for net-tools provides the following fix:

- netstat: fix handling of large socket numbers (bsc#1063910)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released:    Fri Mar 9 14:05:22 2018
Summary:     Security update for augeas
Type:        security
Severity:    low
References:  1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:

Security issue fixed:
- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mishandled by parse_name() (bsc#1054171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released:    Fri Mar 9 18:02:14 2018
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:

- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released:    Mon Mar 12 13:13:55 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:

- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released:    Thu Mar 15 07:38:52 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:

- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released:    Thu Mar 15 10:47:40 2018
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    low
References:  1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:

libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.

libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)

zypper:
- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released:    Thu Mar 22 08:20:46 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:

The following security issues were fixed:
- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released:    Thu Mar 29 14:02:08 2018
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:

Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).

Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos.
  System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:582-1
Released:    Tue Apr 3 18:42:55 2018
Summary:     Security update for docker-distribution
Type:        security
Severity:    moderate
References:  1033172,1049850,1083474,CVE-2017-11468
Description:
This update for docker-distribution fixes the following issues:

Security issues fixed:
- CVE-2017-11468: Fixed a denial of service (memory consumption) via the manifest endpoint (bsc#1049850).

Bug fixes:
- bsc#1083474: docker-distribution-registry overwrites configuration file with update.
- bsc#1033172: Garbage collector needed - or kindly release docker-distribution-registry in Version 2.4.
- Add SuSEfirewall2 service file for TCP port 5000.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released:    Thu Apr 5 17:22:37 2018
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.

This security issue was fixed:
- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released:    Wed Apr 11 18:02:57 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:

- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. (bsc#1087102)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released:    Wed Apr 25 14:14:41 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released:    Wed Apr 25 14:23:49 2018
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:

Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file.
  (bsc#1082318)

Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released:    Wed May 2 22:16:26 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:

- Fix find-lang.sh to handle the special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal to or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found.
(bsc#1069934) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:797-1 Released: Mon May 7 07:07:38 2018 Summary: Recommended update for gcc7 Type: recommended Severity: important References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930 Description: This update for gcc7 to 7.3 release fixes the following issues: - Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812). - The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946] - Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621] - Update includes a fix for chromium build failure. [bsc#1083290] - Various AArch64 compile fixes are included: * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419. * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930] * Enable --enable-fix-cortex-a53-835769 for aarch64. * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667] * Fixed bogus stack probe instruction on ARM. [bsc#1068967] - Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550] - Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel. 
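The rpm advisory SUSE-RU-2018:779-1 above describes %rpm_vercmp and %pkg_vcmp only by their inputs and return values. The block below is an added example written for this page; it is not SUSE's macro code or librpm. It ports, as I understand it, the segment-by-segment ordering RPM applies to version strings (a tilde sorts before anything including end of string, a caret sorts after the bare base version, numeric segments beat alphabetic ones, and among numeric segments the longer run after stripping leading zeros wins), then wraps it in an epoch:version-release comparison with the same six operators %pkg_vcmp accepts. Treat the port as an assumption about librpm's behaviour and cross-check it with `rpm --eval` of the real macros on a SUSE system before relying on it.

```python
"""RPM version ordering, reimplemented in Python (added example, not SUSE/librpm code)."""
import re

# Tokenize a version string into the segments RPM compares: digit runs, letter runs,
# and the two special separators '~' and '^'. Every other character is a separator.
_SEGMENT_RE = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 if version string *a* sorts before, equal to, or after *b*.

    Assumption: this mirrors librpm's rpmvercmp() segment algorithm.
    """
    if a == b:
        return 0
    one, two = _SEGMENT_RE.findall(a), _SEGMENT_RE.findall(b)
    i = j = 0
    while i < len(one) or j < len(two):
        s1 = one[i] if i < len(one) else None
        s2 = two[j] if j < len(two) else None
        # '~' (pre-release marker) sorts before everything, including end of string.
        if s1 == "~" or s2 == "~":
            if s1 != "~":
                return 1
            if s2 != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' (post-release marker): like '~', except the bare base version sorts lower.
        if s1 == "^" or s2 == "^":
            if s1 is None:
                return -1
            if s2 is None:
                return 1
            if s1 != "^":
                return 1
            if s2 != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if s1 is None or s2 is None:
            break  # one side ran out of segments; decided below
        if s1.isdigit():
            if not s2.isdigit():
                return 1  # numeric segment beats alphabetic segment
            n1, n2 = s1.lstrip("0"), s2.lstrip("0")
            if len(n1) != len(n2):
                return 1 if len(n1) > len(n2) else -1  # more digits means larger number
            if n1 != n2:
                return 1 if n1 > n2 else -1  # same length: lexical order is numeric order
        else:
            if s2.isdigit():
                return -1
            if s1 != s2:
                return 1 if s1 > s2 else -1  # plain strcmp on alphabetic segments
        i, j = i + 1, j + 1
    if i >= len(one) and j >= len(two):
        return 0  # only separators differed
    return -1 if i >= len(one) else 1  # whichever side still has segments wins


def parse_evr(evr):
    """Split '[epoch:]version[-release]' into (epoch, version, release); epoch defaults to '0'."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


# The six operators %pkg_vcmp accepts, applied to the sign of evrcmp().
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
        ">=": lambda c: c >= 0, ">": lambda c: c > 0, "!=": lambda c: c != 0}


def vcmp(installed_evr, op, wanted_evr):
    """Evaluate 'installed OP wanted', e.g. is the installed openssl at least the fixed release."""
    return _OPS[op](evrcmp(installed_evr, wanted_evr))


if __name__ == "__main__":
    # Version-release strings taken from package names on this page.
    print(vcmp("1.1.0i-4.26.1", "<", "1.1.0i-4.27.1"))  # installed build is older than the fix
```

The operators are applied to the sign of the comparison, so `vcmp(installed, ">=", fixed)` is the question an auditor actually asks of a changelog like this one: does the installed build already carry the advisory's release.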
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:803-1
Released:    Mon May 7 14:56:28 2018
Summary:     Security update for apache2
Type:        security
Severity:    moderate
References:  1086774,1086775,1086813,1086814,1086817,1086820,CVE-2017-15710,CVE-2017-15715,CVE-2018-1283,CVE-2018-1301,CVE-2018-1302,CVE-2018-1303,CVE-2018-1312
Description:
This update for apache2 fixes the following issues:

* CVE-2018-1283: when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a 'Session' header, leading to unexpected behavior [bsc#1086814].
* CVE-2018-1301: due to an out-of-bounds access after a size limit is reached while reading the HTTP header, a specially crafted request could lead to remote denial of service. [bsc#1086817]
* CVE-2018-1303: a specially crafted HTTP request header could lead to a crash due to an out-of-bounds read while preparing data to be cached in shared memory. [bsc#1086813]
* CVE-2017-15715: a regular expression could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename, leading to corruption of uploaded files. [bsc#1086774]
* CVE-2018-1312: when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. [bsc#1086775]
* CVE-2017-15710: mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all. [bsc#1086820]
* CVE-2018-1302: when an HTTP/2 stream was destroyed after being handled, it could have written a NULL pointer to already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations; the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk. [bsc#1086820]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:835-1
Released:    Wed May 9 19:58:59 2018
Summary:     Security update for libapr1
Type:        security
Severity:    moderate
References:  1064982,CVE-2017-12613
Description:
This update fixes the following issues:

- CVE-2017-12613: DoS or information disclosure in the apr_time_exp*() or apr_os_exp_time*() functions (bsc#1064982).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released:    Thu May 17 08:41:30 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:

Security issues fixed:

- CVE-2018-1000301: Fixed an RTSP bad-headers buffer over-read that could crash the curl client (bsc#1092098)

Non-security issues fixed:

- If the DEFAULT_SUSE cipher list is not available, use the HIGH cipher alias before failing. (bsc#1086825)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released:    Wed May 23 16:46:50 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:

- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released:    Wed May 23 17:14:16 2018
Summary:     Security update for bash
Type:        security
Severity:    moderate
References:  1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:

Security issues fixed:

- CVE-2016-7543: A code execution possibility via the SHELLOPTS and PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via a malicious hostname was fixed (bsc#1000396)

Non-security issues fixed:

- Fix repeated self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released:    Wed May 23 17:18:39 2018
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1071321
Description:
This update for zlib fixes the following issues:

- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released:    Tue Jun 5 13:20:44 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1089884
Description:
This update for pam fixes the following issues:

- Fix order of accessed configuration files in man page. (bsc#1089884)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released:    Wed Jun 6 11:44:25 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:

- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)

Non-security bugs fixed:

- Fix crash in resolver on memory allocation failure (bsc#1086690)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released:    Thu Jun 7 12:58:56 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1073879,1080078,964063
Description:
This update for rpm fixes the following issues:

- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros. (bsc#1080078)

Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.
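The CVE-2017-15715 entry in SUSE-SU-2018:803-1 above turns on a regex detail that is easy to miss: in PCRE, and likewise in Python's re module, an unanchored `$` matches not only at the end of the subject but also immediately before a single trailing newline. The block below is an added example written for this page, not code from httpd or the advisory. It models the mismatch the advisory describes with a hypothetical upload filter that rejects `.php` names by an exact suffix test and a `<FilesMatch "\.php$">`-style handler rule; `\Z` is the end-only anchor that closes the gap.

```python
"""Trailing-newline bypass of a '$'-anchored filename match (added example; not httpd code)."""
import re

# Vulnerable rule: '$' also matches just before a trailing "\n" (PCRE without DOLLAR_ENDONLY).
PHP_HANDLER_VULNERABLE = re.compile(r"\.php$")
# Hardened rule: '\Z' matches only at the very end of the string (PCRE '\z' / DOLLAR_ENDONLY semantics).
PHP_HANDLER_FIXED = re.compile(r"\.php\Z")


def upload_filter_blocks(filename):
    """Hypothetical front-end filter: exact suffix test, so 'evil.php\\n' slips through."""
    return filename.lower().endswith(".php")


def selects_php_handler(filename, pattern):
    """Would a <FilesMatch>-style rule with *pattern* route this file to the PHP handler?"""
    return pattern.search(filename) is not None


def classify(filename, fixed=False):
    """Return 'blocked', 'executed' or 'served-static' for an uploaded filename.

    'executed' with fixed=False is the CVE-2017-15715 condition: the upload filter let the
    name through, yet the server-side regex still hands it to the script handler.
    """
    if upload_filter_blocks(filename):
        return "blocked"
    pattern = PHP_HANDLER_FIXED if fixed else PHP_HANDLER_VULNERABLE
    return "executed" if selects_php_handler(filename, pattern) else "served-static"


if __name__ == "__main__":
    # Constructed filenames: the second one carries the trailing newline.
    for name in ("evil.php", "evil.php\n", "notes.txt"):
        print(repr(name), classify(name), classify(name, fixed=True))
```

The same reasoning applies to any allow/deny pair where one side uses `$` and the other an exact string test: the two checks must agree on what "end of name" means, or the gap between them is the vulnerability.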
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released:    Fri Jun 15 13:41:08 2018
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released:    Fri Jun 15 19:19:51 2018
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1090765
Description:
This update for openssl provides the following fix:

- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released:    Thu Jun 28 13:44:16 2018
Summary:     Security update for procps
Type:        security
Severity:    moderate
References:  1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released:    Thu Jul 5 08:36:17 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite, a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released:    Tue Jul 17 08:07:57 2018
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issues were fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

This non-security issue was fixed:

- Fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released:    Thu Jul 19 09:43:21 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released:    Thu Jul 26 16:32:29 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1413-1
Released:    Fri Jul 27 12:41:13 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released:    Mon Jul 30 10:10:45 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:
This update for pam provides the following fix:

- Added /etc/security/limits.d to the pam package. (bsc#1096282)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released:    Mon Aug 13 13:41:22 2018
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:

- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1575-1
Released:    Wed Aug 15 14:47:30 2018
Summary:     Security update for apache2
Type:        security
Severity:    moderate
References:  1101689,CVE-2018-1333
Description:
This update for apache2 fixes the following issues:

The following security vulnerability was fixed:

- CVE-2018-1333: Fixed a worker exhaustion that could have led to a denial of service via specially crafted HTTP/2 requests (bsc#1101689).
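Every record on this page shares one plain-text layout: a dashed separator, one "Field: value" line each for Advisory ID, Released, Summary, Type, Severity and References, then "Description:" and free text. The block below is an added example written for this page, not a SUSE tool; it parses that layout into structured records so the changelog can be filtered by severity or rolled up to the CVE list per package. The sample text inside it is constructed from three records that appear above (SUSE-SU-2018:624-1, SUSE-SU-2018:1077-1 and SUSE-RU-2018:1028-1), abbreviated to their headers and first lines.

```python
"""Parse SUSE changelog advisory records into dicts (added example; not SUSE tooling)."""
import re

SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
FIELD_RE = re.compile(r"^(Advisory ID|Released|Summary|Type|Severity|References):[ \t]*(.*)$", re.M)
SEPARATOR_RE = re.compile(r"^-{10,}[ \t]*$", re.M)

# Constructed sample, mirroring three records from the page in the page's own layout.
SAMPLE = """-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released:    Wed Apr 11 18:02:57 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:

- CVE-2018-0739: Constructed ASN.1 types with a recursive definition could exceed the stack (bsc#1087102).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released:    Wed Jun 6 11:44:25 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:

- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released:    Tue Jun 5 13:20:44 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1089884
Description:
This update for pam fixes the following issues:

- Fix order of accessed configuration files in man page. (bsc#1089884)
"""


def parse_advisories(text):
    """Return one dict per advisory record found in *text*, in document order."""
    records = []
    for chunk in SEPARATOR_RE.split(text):
        fields = dict(FIELD_RE.findall(chunk))
        if "Advisory ID" not in fields:
            continue  # text before the first separator, or an empty chunk
        # The References field mixes Bugzilla numbers and CVE ids; keep them apart.
        refs = [r.strip() for r in fields.get("References", "").split(",") if r.strip()]
        bugs = sorted(r for r in refs if r.isdigit())
        cves = {r for r in refs if CVE_RE.fullmatch(r)}
        # A description may name a CVE the References line omits; fold those in as well.
        desc = chunk.split("Description:", 1)[1] if "Description:" in chunk else ""
        cves.update(CVE_RE.findall(desc))
        summary = fields.get("Summary", "").strip()
        records.append({
            "id": fields["Advisory ID"].strip(),
            "released": fields.get("Released", "").strip(),
            "summary": summary,
            "type": fields.get("Type", "").strip(),
            "severity": fields.get("Severity", "").strip(),
            "bugs": bugs,
            "cves": sorted(cves),
            # "Security update for glibc" -> "glibc"; multi-package summaries keep the full list.
            "package": summary.rsplit(" for ", 1)[-1],
        })
    return records


def select(records, min_severity="moderate", security_only=True):
    """Keep records at or above *min_severity*; optionally only those with Type: security."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in records
            if SEVERITY_RANK.get(r["severity"], -1) >= floor
            and (not security_only or r["type"] == "security")]


def cves_by_package(records):
    """Roll up the CVE ids fixed per package across all records."""
    out = {}
    for r in records:
        out.setdefault(r["package"], set()).update(r["cves"])
    return {pkg: sorted(ids) for pkg, ids in out.items()}


if __name__ == "__main__":
    recs = parse_advisories(SAMPLE)
    for r in select(recs, "important"):
        print(r["id"], r["package"], ", ".join(r["cves"]))
```

Feeding the whole changelog (rather than the sample) through `parse_advisories` and then `select(recs, "important")` gives the short list an operator wants from a page like this: the security advisories that warrant a same-day rebuild rather than the next scheduled one.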
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1610-1 Released: Thu Aug 16 14:04:25 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1620-1 Released: Thu Aug 16 14:49:45 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1632-1 Released: Thu Aug 16 15:27:04 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096 Description: This update for systemd fixes the following issues: - core: In --user mode, report READY=1 as soon as basic.target is reached. - sd-bus: Extend D-Bus authentication timeout considerably. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096) - compat-rules: Generate more compat by-id symlinks for NVMe devices. 
(bsc#1095096) - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761) - rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables. - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - device: Skip deserialization of device units when udevd is not running. - install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search preset files in /run. - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890) - logind: Do not use an uninitialized variable. (bsc#1088890) - Disable user services by default. (bsc#1090785) - Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post which made the symlink not owned and more importantly it was created only if /etc/sysctl.conf is already installed which is not always the case during the installation process it seems. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead since it's a distro default behavior that might be overriden by sysadmin later. - systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule that is can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in kernel. This change prevents the udev rules for acpi container be triggered by 'udevadm trigger' from user space. - build-sys: Explicitly require python3. 
(bsc#1082004) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1636-1 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1689-1 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1691-1 Released: Mon Aug 20 09:04:17 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1695-1 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). 
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1698-1 Released: Mon Aug 20 09:19:28 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1834-1 Released: Wed Sep 5 10:17:42 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1089761,1090944,1101040,1103910 Description: This update for systemd fixes the following issues: - cryptsetup: Add support for sector-size= option. (fate#325634) - resolved: Apply epoch to system time from PID 1. (bsc#1103910) - core/service: Rework the hold-off time over message. - core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. 
(bsc#1089761) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1903-1 Released: Fri Sep 14 12:46:21 2018 Summary: Security update for curl Type: security Severity: moderate References: 1089533,1106019,CVE-2018-14618 Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1969-1 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. 
- libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1970-1 Released: Mon Sep 24 08:07:42 2018 Summary: Security update for apache2 Type: security Severity: moderate References: 1016715,1104826,CVE-2016-4975,CVE-2016-8743 Description: This update for apache2 fixes the following issues: Security issues fixed: - CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (bsc#1016715) - CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes which prohibit CR or LF injection into the 'Location' or other outbound header key or value. 
(bsc#1104826) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1985-1 Released: Mon Sep 24 11:56:08 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1994-1 Released: Mon Sep 24 12:55:57 2018 Summary: Security update for shadow Type: security Severity: moderate References: 1106914 Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2069-1 Released: Fri Sep 28 08:01:25 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737 Description: This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. 
An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2162-1 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1088921 Description: This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2181-1 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). 
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2196-1 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2217-1 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1094121,1107430 Description: This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. 
- Avoid `xtrace' attack over $PS4.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2373-1
Released: Mon Oct 22 14:43:47 2018
Summary: Security update for rpm
Type: security
Severity: moderate
References: 1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)
This non-security issue was fixed:
- Use ksym-provides tool [bsc#1077692]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released: Wed Oct 24 14:42:43 2018
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:
This update for systemd fixes the following issues:
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released: Thu Oct 25 16:56:24 2018
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:
- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released: Fri Oct 26 12:39:59 2018
Summary: Recommended update for cpio
Type: recommended
Severity: low
References: 1076810,889138
Description:
This update for cpio provides the following fix:
- Remove an obsolete patch that was causing cpio not to preserve folder permissions.
(bsc#1076810, bsc#889138)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Type: recommended
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:
Changes in console-setup:
- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires on kbd in order to resolve the build cycle between kbd and console-setup. (bsc#963942)
Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to =U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non x86 platforms
  * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
  * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock (bsc#1056449).
  * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that need this to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps.
    (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce the correct Unicode character for the Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released: Tue Oct 30 09:22:45 2018
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1113117
Description:
This update for bash fixes the following issues:
- A recently released update introduced a change of behavior which resulted in broken customers' scripts. (bsc#1113117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2541-1
Released: Tue Oct 30 17:20:58 2018
Summary: Security update for apache2
Type: security
Severity: important
References: 1109961,CVE-2018-11763
Description:
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2018-11763: In Apache HTTP Server, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming into effect. This affects only HTTP/2 connections.
(bsc#1109961)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released: Fri Nov 2 17:09:49 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:
- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c that could lead to crashes was fixed (bsc#1113660)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released: Fri Nov 2 18:59:06 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:
- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released: Wed Nov 7 11:04:00 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1095148,1113100
Description:
This update for rpm fixes the following issues:
- Fix superfluous TOC.
  dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released: Wed Nov 14 14:14:41 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)
Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump
  defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package. This script was part of the systemd-sysvinit sub-package, but that was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released: Thu Nov 22 16:25:38 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).
Non-security issues fixed:
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released: Fri Nov 23 17:07:27 2018
Summary: Security update for rpm
Type: security
Severity: important
References: 943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)
This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released: Fri Nov 23 17:08:32 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order.
(bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released: Tue Nov 27 13:39:49 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:
This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released: Mon Dec 3 15:34:09 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released: Wed Dec 5 09:29:31 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:
- Systemd-aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released: Wed Dec 5 09:57:54 2018
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:
- Allow setuid root for start-suid tool of singularity (group only) bsc#1028304
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247 bsc#1097665)
- Make btmp root:utmp (bsc#1050467)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released: Wed Dec 5 09:59:45 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:
- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released: Tue Dec 11 21:48:05 2018
Summary: Recommended update for blog
Type: recommended
Severity: moderate
References: 1071568
Description:
This update for blog fixes the following issues:
- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in the same manner as used by the release notes
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released: Mon Dec 17 08:51:28 2018
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2973-1
Released: Tue Dec 18 07:30:42 2018
Summary: Recommended update for libepubgen, libetonyek, liblangtag, libmwaw, libnumbertext, libreoffice, libstaroffice, libwps, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1050305,1094779,1096360,1104876
Description:
This update for LibreOffice, libepubgen, libetonyek, liblangtag, libmwaw, libnumbertext, libstaroffice, libwps, myspell-dictionaries, xmlsec1 fixes the following issues:
LibreOffice was updated to 6.1.3.2 (fate#326624) and contains new features and lots of bugfixes. The full changelog can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.1
Add more translations:
  * Belarusian
  * Bodo
  * Dogri
  * Frisian
  * Gaelic
  * Paraguayan_Guaran
  * Upper_Sorbian
  * Konkani
  * Kashmiri
  * Luxembourgish
  * Mongolian
  * Manipuri
  * Burmese
  * Occitan
  * Kinyarwanda
  * Santali
  * Sanskrit
  * Sindhi
  * Sidamo
  * Tatar
  * Uzbek
  * Upper Sorbian
  * Venetian
  * Amharic
  * Asturian
  * Tibetan
  * Bosnian
  * English GB
  * English ZA
  * Indonesian
  * Icelandic
  * Georgian
  * Khmer
  * Lao
  * Macedonian
  * Nepali
  * Oromo
  * Albanian
  * Tajik
  * Uyghur
  * Vietnamese
  * Kurdish
- Try to build all languages, see bsc#1096360
- Make sure to install the KDE5/Qt5 UI/filepicker
- Try to implement safeguarding to avoid bsc#1050305
- Disable base-drivers-mysql as it
  needs mysqlcppcon, which is only for mysql and not mariadb and causes issues, bsc#1094779
  * Users can still connect using jdbc/odbc
- Fix java detection on machines with too many cpus
libepubgen was updated to 0.1.1:
- Avoid inside or .
- Avoid writing vertical-align attribute without a value.
- Fix generation of invalid XHTML when there is a link starting at the beginning of a footnote.
- Handle relative width for images.
- Fixed layout: write chapter names to improve navigation.
- Support writing mode.
- Start a new HTML file at every page span in addition to the splits induced by the chosen split method. This is to ensure that the specified writing mode works correctly, as it is an HTML attribute.
libetonyek was updated to 0.1.8:
- More support for Keynote content
- Add support for Keynote 1 documents.
- Add support for Numbers 3 documents.
- Fix several issues found by oss-fuzz.
- Fix build with glm 0.9.9.
- Other fixes and improvements.
liblangtag was updated to 0.6.2:
- use standard function
- fix leak in test
libmwaw was updated to 0.3.14:
- Support MS Multiplan 1.1 files
libnumbertext was updated to 1.0.5:
- Various fixes in numerical calculations and issues reported on the libreoffice tracker
libstaroffice was updated to 0.0.6:
- retrieve some StarMath formulas,
- retrieve some charts as graphics,
- retrieve some fields in sda/sdc/sdp text-boxes,
- .sdw: retrieve more attachments.
libwps was updated to 0.4.9:
- QuattroPro: add parser for .wb3 files
- Multiplan: add parser for DOS v1-v3 files
- charts: try to retrieve charts in .wk*, .wq* files
- QuattroPro: add parser for .wb[12] files
myspell-dictionaries was updated to 20181025:
- Turkish dictionary added
- Updated French dictionary
xmlsec1 was updated to 1.2.26:
- Added xmlsec-mscng module based on Microsoft Cryptography API: Next Generation
- Added support for GOST 2012 and fixed CryptoPro CSP provider for GOST R 34.10-2001 in xmlsec-mscrypto
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:
- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released: Tue Jan 8 13:07:17 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:
- quote: Escape literal backslashes (bsc#953659).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:72-1
Released: Thu Jan 10 20:34:44 2019
Summary: Recommended update for apache2
Type: recommended
Severity: moderate
References: 1108989
Description:
This update for apache2 provides the following fix:
- Fix full scoreboard error.
(bsc#1108989)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Type: security
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:
Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released: Mon Jan 21 13:53:58 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:
Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)
Non-security issues fixed:
- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns an exit failure code when it detects the _none_ state.
  That exit failure code prevented the hot-added memory block from being set online. (bsc#1076696)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Type: recommended
Severity: important
References: 1121450
Description:
This update for ncurses fixes the following issues:
- ncurses applications freezing (bsc#1121450)

From sle-updates at lists.suse.com Thu Jan 16 10:00:07 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:00:07 +0100 (CET)
Subject: SUSE-CU-2019:728-1: Recommended update of caasp/v4/registry
Message-ID: <20200116170007.8C31CF798@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:728-1
Container Tags : caasp/v4/registry:2.6.2 , caasp/v4/registry:2.6.2-rev1 , caasp/v4/registry:2.6.2-rev1-build2.1 , caasp/v4/registry:beta1
Severity : low
Type : recommended
References :
-----------------------------------------------------------------
The container caasp/v4/registry was updated.
The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 10:00:40 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:00:40 +0100 (CET)
Subject: SUSE-CU-2019:730-1: Security update of caasp/v4/salt-api
Message-ID: <20200116170040.19FF1F798@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/salt-api
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:730-1
Container Tags : caasp/v4/salt-api:2018.3.0 , caasp/v4/salt-api:2018.3.0-rev1 , caasp/v4/salt-api:2018.3.0-rev1-build2.1 , caasp/v4/salt-api:beta1
Severity : important
Type : security
References : 1073748 1109847 1120149 1122191 CVE-2018-14647 CVE-2019-5010
-----------------------------------------------------------------
The container caasp/v4/salt-api was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:440-1
Released: Tue Feb 19 18:52:51 2019
Summary: Recommended update for dmidecode
Type: recommended
Severity: moderate
References: 1120149
Description:
This update for dmidecode fixes the following issues:
- Extensions to Memory Device (Type 17) (FATE#326831 bsc#1120149)
- Add 'Logical non-volatile device' to the memory device types (FATE#326831 bsc#1120149)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:482-1
Released: Mon Feb 25 11:57:46 2019
Summary: Security update for python
Type: security
Severity: important
References: 1073748,1109847,1122191,CVE-2018-14647,CVE-2019-5010
Description:
This update for python fixes the following issues:
Security issues fixed:
- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191).
- CVE-2018-14647: Fixed a denial-of-service vulnerability in Expat (bsc#1109847).
Non-security issue fixed:
- Fixed a bug where the PyWeakReference struct was not initialized correctly, leading to a crash (bsc#1073748).

From sle-updates at lists.suse.com Thu Jan 16 09:57:58 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:57:58 +0100 (CET)
Subject: SUSE-CU-2019:715-1: Recommended update of caasp/v4/sidecar
Message-ID: <20200116165758.2657AF796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/sidecar
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:715-1
Container Tags : caasp/v4/sidecar:1.14.1 , caasp/v4/sidecar:1.14.1-rev1 , caasp/v4/sidecar:1.14.1-rev1-build2.1 , caasp/v4/sidecar:beta1
Severity : low
Type : recommended
References :
-----------------------------------------------------------------
The container caasp/v4/sidecar was updated.
The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 09:52:28 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:52:28 +0100 (CET)
Subject: SUSE-CU-2020:16-1: Recommended update of suse/sles12sp4
Message-ID: <20200116165228.EE0FFF796@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:16-1
Container Tags : suse/sles12sp4:26.122 , suse/sles12sp4:latest
Severity : important
Type : recommended
References : 1155338 1155339
-----------------------------------------------------------------
The container suse/sles12sp4 was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:106-1
Released: Wed Jan 15 12:50:55 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1155338,1155339
Description:
This update for libgcrypt fixes the following issues:
- Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode
- Added CMAC AES and TDES FIPS self-tests (bsc#1155339, bsc#1155338)

From sle-updates at lists.suse.com Thu Jan 16 10:01:58 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:01:58 +0100 (CET)
Subject: SUSE-CU-2019:736-1: Security update of caasp/v4/skuba-tooling
Message-ID: <20200116170158.0A0B3F79E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/skuba-tooling
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:736-1
Container Tags : caasp/v4/skuba-tooling:0.1.0 , caasp/v4/skuba-tooling:0.1.0-rev3 , caasp/v4/skuba-tooling:0.1.0-rev3-build1.1 , caasp/v4/skuba-tooling:beta
Severity : important
Type : security
References : 1117993 1123710 1124847 1127223 1127308 1131330 1135123 1138939 1139083 1141093 CVE-2009-5155 CVE-2019-12900 CVE-2019-12904 CVE-2019-13050 CVE-2019-9169
-----------------------------------------------------------------
The container caasp/v4/skuba-tooling was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169
Description:
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).
Non-security issues fixed:
- No longer compress debug sections in crt*.o files (bsc#1123710)
- Fix a concurrency problem in ldconfig (bsc#1117993)
- Fix a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904
Description:
This update for libgcrypt fixes the following issues:
Security issue fixed:
- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123
Description:
This update for libxml2 fixes the following issues:
- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid the nodeset limit when processing large XML files.
(bsc#1135123)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900
Description:
This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050
Description:
This update for gpg2 fixes the following issues:
Security issue fixed:
- CVE-2019-13050: Fixed a denial of service attack via big keys (bsc#1141093).
Non-security issue fixed:
- Allow coredumps in X11 desktop sessions (bsc#1124847)

From sle-updates at lists.suse.com Thu Jan 16 09:59:12 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:59:12 +0100 (CET)
Subject: SUSE-CU-2019:723-1: Security update of caasp/v4/openldap
Message-ID: <20200116165912.0689EF796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/openldap
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:723-1
Container Tags : caasp/v4/openldap:2.4.41 , caasp/v4/openldap:2.4.41-rev1 , caasp/v4/openldap:2.4.41-rev1-build1.2
Severity : important
Type : security
References : 1000396 1000662 1000677 1001299 1001600 1001600 1001790 1001912 1002975 1003577 1003579 1003580 1003714 1003846 1003978 1004094 1004289 1004995 1004995 1004995 1005023 1005063 1005404 1005544 1005633 1005634 1005635 1005637 1005638 1005640 1005642 1005643 1005645 1005646 1006175 1006372 1006469 1006687 1006690 1007851 1008325 1009269 1009470 1009528 1009532 1009745 1009905 1009966 1010220 1010675 1010802 1010845 1010880 1012266
1012390 1012523 1012591 1012818 1012973 1013286 1013882 1013930 1013989 1014471 1014560 1014566 1014873 1015254 1015332 1015515 1015565 1015943 1017034 1017497 1018214 1018399 1019276 1019470 1019637 1019637 1019900 1020108 1020143 1020601 1021641 1022014 1022047 1022085 1022086 1022271 1023283 1023895 1024989 1025176 1025282 1025398 1025560 1025598 1025630 1025886 1026224 1026567 1026825 1027079 1027379 1027688 1027712 1027908 1027925 1028263 1028281 1028304 1028304 1028305 1028410 1028485 1028610 1028723 1029102 1029102 1029183 1029516 1029516 1029523 1029561 1029691 1029725 1029900 1029907 1029907 1029908 1029908 1029909 1029909 1029995 1030290 1030296 1030296 1030297 1030297 1030298 1030298 1030583 1030584 1030584 1030585 1030585 1030588 1030588 1030589 1030589 1030621 1031355 1031508 1031508 1031590 1031590 1031593 1031593 1031595 1031595 1031638 1031638 1031643 1031644 1031644 1031656 1031656 1031702 1031998 1032029 1032029 1032309 1032445 1032538 1032660 1032680 1033122 1033238 1033238 1033855 1034563 1034565 1035062 1035371 1035386 1035445 1035818 1036304 1036659 1036736 1036873 1036873 1037052 1037052 1037057 1037057 1037061 1037061 1037062 1037066 1037066 1037070 1037072 1037120 1037120 1037273 1037273 1037396 1037824 1037930 1038189 1038194 1038444 1038865 1038865 1038874 1038875 1038876 1038877 1038878 1038880 1038881 1038984 1038984 1039063 1039063 1039064 1039064 1039066 1039066 1039069 1039069 1039099 1039099 1039276 1039357 1039661 1039661 1039941 1040043 1040153 1040153 1040258 1040258 1040614 1040614 1040800 1040942 1040942 1040968 1040968 1040968 1041764 1042326 1042392 1042781 1043059 1043218 1043237 1043333 1043333 1043580 1043615 1043758 1043758 1043886 1043900 1043900 1044095 1044107 1044175 1044337 1044840 1044887 1044891 1044891 1044894 1044897 1044897 1044901 1044901 1044909 1044909 1044925 1044925 1044927 1044927 1045092 1045290 1045290 1045384 1045472 1045628 1045735 1045735 1045735 1045943 1045987 1046094 1046173 1046173 1046268 1046417 
1046607 1046659 1046750 1046750 1046853 1046853 1046858 1046858 1047008 1047178 1047233 1047236 1047240 1047247 1047379 1047785 1047785 1047937 1047964 1047965 1048315 1048510 1048605 1048605 1048645 1048679 1049344 1049825 1050152 1050467 1050767 1050943 1051042 1051465 1051626 1051643 1051644 1051791 1052061 1052261 1052496 1052503 1052507 1052509 1052511 1052514 1052518 1053137 1053188 1053347 1053409 1053595 1053671 1054028 1054088 1054171 1054671 1055446 1055641 1055825 1055920 1056058 1056126 1056127 1056127 1056128 1056128 1056129 1056129 1056131 1056131 1056132 1056132 1056136 1056136 1056312 1056381 1056437 1056437 1056449 1056450 1056995 1057139 1057144 1057149 1057150 1057188 1057452 1057634 1057640 1057662 1057721 1057724 1057900 1057974 1058480 1058695 1058722 1058783 1059050 1059065 1059723 1060599 1060621 1060653 1060738 1061241 1061384 1061667 1061876 1062303 1062561 1062591 1062592 1063051 1063249 1063269 1063675 1063824 1063910 1064397 1064455 1064455 1064455 1064569 1064580 1064583 1064999 1065083 1065274 1065276 1065363 1065448 1065448 1065643 1065689 1065693 1066156 1066242 1066422 1066500 1067312 1067605 1067891 1068251 1068565 1068565 1068588 1068640 1068643 1068708 1068887 1068888 1068950 1068967 1069176 1069202 1069222 1069226 1069468 1069934 1070209 1070428 1070431 1070431 1070851 1070878 1070905 1070958 1071224 1071311 1071319 1071321 1071466 1071558 1071568 1071698 1071905 1071906 1072947 1072947 1073231 1073313 1073879 1073990 1074254 1074293 1074293 1074621 1074687 1074741 1075418 1075449 1075724 1075743 1075801 1075804 1075978 1076035 1076035 1076035 1076192 1076308 1076415 1076696 1076810 1076832 1076909 1077001 1077635 1077692 1077745 1077787 1077787 1077925 1077993 1078358 1078662 1078662 1078806 1078813 1079036 1079103 1079334 1079741 1079991 1080078 1080382 1080556 1080740 1080740 1080964 1080964 1080964 1081170 1081294 1081527 1081556 1081725 1082004 1082216 1082216 1082216 1082233 1082233 1082233 1082234 1082234 1082234 1082318 
1082485 1082485 1083158 1083290 1083528 1083532 1083926 1083927 1083946 1084300 1084300 1084521 1084524 1084532 1084626 1084812 1084812 1084842 1085062 1085432 1085784 1086247 1086602 1086608 1086690 1086784 1086785 1086786 1086788 1086825 1087102 1087323 1087550 1087550 1087930 1088052 1088279 1088601 1088705 1088769 1088890 1088921 1089039 1089533 1089640 1089761 1089761 1089884 1090638 1090638 1090765 1090766 1090766 1090766 1090785 1090944 1090997 1091015 1091265 1091365 1091368 1091624 1091677 1092098 1092100 1092100 1092413 1092640 1092640 1093753 1093851 1094121 1094150 1094154 1094161 1094222 1095096 1095148 1096282 1096282 1096282 1096718 1096718 1096745 1096803 1097158 1097410 1097410 1097410 1097624 1097665 1098592 1099310 1099310 1099310 1099452 1099847 1099982 1100028 1101040 1101246 1101349 1101470 1101591 1102046 1102429 1102564 1103910 1104789 1105031 1105166 1105236 1106019 1106197 1106914 1106923 1107430 1107640 1107941 1108835 1109197 1109252 1109877 1110445 1110661 1111251 1111278 1111965 1112024 1112209 1112758 1112858 1113083 1113100 1113117 1113125 1113534 1113632 1113652 1113660 1113665 1113742 1114981 1115518 1115929 1117355 1119971 1120323 1120489 1121450 360993 408814 437293 445037 546106 556664 561142 578249 590820 658010 661410 675317 691290 698346 713504 776968 825385 829717 830805 863764 874665 888308 889138 889990 892431 894610 896202 896435 897422 898003 899524 899871 900275 900276 901202 901845 901924 902364 902367 902676 902677 903543 903655 905483 905735 905736 906574 906574 906803 906858 907074 907456 908128 908516 909195 909418 910252 910252 910253 910253 911228 911363 911662 912229 912715 912922 913209 913650 913651 915402 915846 917152 917169 918089 918090 918346 919274 920057 920057 920386 921070 922534 923241 924525 924687 924960 924960 926412 926826 927556 927607 927608 927746 927993 928292 928533 928740 929919 930176 931932 932232 932894 933029 933288 933288 933336 933878 933878 934333 934689 934920 936050 936227 936227 
936676 937823 938343 938657 938658 939392 939460 940315 942865 942865 943457 943457 944903 945340 945842 945899 949066 950777 952151 952347 953130 953532 953659 953807 953831 954002 954210 954661 955382 955753 955770 957566 957566 957567 957567 957598 957598 957600 957600 958369 958562 959693 960273 960820 960837 960837 961964 962765 962983 962996 963290 963448 963942 964063 964468 965322 965780 965902 966220 967026 967082 967728 967838 968771 969569 970239 970239 970260 970882 971741 971741 972127 972127 972331 974655 974655 974691 978055 979261 979436 979441 979629 979906 980391 980486 980722 980722 981114 981616 982303 982303 983206 983215 983216 983754 984906 984958 985642 986216 986216 986783 986935 987887 988311 989788 989831 990189 990190 990191 990538 990856 991389 991390 991391 991443 991746 991901 992966 994157 994794 994989 994989 995936 996511 997043 997420 997682 998760 998893 998906 999735 999878 CVE-2012-6702 CVE-2013-6435 CVE-2014-3591 CVE-2014-3707 CVE-2014-3710 CVE-2014-8116 CVE-2014-8116 CVE-2014-8117 CVE-2014-8117 CVE-2014-8118 CVE-2014-8150 CVE-2014-8484 CVE-2014-8485 CVE-2014-8501 CVE-2014-8502 CVE-2014-8503 CVE-2014-8504 CVE-2014-8737 CVE-2014-8738 CVE-2014-8964 CVE-2014-8964 CVE-2014-9087 CVE-2014-9112 CVE-2014-9447 CVE-2014-9620 CVE-2014-9621 CVE-2014-9653 CVE-2014-9939 CVE-2014-9939 CVE-2015-0247 CVE-2015-0837 CVE-2015-1283 CVE-2015-1572 CVE-2015-1606 CVE-2015-1607 CVE-2015-1782 CVE-2015-2059 CVE-2015-2325 CVE-2015-2325 CVE-2015-2327 CVE-2015-2327 CVE-2015-2328 CVE-2015-2328 CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148 CVE-2015-3153 CVE-2015-3210 CVE-2015-3210 CVE-2015-3217 CVE-2015-3217 CVE-2015-3238 CVE-2015-5073 CVE-2015-5073 CVE-2015-5276 CVE-2015-7511 CVE-2015-8079 CVE-2015-8380 CVE-2015-8380 CVE-2015-8381 CVE-2015-8381 CVE-2015-8382 CVE-2015-8382 CVE-2015-8383 CVE-2015-8383 CVE-2015-8384 CVE-2015-8384 CVE-2015-8385 CVE-2015-8385 CVE-2015-8386 CVE-2015-8386 CVE-2015-8387 CVE-2015-8387 CVE-2015-8388 CVE-2015-8388 
CVE-2015-8389 CVE-2015-8389 CVE-2015-8390 CVE-2015-8390 CVE-2015-8391 CVE-2015-8391 CVE-2015-8392 CVE-2015-8392 CVE-2015-8393 CVE-2015-8393 CVE-2015-8394 CVE-2015-8394 CVE-2015-8395 CVE-2015-8395 CVE-2015-8853 CVE-2015-8948 CVE-2016-0634 CVE-2016-0718 CVE-2016-0755 CVE-2016-0787 CVE-2016-10156 CVE-2016-1238 CVE-2016-1283 CVE-2016-1283 CVE-2016-1839 CVE-2016-2037 CVE-2016-2381 CVE-2016-3191 CVE-2016-3191 CVE-2016-4574 CVE-2016-4579 CVE-2016-4658 CVE-2016-4912 CVE-2016-4912 CVE-2016-5131 CVE-2016-5300 CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 CVE-2016-6185 CVE-2016-6252 CVE-2016-6252 CVE-2016-6252 CVE-2016-6261 CVE-2016-6262 CVE-2016-6263 CVE-2016-6313 CVE-2016-6318 CVE-2016-6354 CVE-2016-7055 CVE-2016-7141 CVE-2016-7167 CVE-2016-7543 CVE-2016-7567 CVE-2016-7567 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-9063 CVE-2016-9318 CVE-2016-9401 CVE-2016-9586 CVE-2016-9597 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 CVE-2017-0663 CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254 CVE-2017-1000257 CVE-2017-1000366 CVE-2017-1000408 CVE-2017-1000409 CVE-2017-10684 CVE-2017-10684 CVE-2017-10685 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-11462 CVE-2017-12132 CVE-2017-12133 CVE-2017-12424 CVE-2017-12448 CVE-2017-12450 CVE-2017-12452 CVE-2017-12453 CVE-2017-12454 CVE-2017-12456 CVE-2017-12799 CVE-2017-12837 CVE-2017-12883 CVE-2017-13728 CVE-2017-13728 CVE-2017-13729 CVE-2017-13729 CVE-2017-13730 CVE-2017-13730 CVE-2017-13731 CVE-2017-13731 CVE-2017-13732 CVE-2017-13732 CVE-2017-13733 CVE-2017-13733 CVE-2017-13734 CVE-2017-13757 CVE-2017-14062 CVE-2017-14128 CVE-2017-14129 CVE-2017-14130 CVE-2017-14333 CVE-2017-14529 CVE-2017-14729 CVE-2017-14745 CVE-2017-14974 CVE-2017-15088 CVE-2017-15412 CVE-2017-15670 CVE-2017-15671 CVE-2017-15804 CVE-2017-15908 CVE-2017-15938 CVE-2017-15939 CVE-2017-15996 CVE-2017-16826 CVE-2017-16827 CVE-2017-16828 CVE-2017-16829 
CVE-2017-16830 CVE-2017-16831 CVE-2017-16832 CVE-2017-16997 CVE-2017-17740 CVE-2017-17833 CVE-2017-17833 CVE-2017-18078 CVE-2017-18258 CVE-2017-18269 CVE-2017-3731 CVE-2017-3732 CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 CVE-2017-5130 CVE-2017-5969 CVE-2017-6512 CVE-2017-6965 CVE-2017-6965 CVE-2017-6966 CVE-2017-6966 CVE-2017-6969 CVE-2017-6969 CVE-2017-7209 CVE-2017-7209 CVE-2017-7210 CVE-2017-7210 CVE-2017-7223 CVE-2017-7223 CVE-2017-7224 CVE-2017-7224 CVE-2017-7225 CVE-2017-7225 CVE-2017-7226 CVE-2017-7226 CVE-2017-7227 CVE-2017-7299 CVE-2017-7299 CVE-2017-7300 CVE-2017-7300 CVE-2017-7301 CVE-2017-7301 CVE-2017-7302 CVE-2017-7302 CVE-2017-7303 CVE-2017-7303 CVE-2017-7304 CVE-2017-7304 CVE-2017-7375 CVE-2017-7376 CVE-2017-7407 CVE-2017-7435 CVE-2017-7436 CVE-2017-7436 CVE-2017-7500 CVE-2017-7500 CVE-2017-7501 CVE-2017-7501 CVE-2017-7526 CVE-2017-7555 CVE-2017-7614 CVE-2017-8392 CVE-2017-8392 CVE-2017-8393 CVE-2017-8393 CVE-2017-8394 CVE-2017-8394 CVE-2017-8395 CVE-2017-8396 CVE-2017-8396 CVE-2017-8397 CVE-2017-8398 CVE-2017-8421 CVE-2017-8421 CVE-2017-8804 CVE-2017-8816 CVE-2017-8817 CVE-2017-8872 CVE-2017-9038 CVE-2017-9039 CVE-2017-9040 CVE-2017-9041 CVE-2017-9042 CVE-2017-9043 CVE-2017-9044 CVE-2017-9047 CVE-2017-9047 CVE-2017-9048 CVE-2017-9048 CVE-2017-9049 CVE-2017-9049 CVE-2017-9050 CVE-2017-9050 CVE-2017-9217 CVE-2017-9217 CVE-2017-9233 CVE-2017-9269 CVE-2017-9269 CVE-2017-9287 CVE-2017-9445 CVE-2017-9445 CVE-2017-9526 CVE-2017-9746 CVE-2017-9746 CVE-2017-9747 CVE-2017-9747 CVE-2017-9748 CVE-2017-9748 CVE-2017-9750 CVE-2017-9750 CVE-2017-9755 CVE-2017-9755 CVE-2017-9756 CVE-2017-9756 CVE-2017-9954 CVE-2017-9955 CVE-2018-0495 CVE-2018-0495 CVE-2018-0495 CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-0739 CVE-2018-1000001 CVE-2018-1000001 CVE-2018-1000007 CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000301 CVE-2018-10372 CVE-2018-10373 CVE-2018-1049 CVE-2018-10534 CVE-2018-10535 CVE-2018-1122 CVE-2018-1122 CVE-2018-1123 
CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1124 CVE-2018-1125 CVE-2018-1125 CVE-2018-1126 CVE-2018-1126 CVE-2018-12015 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-19211 CVE-2018-20217 CVE-2018-5407 CVE-2018-5729 CVE-2018-5730 CVE-2018-6003 CVE-2018-6323 CVE-2018-6485 CVE-2018-6543 CVE-2018-6551 CVE-2018-6759 CVE-2018-6797 CVE-2018-6797 CVE-2018-6797 CVE-2018-6798 CVE-2018-6798 CVE-2018-6798 CVE-2018-6872 CVE-2018-6913 CVE-2018-6913 CVE-2018-6913 CVE-2018-7169 CVE-2018-7208 CVE-2018-7568 CVE-2018-7569 CVE-2018-7570 CVE-2018-7642 CVE-2018-7643 CVE-2018-7685 CVE-2018-7738 CVE-2018-7738 CVE-2018-8945 CVE-2018-9251
-----------------------------------------------------------------
The container caasp/v4/openldap was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.
This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).
This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Type: security
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Type: security
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Type: security
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, which broke files with spaces.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:44-1
Released: Tue Jan 20 00:18:26 2015
Summary: Security update for binutils
Type: security
Severity: moderate
References: 902676,902677,903655,905735,905736,CVE-2014-8484,CVE-2014-8485,CVE-2014-8501,CVE-2014-8502,CVE-2014-8503,CVE-2014-8504,CVE-2014-8737,CVE-2014-8738
Description:
This binutils update fixes the following security issues:
- bnc#902676: lack of range checking leading to controlled write in _bfd_elf_setup_sections() (CVE-2014-8485)
- bnc#902677: invalid read flaw in libbfd (CVE-2014-8484)
- bnc#903655: Multiple memory corruption issues in binary parsers of libbfd (CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504)
- bnc#905735: Out-of-bounds memory write while processing a crafted 'ar' archive (CVE-2014-8738)
- bnc#905736: Directory traversal vulnerability allowing random file deletion/creation (CVE-2014-8737)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.
This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released: Tue Feb 3 14:51:17 2015
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 913209
Description:
curl was updated to fix problems when operating in FIPS mode. This patch re-enables the following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released: Tue Feb 3 16:30:16 2015
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:274-1
Released: Mon Feb 23 22:21:35 2015
Summary: Recommended update for openslp
Type: recommended
Severity: moderate
References: 909195
Description:
This update for openslp provides the following fixes:
- Fix storage handling in predicate code. It clashed with gcc's fortify_source extension and this could cause a segmentation fault.
- Bring back allowDoubleEqualInPredicate option.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.
CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer over-read and a crash of the application using libssh2_org.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.
The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of boundary
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.
libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)
FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and support for them in the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Type: security
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:
Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Type: recommended
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.
It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Type: optional
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.
Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.
This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes.
The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).
The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes.
Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:
Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)
Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin).
The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'.
In both cases, sed will read from the standard input and no longer from a file named '-'.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Type: recommended
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-UTF-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:663-1
Released: Wed Oct 7 16:01:20 2015
Summary: Optional update for binutils
Type: optional
Severity: low
References: 949066
Description:
ARM64 (aarch64) binaries produced by the binutils 2.25 gold linker had incorrect (4k) section alignment. As a result, those binaries could not be mapped when being executed on a SLE 12 kernel. This update adjusts the section alignment to 64k, as required by the ABI.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Type: security
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed integer overflow, out-of-bounds read and stack overflow issues (bsc#926826).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Type: recommended
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released: Fri Jan 8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type: recommended
Severity: moderate
References: 932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.
The various GNOME libraries and tools have been changed to use the default libgcrypt allocators.
GNOME keyring was changed not to use MD5 anymore.
libgcrypt was adjusted to free the DRBG on exit to avoid crashes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released: Thu Feb 4 15:51:22 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)
The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time
The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:291-1
Released: Fri Feb 19 19:31:54 2016
Summary: Recommended update for openslp
Type: recommended
Severity: low
References: 950777
Description:
This update for OpenSLP adjusts slpd's initialization to use SystemD's forking mechanism, avoiding stale PID files after the daemon is stopped.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released: Thu Mar 3 15:58:18 2016
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 960820
Description:
This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:
Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation led to much shorter DH secrets than needed, which could be used to retrieve session keys.
A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)
Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Type: recommended
Severity: low
References: 967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released: Fri Apr 1 18:44:16 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released: Wed Apr 6 16:26:42 2016
Summary: Security update for gcc5
Type: security
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.
The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness.
(CVE-2015-5276, bsc#945842)
The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.
This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Type: recommended
Severity: low
References: 970260
Description:
This update for bzip2 fixes the following issues:
- Fix the bzgrep wrapper, which always returned exit code 0 when working on multiple archives, even when the pattern was not found.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Type: recommended
Severity: important
References: 974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released: Thu May 19 22:38:01 2016
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 915846
Description:
This update for curl fixes the following issue:
- Fix the 'Network is unreachable' error when IPv6 is not available but IPv4 is. This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 979629
Description:
This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing the fips pattern (bsc#979629)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released: Tue Jun 7 09:48:12 2016
Summary: Security update for expat
Type: security
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:
Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows.
(bnc#980391)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released: Tue Jun 7 10:58:37 2016
Summary: Security update for libksba
Type: security
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)
Also adds reliability fixes from v1.3.4.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 981616
Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released: Thu Jul 7 11:50:47 2016
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 986935
Description:
This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1152-1
Released: Thu Aug 4 15:02:18 2016
Summary: Recommended update for binutils
Type: recommended
Severity: low
References: 970239,985642
Description:
GNU Binutils was updated to version 2.26.1, which brings several fixes and enhancements:
- Add -mrelax-relocations on x86 but keep it disabled on old products.
- Add --fix-stm32l4xx-629360 to the ARM linker to enable a link-time workaround for a bug in the bus matrix / memory controller for some of the STM32 Cortex-M4 based products (STM32L4xx).
- Add a configure option --enable-compressed-debug-sections={all,ld} to decide whether DWARF debug sections should be compressed by default.
- Add support for the ARC EM/HS, and ARC600/700 architectures.
- Experimental support for linker garbage collection (--gc-sections) has been enabled for COFF and PE based targets.
- New command line option for ELF targets to compress DWARF debug sections, --compress-debug-sections=[none|zlib|zlib-gnu|zlib-gabi].
- New command line option, --orphan-handling=[place|warn|error|discard], to adjust how orphan sections are handled. The default is 'place' which gives the current behavior, 'warn' and 'error' issue a warning or error respectively when orphan sections are found, and 'discard' will discard all orphan sections.
- Add support for LLVM plugin.
- Add --print-memory-usage option to report memory blocks usage.
- Add --require-defined option, it's like --undefined except the new symbol must be defined by the end of the link.
- Add a configure option --enable-compressed-debug-sections={all,gas} to decide whether DWARF debug sections should be compressed by default.
- Add support for the ARC EM/HS, and ARC600/700 architectures. Remove assembler support for Argonaut RISC architectures.
- Add option to objcopy to insert new symbols into a file: --add-symbol name=[section:]value[,flags]
- Add support for the ARC EM/HS, and ARC600/700 architectures.
- Extend objcopy --compress-debug-sections option to support --compress-debug-sections=[none|zlib|zlib-gnu|zlib-gabi] for ELF targets.
- Add --update-section option to objcopy.
- Add --output-separator option to strings.
- Fix internal error when applying TLSDESC relocations with no TLS segment
- Fix wrong insn type for troo insn.
- Change default common-page-size to 64K on aarch64.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch.
(bsc#953532)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Type: security
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8 (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Type: security
Severity: moderate
References: 992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in the GECOS parser (bsc#992966 CVE-2016-6318)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Type: security
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger.
(bsc#932894)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Type: optional
Severity: low
References: 983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.
Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.
Generic Optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.
C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.
C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.
C++ improvements:
- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.
libstdc++ improvements:
- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS.
  The subset of checks enabled by the new macro has less run-time overhead than the full _GLIBCXX_DEBUG checks and doesn't affect the library ABI, so it can be enabled per translation unit.
Fortran improvements:
- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.
Architecture improvements:
- AArch64 received a lot of improvements.
IA-32/x86-64 improvements:
- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls.
  These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.
PowerPC / PowerPC64 / RS6000 improvements:
- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
  - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
  - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
  - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
  - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
  - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
  - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
  - -mpower9-minmax: Reserved for future development.
  - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.
S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension.
  This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
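Of the new GCC 6 diagnostics listed in this advisory, -Wmisleading-indentation is the one with the most direct security payoff. As an added illustration (not code from the advisory, from SUSE or from GCC), here is the pattern it flags: a second statement indented under an if that does not actually guard it, the structure of Apple's 2014 "goto fail" TLS bug, beside the corrected form. The functions verify_buggy and verify_fixed and their result codes are made up for this example; compile with gcc -Wall and GCC 6 or later warns on the unguarded goto.

```c
/* Added example, not part of the SUSE advisory or of GCC: the kind of
 * code -Wmisleading-indentation (enabled by -Wall in GCC 6) is meant to
 * flag, next to the corrected form. Function names and result codes are
 * constructed for illustration.
 *
 * Compile with: gcc -Wall -c example.c
 * GCC 6 or later reports the "goto fail;" line in verify_buggy, which is
 * indented as if guarded by the preceding if but is unconditional. */
#include <stdio.h>

#define ERR_BAD_SIGNATURE (-1)
#define ERR_BAD_HASH      (-2)

/* Buggy: the second statement under the if looks guarded but is not, so
 * control always jumps to fail. When the signature check passes, err is
 * still 0 and the function reports success without ever checking the
 * hash. This is the shape of the well-known "goto fail" TLS bug. */
int verify_buggy(int signature_ok, int hash_ok)
{
    int err = 0;

    if (!signature_ok)
        err = ERR_BAD_SIGNATURE;
        goto fail;                 /* always executed: hash check skipped */

    if (!hash_ok)
        err = ERR_BAD_HASH;

fail:
    return err;
}

/* Fixed: braces make the block structure match the indentation, so the
 * hash check is reached whenever the signature check passes. */
int verify_fixed(int signature_ok, int hash_ok)
{
    int err = 0;

    if (!signature_ok) {
        err = ERR_BAD_SIGNATURE;
        goto fail;
    }

    if (!hash_ok) {
        err = ERR_BAD_HASH;
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Good signature, bad hash: the buggy version wrongly reports success. */
    printf("buggy: %d\n", verify_buggy(1, 0));   /* 0  (accepted) */
    printf("fixed: %d\n", verify_fixed(1, 0));   /* -2 */
    return 0;
}
```

The warning is purely syntactic: it compares the indentation of the statement after an if/else/for/while body with the body itself, so it catches exactly the copy-paste and merge accidents that produce an unguarded goto or return, and it does so in the compiler rather than in code review.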
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)
Also the following bug was fixed:
- Fixed a performance issue (bsc#991746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1390-1
Released: Tue Sep 27 15:11:15 2016
Summary: Security update for flex, at, bogofilter, cyrus-imapd, kdelibs4, libQtWebKit4, libbonobo, mdbtools, netpbm, openslp, sgmltool, virtuoso, libqt5-qtwebkit
Type: security
Severity: moderate
References: 954210,990856,CVE-2015-8079,CVE-2016-6354
Description:
Various packages included vulnerable parsers generated by 'flex'. This update provides a fixed 'flex' package and also rebuilds of packages that might have security issues caused by the auto-generated code.
Flex itself was updated to fix a buffer overflow in the generated scanner (bsc#990856, CVE-2016-6354)
Packages that were rebuilt with the fixed flex:
- at
- bogofilter
- cyrus-imapd
- kdelibs4
- libQtWebKit4
- libbonobo
- mdbtools
- netpbm
- openslp
- sgmltool
- virtuoso
Also libqt5-qtwebkit received an additional security fix:
- CVE-2015-8079: QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode (bsc#954210).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1565-1
Released: Thu Oct 27 13:06:35 2016
Summary: Security update for openslp
Type: security
Severity: moderate
References: 1001600,974655,980722,994989,CVE-2016-4912,CVE-2016-7567
Description:
This update for openslp fixes two security issues and two bugs.
The following vulnerabilities were fixed:
- CVE-2016-4912: A remote attacker could have crashed the server with a large number of packets (bsc#980722)
- CVE-2016-7567: A remote attacker could cause a memory corruption having unspecified impact (bsc#1001600)
The following bugfix changes are included:
- bsc#994989: Removed convenience code that changed bytes in the message buffer, breaking the verification code
- bsc#974655: Removed no longer needed slpd init file
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released: Wed Nov 2 12:07:51 2016
Summary: Security update for curl
Type: security
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released: Mon Nov 7 20:01:31 2016
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1002975
Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in the %files section. (bsc#1002975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1006469,958369,979436
Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server.
(bsc#958369)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1744-1
Released: Fri Dec 2 11:42:41 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.
These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1782-1 Released: Fri Dec 9 13:35:02 2016 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1001790,1004289,1005404,1006372,1006690,989831,991443 Description: This update for systemd provides the following fixes: - Allow to redirect confirmation messages to a different console. (bsc#1006690) - Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831) - Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289) - Don't emit space usage message right after opening the persistent journal. (bsc#991443) - Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. 
(bsc#1006372) - Document that *KeyIgnoreInhibited only apply to a subset of locks. - Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404) - Revert 'kbd-model-map: add more mappings offered by Yast'. - Don't busy loop when we get a notification message we can't process. - Rename kbd-model-map-extra into kbd-model-map.legacy. - Add kbd-model-map-extra file which contains the additional maps needed by YaST. - Drop localfs.service: unused and not needed anymore. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1827-1 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). 
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). 
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1863-1 Released: Wed Dec 21 10:41:35 2016 Summary: Recommended updated for pth Type: recommended Severity: low References: 1013286 Description: This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2-1 Released: Mon Jan 2 08:35:08 2017 Summary: Security update for zlib Type: security Severity: moderate References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843 Description: This update for zlib fixes the following issues: CVE-2016-9843: Big-endian out-of-bounds pointer CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579) Incompatible declarations for external linkage function deflate (bsc#1003577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:6-1 Released: Tue Jan 3 15:01:58 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538 Description: This update for systemd fixes the following issues: - core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340) - fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989) - coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591) - Ship kbd-model-map with the correct contents. (bsc#1015515) - rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538) - tmpfiles: Don't skip path_set_perms on error. (bsc#953807) - nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390) - systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. 
(bsc#1012818) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:32-1 Released: Mon Jan 9 11:50:42 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 994794 Description: This update for dirmngr enables support for daemon mode. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:47-1 Released: Wed Jan 11 11:42:43 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1018214,1018399 Description: This update for systemd fixes the following two issues: - A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399) - Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:98-1 Released: Thu Jan 19 10:17:55 2017 Summary: Recommended update for kmod Type: recommended Severity: low References: 998906 Description: This update for kmod fixes a rare race condition while loading modules. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:149-1 Released: Wed Jan 25 09:17:08 2017 Summary: Security update for systemd Type: security Severity: important References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156 Description: This update for systemd fixes the following issues: This security issue was fixed: - CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601). 
These non-security issues were fixed: - Fix permission set on /var/lib/systemd/linger/* - install: follow config_path symlink (#3362) - install: fix disable when /etc/systemd/system is a symlink (bsc#1014560) - run: make --slice= work in conjunction with --scope (bsc#1014566) - core: don't dispatch load queue when setting Slice= for transient units - systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266) - rule: don't automatically online standby memory on s390x (bsc#997682) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:185-1 Released: Thu Feb 2 18:22:37 2017 Summary: Security update for cpio Type: security Severity: moderate References: 1020108,963448,CVE-2016-2037 Description: This update for cpio fixes two issues. This security issue was fixed: - CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448). This non-security issue was fixed: - bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:192-1 Released: Fri Feb 3 18:46:05 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597 Description: This update for libxml2 fixes the following issues: * CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544] * Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873] * CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497). For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. 
Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:209-1 Released: Tue Feb 7 17:00:47 2017 Summary: Recommended update for libseccomp Type: recommended Severity: low References: 1019900 Description: This update provides libseccomp version 2.3.1 which fixes the following issues: - Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900) - Fixed problems with ipc syscalls on 32-bit x86 - Fixed problems with socket and ipc syscalls on s390 and s390x ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:212-1 Released: Wed Feb 8 13:07:24 2017 Summary: Security update for expat Type: security Severity: moderate References: 983215,983216,CVE-2012-6702,CVE-2016-5300 Description: This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. 
(bsc#983216) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:228-1 Released: Fri Feb 10 15:39:32 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732 Description: This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641) Security issues fixed: - CVE-2016-7055: The x86_64 optimized montgomery multiplication may produce incorrect results (bsc#1009528) - CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085) - CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086) - Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912) Non-security issues fixed: - fix crash in openssl speed (bsc#1000677) - fix X509_CERT_FILE path (bsc#1022271) - AES XTS key parts must not be identical in FIPS mode (bsc#1019637) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:261-1 Released: Mon Feb 20 11:00:28 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1019276 Description: This update for dirmngr fixes the following issues: - Properly initialize the dirmngr tmpfilesd files right away and not just during reboot - Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276) - Proprely require logrotate as we need it for the dirmngr configs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:365-1 Released: Fri Mar 10 15:16:59 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1006175 Description: This update for sg3_utils fixes the following issue: - Add udev rules to handle legacy CCISS devices (bsc#1006175) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:389-1 Released: Thu Mar 
16 14:16:43 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004094,1006687,1019470,1022014,1022047,1025598,995936 Description: This update for systemd provides the following fixes: - core: Fix memory leak in transient units. (bsc#1025598) - core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687) - sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014) - journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094) - core: Downgrade warning about duplicate device names. (bsc#1022047) - units: Remove no longer needed ldconfig service. (bsc#1019470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:439-1 Released: Tue Mar 21 10:48:47 2017 Summary: Recommended update for netcfg Type: recommended Severity: low References: 1028305,959693 Description: This update for netcfg provides the following fixes: - Update script to generate services to use UTF8 by default. (bsc#1028305) - Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:462-1 Released: Fri Mar 24 21:58:07 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1012973,1015943,1017034,1023283,1025560,1025630 Description: This update for lvm2 fixes the following issues: - Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630) - Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560) - Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034) - Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973) - Add systemd_requires to device-mapper package. 
(bsc#1015943) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:464-1 Released: Mon Mar 27 15:50:51 2017 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1007851,1029725,1029900 Description: This update for glibc fixes a potential segmentation fault in libpthread: - Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:580-1 Released: Wed Apr 12 23:58:47 2017 Summary: Recommended update for cpio Type: recommended Severity: important References: 1028410 Description: This update for cpio fixes the following issues: - A regression caused cpio to crash for tar and ustar archive types [bsc#1028410] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:589-1 Released: Thu Apr 13 13:12:45 2017 Summary: Recommended update for libtool Type: recommended Severity: moderate References: 1010802 Description: This update for libtool prevents a segmentation fault caused by insufficient error handling on out-of-memory situations. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:609-1 Released: Tue Apr 18 11:28:14 2017 Summary: Security update for curl Type: security Severity: moderate References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407 Description: This update for curl fixes the following issues: Security issue fixed: - CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332) - CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309). 
With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:732-1 Released: Wed May 10 14:03:43 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1030621 Description: This update for procps fixes the following issues: - Command w(1) with option -n doesn't work. (bsc#1030621) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:735-1 Released: Wed May 10 15:43:46 2017 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1036736,986783 Description: This update for gpg2 provides the following fixes: - Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736) - Initialize the trustdb before import attempt. (bsc#986783) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:751-1 Released: Thu May 11 17:14:30 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770 Description: This update for systemd provides the following fixes: - logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355) - importd: Support SUSE style checksums. (fate#322054) - journal: Don't remove leading spaces. (bsc#1033855) - Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565) - hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220) - logind: Restart logind on package update only on SLE12 distros. (bsc#1032660) - core: Treat masked files as 'unchanged'. (bsc#1032538) - units: Move Before deps for quota services to remote-fs.target. (bsc#1028263) - udev: Support predictable ifnames on vio buses. (bsc#1029183) - udev: Add a persistent rule for ibmvnic devices. 
(bsc#1029183) - units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398) - core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610) - vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691) - udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886) - Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:794-1 Released: Tue May 16 15:41:09 2017 Summary: Security update for bash Type: security Severity: moderate References: 1010845,1035371,CVE-2016-9401 Description: This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:799-1 Released: Wed May 17 00:21:13 2017 Summary: Recommended update for glibc Type: recommended Severity: low References: 1026224,1035445 Description: This update for glibc introduces basic support for IBM POWER9 systems. Additionally, an improper assert in dlclose() has been removed. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:865-1 Released: Wed May 24 16:23:20 2017 Summary: Security update for pam Type: security Severity: moderate References: 1015565,1037824,934920,CVE-2015-3238 Description: This update for pam fixes the following issues: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565). - If /etc/nologin is present, but empty, log a hint to syslog. 
(bsc#1015565) - Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:873-1 Released: Fri May 26 16:19:47 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1009532,960273 Description: This update for e2fsprogs provides the following fixes: - Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532) - Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:877-1 Released: Mon May 29 15:11:48 2017 Summary: Recommended update for cryptsetup Type: recommended Severity: low References: 1031998 Description: This update for cryptsetup provides the following fix: - Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:891-1 Released: Tue May 30 22:28:21 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following issues: - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064) - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. 
(bsc#1039066) - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661) - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:907-1 Released: Thu Jun 1 14:23:36 2017 Summary: Recommended update for shadow Type: recommended Severity: low References: 1003978,1031643 Description: This update for shadow fixes the following issues: - Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643) - useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID was iterated to find an available UID/GID. This could take long time over a network device. Instead, find available UID/GID locally, and then check only those values over network. (bsc#1003978) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:918-1 Released: Tue Jun 6 12:35:44 2017 Summary: Recommended update for libsemanage, selinux-policy Type: recommended Severity: moderate References: 1020143,1032445,1035818,1038189 Description: This update for libsemanage, selinux-policy fixes the following issues: - Limit to policy version 29 by default. 
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:939-1 Released: Mon Jun 12 10:56:22 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following security issues: * CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661) * CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066) * CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063) * CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:959-1 Released: Wed Jun 14 14:38:11 2017 Summary: Recommended update for gcc5 Type: recommended Severity: low References: 1043580 Description: This update for gcc5 fixes the version of libffi in its pkg-config configuration file. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:962-1 Released: Wed Jun 14 16:33:07 2017 Summary: Security update for openldap2 Type: security Severity: moderate References: 1009470,1037396,1041764,972331,CVE-2017-9287 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764) Non security bugs fixed: - Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. 
  (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released: Mon Jun 19 14:57:41 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:

- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released: Mon Jun 19 17:19:44 2017
Summary: Security update for glibc
Type: security
Severity: important
References: 1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:

- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357]
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released: Fri Jun 23 16:38:55 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1038194
Description:
This update for e2fsprogs provides the following fixes:

- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released: Mon Jun 26 08:12:24 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:

* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released: Mon Jun 26 13:22:26 2017
Summary: Recommended update for libsemanage, policycoreutils
Type: recommended
Severity: low
References: 1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:

- Show version numbers of modules where they are available (bsc#1043237)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released: Fri Jun 30 10:54:06 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1045943
Description:
This update for dirmngr provides the following fix:

- Change logrotate from Requires to Recommends (bsc#1045943)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released: Fri Jun 30 15:36:17 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:

* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released: Tue Jul 4 16:13:55 2017
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:

Security issue fixed:

- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)

The update also fixed several non-security bugs:

- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released: Thu Jul 6 11:37:18 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:

- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released: Fri Jul 7 11:23:20 2017
Summary: Recommended update for ncurses
Type: security
Severity: important
References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)

Bugfixes:

- Drop patch ncurses-5.9-environment.dif, as the YaST2 ncurses GUI no longer needs it and it causes bug bsc#1000662

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1124-1
Released: Fri Jul 7 19:32:38 2017
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1031508
Description:
This update for binutils fixes an issue that prevented ld(1) from correctly linking the 32 bit version of libclntshcore.so.12.1 from the Oracle 12 Client.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released: Fri Jul 14 17:20:26 2017
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1031702
Description:
This update for openldap2 provides the following fix:

- Fix a regression in handling of non-blocking connections (bsc#1031702)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released: Wed Jul 19 11:12:51 2017
Summary: Security update for systemd, dracut
Type: security
Severity: important
References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:

Security issues fixed:

- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

Non-security issues fixed in systemd:

- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

Non-security issues fixed in dracut:

- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft). (bsc#1037120)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1222-1
Released: Wed Jul 26 17:15:18 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1034563,1039941
Description:
This update for procps provides the following fixes:

- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1245-1
Released: Thu Aug 3 10:43:15 2017
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445
Description:
This update for systemd provides several fixes and enhancements.

Security issues fixed:

- CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

The update also fixed several non-security bugs:

- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1250-1
Released: Thu Aug 3 13:49:24 2017
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1031508
Description:
This update for binutils fixes an issue that prevented ld(1) from correctly linking the 32 bit version of libclntshcore.so.12.1 from the Oracle 12 Client.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1268-1
Released: Mon Aug 7 10:09:19 2017
Summary: Recommended update for openssl
Type: recommended
Severity: moderate
References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364
Description:
This update for openssl fixes the following issues, including fixes for our ongoing FIPS 140-2 evaluation:

- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address the SWEET32 problem (bsc#1027908)
- Use the getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy, to comply with FIPS 140-2 IG 7.14 (bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environment variable (bsc#1028723)
- s_client sent empty client certificate (bsc#1028281)
  Add back certificate initialization set_cert_key_stuff() which was removed in a previous update.
- Fix a bug in XTS key handling (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1279-1
Released: Mon Aug 7 14:46:40 2017
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1316-1
Released: Thu Aug 10 13:54:27 2017
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1014471,1026825,1044840,938657
Description:
This update for cyrus-sasl provides the following fixes:

- Fix SASL GSSAPI mechanism acceptor wrongly returning zero maxbufsize
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message (bsc#1044840)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1326-1
Released: Fri Aug 11 16:59:04 2017
Summary: Security update for libxml2
Type: security
Severity: low
References: 1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:

- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1330-1
Released: Mon Aug 14 18:41:29 2017
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 954661
Description:
This update for sed provides the following fixes:

- Don't terminate with a segmentation fault if close of the last file descriptor fails. (bsc#954661)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2017:1333-1
Released: Tue Aug 15 17:59:30 2017
Summary: Optional update for libverto
Type: optional
Severity: low
References: 1029561
Description:
This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1334-1
Released: Tue Aug 15 20:09:03 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1048679,874665
Description:
This update for systemd fixes the following issues:

- compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464)
- timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1335-1
Released: Wed Aug 16 11:24:21 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101
Description:
This update for curl fixes the following issues:

- CVE-2017-1000100: TFTP sends more than buffer size, which could lead to a denial of service (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1347-1
Released: Fri Aug 18 11:03:57 2017
Summary: Recommended update for procps
Type: recommended
Severity: important
References: 1053409
Description:
This update for procps fixes the following issues:

- Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1349-1
Released: Fri Aug 18 12:31:07 2017
Summary: Recommended update for lua51
Type: recommended
Severity: low
References: 1051626
Description:
This update for lua51 provides the following fixes:

- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1390-1
Released: Fri Aug 25 15:14:27 2017
Summary: Security update for libzypp
Type: security
Severity: important
References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:

- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow triggering an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.

yast2-pkg-bindings:

- Do not crash when the repository URL is not defined. (bsc#1043218)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1419-1
Released: Wed Aug 30 15:38:22 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:

- CVE-2016-9063: Fixed a possible integer overflow inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1439-1
Released: Fri Sep 1 15:31:05 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1045384,1045987,1046268,1047379,1048605
Description:
This update for systemd fixes the following issues:

- Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1447-1
Released: Mon Sep 4 15:38:20 2017
Summary: Security update for libzypp, zypper
Type: security
Severity: important
References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:

- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)

zypper:

- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1450-1
Released: Mon Sep 4 16:36:07 2017
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 1035062,944903
Description:
This update for insserv-compat fixes the following issues:

- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1453-1
Released: Mon Sep 4 21:23:50 2017
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:

- libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null, which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- Fix a bug in gcry_drbg_healthcheck_sanity() which caused some of the tests to be skipped (bsc#1046659)
- dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1548-1
Released: Fri Sep 15 18:19:12 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:

- Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fall back to using sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates.
  (bsc#1009269)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1592-1
Released: Tue Sep 26 17:38:03 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1028485,1045628,978055,998893,999878
Description:
This update for lvm2 provides the following fixes:

- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1644-1
Released: Mon Oct 9 07:52:24 2017
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.

This security issue was fixed:

- CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995)

These non-security issues were fixed:

- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1663-1
Released: Tue Oct 10 12:05:09 2017
Summary: Recommended update for dbus-1
Type: recommended
Severity: moderate
References: 1043615,1046173
Description:
This update for dbus-1 provides the following fixes:

- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1703-1
Released: Tue Oct 17 13:20:12 2017
Summary: Recommended update for audit
Type: recommended
Severity: low
References: 1042781
Description:
This update for audit provides the following fix:

- Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1758-1
Released: Mon Oct 23 08:47:47 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)

Bugs fixed:

- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1796-1
Released: Fri Oct 27 21:25:06 2017
Summary: Recommended update for pcre
Type: recommended
Severity: moderate
References: 1058722
Description:
This update for pcre fixes the following issues:

- Fixed the pcre stack frame size detection, because modern compilers break it by cloning and inlining the pcre match() function (bsc#1058722)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1797-1
Released: Sat Oct 28 12:06:19 2017
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1048645,1060738
Description:
This update for permissions fixes the following issues:

- Allow users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. (bsc#1028304)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1826-1
Released: Wed Nov 8 08:47:17 2017
Summary: Security update for krb5
Type: security
Severity: important
References: 1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:

Security issues fixed:

- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1829-1
Released: Wed Nov 8 08:50:00 2017
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1023895,1052261,980486,CVE-2017-12424
Description:
This update for shadow fixes several issues.

This security issue was fixed:

- CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have led to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261).

These non-security issues were fixed:

- bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings
- bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1881-1
Released: Wed Nov 22 16:29:58 2017
Summary: Security update for file
Type: security
Severity: moderate
References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:
The GNU file utility was updated to version 5.22.

Security issues fixed:

- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)

Version update to file version 5.22

* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.

Version update to file version 5.21

* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads

Update to file version 5.20

* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support

Additional non-security bug fixes:

* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1903-1
Released: Fri Nov 24 16:19:37 2017
Summary: Security update for perl
Type: security
Severity: moderate
References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:

Security issues fixed:

- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)

Bug fixes:

- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1916-1
Released: Fri Nov 24 20:15:01 2017
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1043333,1059723
Description:
This update for libgcrypt provides the following fix:

- Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon. (bsc#1059723)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1917-1
Released: Mon Nov 27 13:32:07 2017
Summary: Optional update for gcc7
Type: recommended
Severity: low
References: 1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.

New features:

- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support.

The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 7, several bugs fixed, quite some new warnings added, and the error pin-pointing and fix-suggestions have been greatly improved.

The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1965-1
Released: Thu Nov 30 12:48:45 2017
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libsolv:

- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.

libzypp:

- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.

zypper:

- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands to support setting only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1966-1
Released:    Thu Nov 30 13:45:24 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249
Description:
This update for systemd fixes the following issues:

- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow specifying the generation number through the kernel command line.
- scsi_id: Fix up prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs check. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert the /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1968-1
Released:    Thu Nov 30 19:49:33 2017
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    low
References:  1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:

- Fix df(1) to no longer interact with excluded file system types, so that, for example, specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so that, for example, it no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1969-1
Released:    Thu Nov 30 19:50:53 2017
Summary:     Recommended update for libtool
Type:        recommended
Severity:    low
References:  1056381
Description:
This update for libtool provides the following fix:

- Add missing dependencies and provides to baselibs.conf to make sure libltdl libraries are properly installed. (bsc#1056381)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1970-1
Released:    Thu Nov 30 22:55:41 2017
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:

Security issues fixed:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1971-1
Released:    Thu Nov 30 22:58:14 2017
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1003846,1025282,1029907,1029908,1029909,1029995,1030296,1030297,1030298,1030583,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1033122,1037052,1037057,1037061,1037062,1037066,1037070,1037072,1037273,1038874,1038875,1038876,1038877,1038878,1038880,1038881,1044891,1044897,1044901,1044909,1044925,1044927,1046094,1052061,1052496,1052503,1052507,1052509,1052511,1052514,1052518,1053347,1056312,1056437,1057139,1057144,1057149,1058480,1059050,1060599,1060621,1061241,437293,445037,546106,561142,578249,590820,691290,698346,713504,776968,863764,938658,970239,CVE-2014-9939,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7227,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-7614,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8395,CVE-2017-8396,CVE-2017-8397,CVE-2017-8398,CVE-2017-8421,CVE-2017-9038,CVE-2017-9039,CVE-2017-9040,CVE-2017-9041,CVE-2017-9042,CVE-2017-9043,CVE-2017-9044,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2017-9954,CVE-2017-9955
Description:
GNU binutils was updated to the 2.29.1 release, bringing various new features and fixing a lot of bugs and security issues.

The following security issues are addressed by this release:
* 18750 bsc#1030296 CVE-2014-9939
* 20891 bsc#1030585 CVE-2017-7225
* 20892 bsc#1030588 CVE-2017-7224
* 20898 bsc#1030589 CVE-2017-7223
* 20905 bsc#1030584 CVE-2017-7226
* 20908 bsc#1031644 CVE-2017-7299
* 20909 bsc#1031656 CVE-2017-7300
* 20921 bsc#1031595 CVE-2017-7302
* 20922 bsc#1031593 CVE-2017-7303
* 20924 bsc#1031638 CVE-2017-7301
* 20931 bsc#1031590 CVE-2017-7304
* 21135 bsc#1030298 CVE-2017-7209
* 21137 bsc#1029909 CVE-2017-6965
* 21139 bsc#1029908 CVE-2017-6966
* 21156 bsc#1029907 CVE-2017-6969
* 21157 bsc#1030297 CVE-2017-7210
* 21409 bsc#1037052 CVE-2017-8392
* 21412 bsc#1037057 CVE-2017-8393
* 21414 bsc#1037061 CVE-2017-8394
* 21432 bsc#1037066 CVE-2017-8396
* 21440 bsc#1037273 CVE-2017-8421
* 21580 bsc#1044891 CVE-2017-9746
* 21581 bsc#1044897 CVE-2017-9747
* 21582 bsc#1044901 CVE-2017-9748
* 21587 bsc#1044909 CVE-2017-9750
* 21594 bsc#1044925 CVE-2017-9755
* 21595 bsc#1044927 CVE-2017-9756
* 21787 bsc#1052518 CVE-2017-12448
* 21813 bsc#1052503 CVE-2017-12456, bsc#1052507 CVE-2017-12454, bsc#1052509 CVE-2017-12453, bsc#1052511 CVE-2017-12452, bsc#1052514 CVE-2017-12450
* 21933 bsc#1053347 CVE-2017-12799
* 21990 bsc#1058480 CVE-2017-14333
* 22018 bsc#1056312 CVE-2017-13757
* 22047 bsc#1057144 CVE-2017-14129
* 22058 bsc#1057149 CVE-2017-14130
* 22059 bsc#1057139 CVE-2017-14128
* 22113 bsc#1059050 CVE-2017-14529
* 22148 bsc#1060599 CVE-2017-14745
* 22163 bsc#1061241 CVE-2017-14974
* 22170 bsc#1060621 CVE-2017-14729

Update to binutils 2.29. [fate#321454, fate#321494, fate#323293]:
* The MIPS port now supports microMIPS eXtended Physical Addressing (XPA) instructions for assembly and disassembly.
* The MIPS port now supports the microMIPS Release 5 ISA for assembly and disassembly.
* The MIPS port now supports the Imagination interAptiv MR2 processor, which implements the MIPS32r3 ISA, the MIPS16e2 ASE as well as a couple of implementation-specific regular MIPS and MIPS16e2 ASE instructions.
* The SPARC port now supports the SPARC M8 processor, which implements the Oracle SPARC Architecture 2017.
* The MIPS port now supports the MIPS16e2 ASE for assembly and disassembly.
* Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX.
* Add support for the wasm32 ELF conversion of the WebAssembly file format.
* Add --inlines option to objdump, which extends the --line-numbers option so that inlined functions will display their nesting information.
* Add --merge-notes options to objcopy to reduce the size of notes in a binary file by merging and deleting redundant notes.
* Add support for locating separate debug info files using the build-id method, where the separate file has a name based upon the build-id of the original file.

- GAS specific:
  * Add support for ELF SHF_GNU_MBIND.
  * Add support for the WebAssembly file format and wasm32 ELF conversion.
  * PowerPC gas now checks that the correct register class is used in instructions. For instance, 'addi %f4,%cr3,%r31' warns three times that the registers are invalid.
  * Add support for the Texas Instruments PRU processor.
  * Support for the ARMv8-R architecture and Cortex-R52 processor has been added to the ARM port.
- GNU ld specific:
  * Support for -z shstk in the x86 ELF linker to generate GNU_PROPERTY_X86_FEATURE_1_SHSTK in ELF GNU program properties.
  * Add support for GNU_PROPERTY_X86_FEATURE_1_SHSTK in ELF GNU program properties in the x86 ELF linker.
  * Add support for GNU_PROPERTY_X86_FEATURE_1_IBT in ELF GNU program properties in the x86 ELF linker.
  * Support for -z ibtplt in the x86 ELF linker to generate IBT-enabled PLT.
  * Support for -z ibt in the x86 ELF linker to generate IBT-enabled PLT as well as GNU_PROPERTY_X86_FEATURE_1_IBT in ELF GNU program properties.
  * Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX.
  * Add support for ELF GNU program properties.
  * Add support for the Texas Instruments PRU processor.
  * When configuring for arc*-*-linux* targets the default linker emulation will change if --with-cpu=nps400 is used at configure time.
  * Improve assignment of LMAs to orphan sections in some edge cases where a mixture of both AT>LMA_REGION and AT(LMA) are used.
  * Orphan sections placed after an empty section that has an AT(LMA) will now take a load memory address starting from LMA.
  * Section groups can now be resolved (the group deleted and the group members placed like normal sections) at partial link time, either using the new linker option --force-group-allocation or by placing FORCE_GROUP_ALLOCATION into the linker script.

- Add riscv64 target, tested with gcc7 and downstream newlib 2.4.0
- Prepare riscv32 target (gh#riscv/riscv-newlib#8)
- Make compressed debug section handling explicit, disable for old products and enable for gas on all architectures otherwise. [bsc#1029995]
- Remove the empty rpath component removal optimization to work around CMake rpath handling. [bsc#1025282]

Minor security bugs fixed: PR 21147, PR 21148, PR 21149, PR 21150, PR 21151, PR 21155, PR 21158, PR 21159

- Update to binutils 2.28.
  * Add support for locating separate debug info files using the build-id method, where the separate file has a name based upon the build-id of the original file.
  * This version of binutils fixes a problem with PowerPC VLE 16A and 16D relocations which were functionally swapped, for example, R_PPC_VLE_HA16A performed like R_PPC_VLE_HA16D while R_PPC_VLE_HA16D performed like R_PPC_VLE_HA16A. This could have been fixed by renumbering relocations, which would keep object files created by an older version of gas compatible with a newer ld. However, that would require an ABI update, affecting other assemblers and linkers that create and process the relocations correctly. It is recommended that all VLE object files be recompiled, but ld can modify the relocations if --vle-reloc-fixup is passed to ld. If the new ld command line option is not used, ld will warn on finding relocations inconsistent with the instructions being relocated.
  * The nm program has a new command line option (--with-version-strings) which will display a symbol's version information, if any, after the symbol's name.
  * The ARC port of objdump now accepts a -M option to specify the extra instruction class(es) that should be disassembled.
  * The --remove-section option for objcopy and strip now accepts section patterns starting with an exclamation point to indicate a non-matching section. A non-matching section is removed from the set of sections matched by an earlier --remove-section pattern.
  * The --only-section option for objcopy now accepts section patterns starting with an exclamation point to indicate a non-matching section. A non-matching section is removed from the set of sections matched by an earlier --only-section pattern.
  * New --remove-relocations=SECTIONPATTERN option for objcopy and strip. This option can be used to remove sections containing relocations. The SECTIONPATTERN is the section to which the relocations apply, not the relocation section itself.
- GAS specific:
  * Add support for the RISC-V architecture.
  * Add support for the ARM Cortex-M23 and Cortex-M33 processors.

- GNU ld specific:
  * The EXCLUDE_FILE linker script construct can now be applied outside of the section list in order for the exclusions to apply over all input sections in the list.
  * Add support for the RISC-V architecture.
  * The command line option --no-eh-frame-hdr can now be used in ELF based linkers to disable the automatic generation of .eh_frame_hdr sections.
  * Add --in-implib= to the ARM linker to enable specifying a set of Secure Gateway veneers that must exist in the output import library specified by --out-implib= and the address they must have. As such, --in-implib is only supported in combination with --cmse-implib.
  * Extended the --out-implib= option, previously restricted to x86 PE targets, to any ELF based target. This allows the generation of an import library for an ELF executable, which can then be used by another application to link against the executable.

- GOLD specific:
  * Add -z bndplt option (x86-64 only) to support Intel MPX.
  * Add --orphan-handling option.
  * Add --stub-group-multi option (PowerPC only).
  * Add --target1-rel, --target1-abs, --target2 options (Arm only).
  * Add -z stack-size option.
  * Add --be8 option (Arm only).
  * Add HIDDEN support in linker scripts.
  * Add SORT_BY_INIT_PRIORITY support in linker scripts.

- Other fixes:
  * Fix section alignment on .gnu_debuglink. [bso#21193]
  * Add s390x to gold_archs.
  * Fix alignment frags for aarch64 (bsc#1003846)
  * Call ldconfig for libbfd
  * Fix an assembler problem with clang on ARM.
  * Restore monotonically increasing section offsets.

- Update to binutils 2.27.
  * Add a configure option, --enable-64-bit-archive, to force use of a 64-bit format when creating an archive symbol index.
  * Add --elf-stt-common= option to objcopy for ELF targets to control whether to convert common symbols to the STT_COMMON type.
- GAS specific:
  * Default to --enable-compressed-debug-sections=gas for Linux/x86 targets.
  * Add --no-pad-sections to stop the assembler from padding the end of output sections up to their alignment boundary.
  * Support for the ARMv8-M architecture has been added to the ARM port. Support for the ARMv8-M Security and DSP Extensions has also been added to the ARM port.
  * ARC backend accepts .extInstruction, .extCondCode, .extAuxRegister, and .extCoreRegister pseudo-ops that allow a user to define custom instructions, conditional codes, auxiliary and core registers.
  * Add a configure option --enable-elf-stt-common to decide whether the ELF assembler should generate common symbols with the STT_COMMON type by default. Default to no.
  * New command line option --elf-stt-common= for ELF targets to control whether to generate common symbols with the STT_COMMON type.
  * Add ability to set section flags and types via numeric values for ELF based targets.
  * Add a configure option --enable-x86-relax-relocations to decide whether the x86 assembler should generate relax relocations by default. Default to yes, except for x86 Solaris targets older than Solaris 12.
  * New command line option -mrelax-relocations= for x86 target to control whether to generate relax relocations.
  * New command line option -mfence-as-lock-add=yes for x86 target to encode lfence, mfence and sfence as 'lock addl $0x0, (%[re]sp)'.
  * Add assembly-time relaxation option for ARC cpus.
  * Add --with-cpu=TYPE configure option for ARC gas. This allows the default cpu type to be adjusted at configure time.

- GOLD specific:
  * Add a configure option --enable-relro to decide whether -z relro should be enabled by default. Default to yes.
  * Add support for s390, MIPS, AArch64, and TILE-Gx architectures.
  * Add support for STT_GNU_IFUNC symbols.
  * Add support for incremental linking (--incremental).

- GNU ld specific:
  * Add a configure option --enable-relro to decide whether -z relro should be enabled in the ELF linker by default. Default to yes for all Linux targets except FRV, HPPA, IA64 and MIPS.
  * Support for -z noreloc-overflow in the x86-64 ELF linker to disable the relocation overflow check.
  * Add -z common/-z nocommon options for ELF targets to control whether to convert common symbols to the STT_COMMON type during a relocatable link.
  * Support for -z nodynamic-undefined-weak in the x86 ELF linker, which avoids dynamic relocations against undefined weak symbols in executables.
  * The NOCROSSREFSTO command was added to the linker script language.
  * Add --no-apply-dynamic-relocs to the AArch64 linker to not apply link-time values for dynamic relocations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2021-1
Released:    Fri Dec 8 10:11:04 2017
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1070878,1070958
Description:
This update for file fixes detection of JPEG files.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2031-1
Released:    Mon Dec 11 12:55:57 2017
Summary:     Recommended update for gzip
Type:        recommended
Severity:    low
References:  1067891
Description:
This update for gzip provides the following fix:

- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2036-1
Released:    Wed Dec 13 16:34:21 2017
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    low
References:  1039276,1040968,1055446,1066500
Description:
This update for util-linux provides the following fixes:

- Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968)
- Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446)
- Fix a lscpu failure on the Sydney Amazon EC2 region. (bsc#1066500)
- If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2097-1
Released:    Sat Dec 16 01:59:00 2017
Summary:     Security update for openssl
Type:        security
Severity:    important
References:  1071905,1071906,CVE-2017-3737,CVE-2017-3738
Description:
This update for openssl fixes the following issues:

- OpenSSL Security Advisory [07 Dec 2017]
  * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 'error state' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
  * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline.
    The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions, like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2137-1
Released:    Thu Dec 21 17:49:12 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1046173,1071698
Description:
This update for dbus-1 provides the following fixes:

- The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:4-1
Released:    Tue Jan 2 15:58:20 2018
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:
- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)

zypper:
- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:38-1
Released:    Tue Jan 9 14:56:43 2018
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  1070209
Description:
This update for kmod provides the following fixes:

- Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:55-1
Released:    Fri Jan 12 09:45:49 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:

- A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
- A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
- A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:68-1
Released:    Mon Jan 15 11:30:39 2018
Summary:     Security update for openslp
Type:        security
Severity:    moderate
References:  1001600,974655,980722,994989,CVE-2016-4912,CVE-2016-7567
Description:
This update for openslp fixes two security issues and two bugs.

The following vulnerabilities were fixed:
- CVE-2016-4912: A remote attacker could have crashed the server with a large number of packets (bsc#980722)
- CVE-2016-7567: A remote attacker could cause a memory corruption having unspecified impact (bsc#1001600)

The following bugfix changes are included:
- bsc#994989: Removed convenience code, as it changed bytes in the message buffer, breaking the verification code
- bsc#974655: Removed no longer needed slpd init file

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:86-1
Released:    Wed Jan 17 09:38:17 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released:    Wed Jan 17 14:41:17 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released:    Wed Jan 17 14:44:33 2018
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    low
References:  1063051,1067312
Description:
This update for lvm2 provides the following fixes:

- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages on testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd. (bsc#1067312)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released:    Thu Jan 25 11:44:23 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1064397,1065083
Description:
This update for openldap2 provides the following fixes:

- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released:    Thu Jan 25 13:38:37 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.
This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released:    Tue Jan 30 10:53:43 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.

These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released:    Tue Jan 30 14:36:40 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.

This security issue was fixed:
- CVE-2018-1049: Prevent a race that can lead to DoS when using automounts (bsc#1076308).

These non-security issues were fixed:
- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files. (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released:    Tue Jan 30 14:37:42 2018
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.

This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER encoded structure, which allowed for DoS (bsc#1076832).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released: Thu Feb 8 17:47:43 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes the following issues.

These security issues were fixed:

- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released: Mon Feb 12 11:50:39 2018
Summary: Recommended update for bash
Type: recommended
Severity: low
References: 1057452,1076909
Description:
This update for bash provides the following fixes:

- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released: Thu Feb 15 14:47:35 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)

Non-security bugs fixed:

- Release read lock after resetting timeout (bsc#1073990)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:336-1
Released: Wed Feb 21 14:26:52 2018
Summary: Security update for libdb-4_8
Type: security
Severity: moderate
References: 1043886
Description:
This update for libdb-4_8 fixes the following issues:

- A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. (bsc#1043886)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released: Mon Feb 26 16:34:46 2018
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:

Security issue fixed:

- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on.
  This could be used by local attackers to gain privileges (bsc#1077925)

Non-security issues fixed:

- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com.
- Don't ship /usr/lib/systemd/system/tmp.mount at all (bsc#1071224). We still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Type: recommended
Severity: low
References: 1009905,1063910
Description:
This update for net-tools provides the following fix:

- netstat: fix handling of large socket numbers (bsc#1063910)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released: Fri Mar 9 14:05:22 2018
Summary: Security update for augeas
Type: security
Severity: low
References: 1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:

Security issue fixed:

- CVE-2017-7555: Fixed a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released: Fri Mar 9 18:02:14 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:

- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released: Mon Mar 12 13:13:55 2018
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:

- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released: Thu Mar 15 07:38:52 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:

- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released: Thu Mar 15 10:47:40 2018
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: low
References: 1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:

libsolv:

- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.

libzypp:

- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)

zypper:

- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released: Thu Mar 22 08:20:46 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:

The following security issues were fixed:

- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released: Thu Mar 29 14:02:08 2018
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:

Security issues fixed:

- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).

Non-security issues fixed:

- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos.
  System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released: Thu Apr 5 17:22:37 2018
Summary: Security update for libidn
Type: security
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.

This security issue was fixed:

- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released: Wed Apr 11 18:02:57 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:

- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. (bsc#1087102)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:

Changes in libsolv:

- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)

Changes in libzypp:

- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released: Wed May 2 22:16:26 2018
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:

- Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros.
  (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0 or 1 if the first version is less than, equal to or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released: Mon May 7 07:07:38 2018
Summary: Recommended update for gcc7
Type: recommended
Severity: important
References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update for gcc7 to the 7.3 release fixes the following issues:

- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550]
- Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:906-1
Released: Mon May 14 15:18:26 2018
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1075418
Description:
This update for binutils fixes the following issues:

- Fix pacemaker libqb problem with section start/stop symbols. (bsc#1075418)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released: Thu May 17 08:41:30 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:

Security issues fixed:

- CVE-2018-1000301: Fixed a RTSP bad headers buffer over-read that could crash the curl client (bsc#1092098)

Non-security issues fixed:

- If the DEFAULT_SUSE cipher list is not available, use the HIGH cipher alias before failing. (bsc#1086825)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released: Wed May 23 16:46:50 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:

- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released: Wed May 23 17:14:16 2018
Summary: Security update for bash
Type: security
Severity: moderate
References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:

Security issues fixed:

- CVE-2016-7543: A code execution possibility via the SHELLOPTS+PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396)

Non-security issues fixed:

- Fix repeating self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs.
  (bsc#1086247)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released: Wed May 23 17:18:39 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321
Description:
This update for zlib fixes the following issues:

- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released: Tue Jun 5 13:20:44 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1089884
Description:
This update for pam fixes the following issues:

- Fix order of accessed configuration files in man page. (bsc#1089884)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released: Wed Jun 6 11:44:25 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:

- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)

Non-security bugs fixed:

- Fix crash in resolver on memory allocation failure (bsc#1086690)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released: Thu Jun 7 12:58:56 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1073879,1080078,964063
Description:
This update for rpm fixes the following issues:

- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros.
  (bsc#1080078)

Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released: Fri Jun 15 13:41:08 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released: Fri Jun 15 19:19:51 2018
Summary: Recommended update for openssl
Type: recommended
Severity: moderate
References: 1090765
Description:
This update for openssl provides the following fix:

- Suggest libopenssl1_0_0-hmac from libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1156-1
Released: Tue Jun 19 15:10:45 2018
Summary: Recommended update for openslp
Type: recommended
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests. (bsc#1080964)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1193-1
Released: Wed Jun 20 18:48:16 2018
Summary: Recommended update for openslp
Type: recommended
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests.
  (bsc#1080964)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released: Thu Jun 28 13:44:16 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released: Thu Jul 5 08:36:17 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client.
  This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released: Tue Jul 17 08:07:57 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issues were fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

This non-security issue was fixed:

- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released: Thu Jul 19 09:43:21 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released: Thu Jul 26 16:32:29 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:

- CVE-2018-7738: bash-completion/umount
  allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1413-1
Released: Fri Jul 27 12:41:13 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released: Mon Jul 30 10:10:45 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:

- Added /etc/security/limits.d to the pam package. (bsc#1096282)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released: Mon Aug 13 13:41:22 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:

- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage.
  (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1610-1
Released: Thu Aug 16 14:04:25 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released: Thu Aug 16 14:49:45 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released: Thu Aug 16 15:27:04 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:

- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096)
- compat-rules: Generate more compat by-id symlinks for NVMe devices.
  (bsc#1095096)
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables.
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890)
- logind: Do not use an uninitialized variable. (bsc#1088890)
- Disable user services by default. (bsc#1090785)
- Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769)
  Previously this symlink was created in /etc/sysctl.d during %post, which made the symlink not owned and, more importantly, it was created only if /etc/sysctl.conf was already installed, which is not always the case during the installation process. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead, since it's a distro default behavior that might be overridden by the sysadmin later.
- systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485)
  Add the offline event environmental condition to restrict the rule so that it can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in the kernel. This change prevents the udev rules for acpi container from being triggered by 'udevadm trigger' from user space.
- build-sys: Explicitly require python3.
(bsc#1082004) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1636-1 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1688-1 Released: Mon Aug 20 09:02:23 2018 Summary: Recommended update for openslp Type: recommended Severity: moderate References: 1076035,1080964 Description: This update for openslp provides the following fixes: - Fix slpd using the peer address as local address for TCP connections. (bsc#1076035) - Use TCP connections for unicast requests. (bsc#1080964) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1689-1 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1691-1 Released: Mon Aug 20 09:04:17 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. 
(bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1695-1 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1698-1 Released: Mon Aug 20 09:19:28 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1834-1 Released: Wed Sep 5 10:17:42 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1089761,1090944,1101040,1103910 Description: This update for systemd fixes the following issues: - cryptsetup: Add support for sector-size= option. (fate#325634) - resolved: Apply epoch to system time from PID 1. (bsc#1103910) - core/service: Rework the hold-off time over message. - core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944) - man: SystemMaxUse= clarification in journald.conf(5). 
(bsc#1101040) - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1903-1 Released: Fri Sep 14 12:46:21 2018 Summary: Security update for curl Type: security Severity: moderate References: 1089533,1106019,CVE-2018-14618 Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1942-1 Released: Fri Sep 21 07:51:02 2018 Summary: Security update for openslp Type: security Severity: important References: 1090638,CVE-2017-17833 Description: This update for openslp fixes the following issues: - CVE-2017-17833: Prevent heap-related memory corruption issue which may have manifested itself as a denial-of-service or a remote code-execution vulnerability (bsc#1090638) - Prevent out of bounds reads in message parsing ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1969-1 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if 
lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. - libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1985-1 Released: Mon Sep 24 11:56:08 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1994-1 Released: Mon Sep 24 12:55:57 2018 Summary: Security update for shadow Type: security Severity: moderate References: 1106914 Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2069-1 Released: Fri Sep 28 08:01:25 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737 Description: This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. 
An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2132-1 Released: Thu Oct 4 06:47:56 2018 Summary: Security update for openslp Type: security Severity: important References: 1090638,CVE-2017-17833 Description: This update for openslp fixes the following issues: - CVE-2017-17833: Prevent heap-related memory corruption issue which may have manifested itself as a denial-of-service or a remote code-execution vulnerability (bsc#1090638) - Prevent out of bounds reads in message parsing ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2162-1 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1088921 Description: This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2181-1 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). 
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). - CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2196-1 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2217-1 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1094121,1107430 Description: This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. 
(bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. - Avoid `xtrace' attack over $PS4. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2297-1 Released: Wed Oct 17 16:56:44 2018 Summary: Security update for binutils Type: security Severity: moderate References: 1029907,1029908,1029909,1030296,1030297,1030298,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1037052,1037057,1037061,1037066,1037273,1044891,1044897,1044901,1044909,1044925,1044927,1065643,1065689,1065693,1068640,1068643,1068887,1068888,1068950,1069176,1069202,1074741,1077745,1079103,1079741,1080556,1081527,1083528,1083532,1085784,1086608,1086784,1086786,1086788,1090997,1091015,1091365,1091368,CVE-2014-9939,CVE-2017-15938,CVE-2017-15939,CVE-2017-15996,CVE-2017-16826,CVE-2017-16827,CVE-2017-16828,CVE-2017-16829,CVE-2017-16830,CVE-2017-16831,CVE-2017-16832,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8396,CVE-2017-8421,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2018-10372,CVE-2018-1 0373,CVE-2018-10534,CVE-2018-10535,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945 Description: This update for binutils to 2.31 fixes the following issues: These security issues were fixed: - CVE-2017-15996: readelf allowed remote attackers to cause a denial of service (excessive memory 
allocation) or possibly have unspecified other impact via a crafted ELF file that triggered a buffer overflow on fuzzed archive header (bsc#1065643). - CVE-2017-15939: Binary File Descriptor (BFD) library (aka libbfd) mishandled NULL files in a .debug_line file table, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename (bsc#1065689). - CVE-2017-15938: the Binary File Descriptor (BFD) library (aka libbfd) miscalculated DW_FORM_ref_addr die refs in the case of a relocatable object file, which allowed remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash) (bsc#1065693). - CVE-2017-16826: The coff_slurp_line_table function the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file (bsc#1068640). - CVE-2017-16832: The pe_bfd_read_buildid function in the Binary File Descriptor (BFD) library (aka libbfd) did not validate size and offset values in the data dictionary, which allowed remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file (bsc#1068643). - CVE-2017-16831: Binary File Descriptor (BFD) library (aka libbfd) did not validate the symbol count, which allowed remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file (bsc#1068887). 
- CVE-2017-16830: The print_gnu_property_note function did not have integer-overflow protection on 32-bit platforms, which allowed remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file (bsc#1068888). - CVE-2017-16829: The _bfd_elf_parse_gnu_properties function in the Binary File Descriptor (BFD) library (aka libbfd) did not prevent negative pointers, which allowed remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file (bsc#1068950). - CVE-2017-16828: The display_debug_frames function allowed remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file (bsc#1069176). - CVE-2017-16827: The aout_get_external_symbols function in the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file (bsc#1069202). - CVE-2018-6323: The elf_object_p function in the Binary File Descriptor (BFD) library (aka libbfd) had an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact (bsc#1077745). - CVE-2018-6543: Prevent integer overflow in the function load_specific_debug_section() which resulted in `malloc()` with 0 size. A crafted ELF file allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact (bsc#1079103). - CVE-2018-6759: The bfd_get_debug_link_info_1 function in the Binary File Descriptor (BFD) library (aka libbfd) had an unchecked strnlen operation. 
Remote attackers could have leveraged this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file (bsc#1079741). - CVE-2018-6872: The elf_parse_notes function in the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment (bsc#1080556). - CVE-2018-7208: In the coff_pointerize_aux function in the Binary File Descriptor (BFD) library (aka libbfd) an index was not validated, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object (bsc#1081527). - CVE-2018-7570: The assign_file_positions_for_non_load_sections function in the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an ELF file with a RELRO segment that lacks a matching LOAD segment, as demonstrated by objcopy (bsc#1083528). - CVE-2018-7569: The Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a denial of service (integer underflow or overflow, and application crash) via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm (bsc#1083532). - CVE-2018-8945: The bfd_section_from_shdr function in the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a denial of service (segmentation fault) via a large attribute section (bsc#1086608). - CVE-2018-7643: The display_debug_ranges function allowed remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump (bsc#1086784). 
- CVE-2018-7642: The swap_std_reloc_in function in the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy (bsc#1086786). - CVE-2018-7568: The parse_die function in the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a denial of service (integer overflow and application crash) via an ELF file with corrupt dwarf1 debug information, as demonstrated by nm (bsc#1086788). - CVE-2018-10373: concat_filename in the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new (bsc#1090997). - CVE-2018-10372: process_cu_tu_index allowed remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted binary file, as demonstrated by readelf (bsc#1091015). - CVE-2018-10535: The ignore_section_sym function in the Binary File Descriptor (BFD) library (aka libbfd) did not validate the output_section pointer in the case of a symtab entry with a 'SECTION' type that has a '0' value, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy (bsc#1091365). - CVE-2018-10534: The _bfd_XX_bfd_copy_private_bfd_data_common function in the Binary File Descriptor (BFD) library (aka libbfd) processesed a negative Data Directory size with an unbounded loop that increased the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeded its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c (bsc#1091368). 
These non-security issues were fixed: - The AArch64 port now supports showing disassembly notes which are emitted when inconsistencies are found with the instruction that may result in the instruction being invalid. These can be turned on with the option -M notes to objdump. - The AArch64 port now emits warnings when a combination of an instruction and a named register could be invalid. - Added O modifier to ar to display member offsets inside an archive - The ADR and ADRL pseudo-instructions supported by the ARM assembler now only set the bottom bit of the address of thumb function symbols if the -mthumb-interwork command line option is active. - Add --generate-missing-build-notes=[yes|no] option to create (or not) GNU Build Attribute notes if none are present in the input sources. Add a --enable-generate-build-notes=[yes|no] configure time option to set the default behaviour. Set the default if the configure option is not used to 'no'. - Remove -mold-gcc command-line option for x86 targets. - Add -O[2|s] command-line options to x86 assembler to enable alternate shorter instruction encoding. - Add support for .nops directive. It is currently supported only for x86 targets. - Speed up direct linking with DLLs for Cygwin and Mingw targets. - Add a configure option --enable-separate-code to decide whether -z separate-code should be enabled in ELF linker by default. Default to yes for Linux/x86 targets. Note that -z separate-code can increase disk and memory size. - RISC-V: Fix symbol address problem with versioned symbols - Restore riscv64-elf cross prefix via symlinks - RISC-V: Don't enable relaxation in relocatable link - Prevent linking faiures on i386 with assertion (bsc#1085784) - Fix symbol size bug when relaxation deletes bytes - Add --debug-dump=links option to readelf and --dwarf=links option to objdump which displays the contents of any .gnu_debuglink or .gnu_debugaltlink sections. 
Add a --debug-dump=follow-links option to readelf and a --dwarf=follow-links option to objdump which causes indirect links into separate debug info files to be followed when dumping other DWARF sections. - Add support for loaction views in DWARF debug line information. - Add -z separate-code to generate separate code PT_LOAD segment. - Add '-z undefs' command line option as the inverse of the '-z defs' option. - Add -z globalaudit command line option to force audit libraries to be run for every dynamic object loaded by an executable - provided that the loader supports this functionality. - Tighten linker script grammar around file name specifiers to prevent the use of SORT_BY_ALIGNMENT and SORT_BY_INIT_PRIORITY on filenames. These would previously be accepted but had no effect. - The EXCLUDE_FILE directive can now be placed within any SORT_* directive within input section lists. - Fix linker relaxation with --wrap - Add arm-none-eabi symlinks (bsc#1074741) Former updates of binutils also fixed the following security issues, for which there was not CVE assigned at the time the update was released or no mapping between code change and CVE existed: - CVE-2014-9939: Prevent stack buffer overflow when printing bad bytes in Intel Hex objects (bsc#1030296). - CVE-2017-7225: The find_nearest_line function in addr2line did not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash (bsc#1030585). - CVE-2017-7224: The find_nearest_line function in objdump was vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash (bsc#1030588). - CVE-2017-7223: GNU assembler in was vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash (bsc#1030589). 
- CVE-2017-7226: The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd) was vulnerable to a heap-based buffer over-read of size 4049 because it used the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well (bsc#1030584). - CVE-2017-7299: The Binary File Descriptor (BFD) library (aka libbfd) had an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) did not check the format of the input file trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash (bsc#1031644). - CVE-2017-7300: The Binary File Descriptor (BFD) library (aka libbfd) had an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash (bsc#1031656). - CVE-2017-7302: The Binary File Descriptor (BFD) library (aka libbfd) had a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability caused Binutils utilities like strip to crash (bsc#1031595). - CVE-2017-7303: The Binary File Descriptor (BFD) library (aka libbfd) was vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers attempting to match them. This vulnerability caused Binutils utilities like strip to crash (bsc#1031593). - CVE-2017-7301: The Binary File Descriptor (BFD) library (aka libbfd) had an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it did not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash (bsc#1031638). 
- CVE-2017-7304: The Binary File Descriptor (BFD) library (aka libbfd) was vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field attempting to follow it. This vulnerability caused Binutils utilities like strip to crash (bsc#1031590). - CVE-2017-8392: The Binary File Descriptor (BFD) library (aka libbfd) was vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability caused programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash (bsc#1037052). - CVE-2017-8393: The Binary File Descriptor (BFD) library (aka libbfd) was vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability caused programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash (bsc#1037057). - CVE-2017-8394: The Binary File Descriptor (BFD) library (aka libbfd) was vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability caused programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash (bsc#1037061). - CVE-2017-8396: The Binary File Descriptor (BFD) library (aka libbfd) was vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability caused programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash (bsc#1037066). 
- CVE-2017-8421: The function coff_set_alignment_hook in the Binary File Descriptor (BFD) library (aka libbfd) had a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file (bsc#1037273).
- CVE-2017-9746: The disassemble_bytes function in objdump.c allowed remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during 'objdump -D' execution (bsc#1044891).
- CVE-2017-9747: The ieee_archive_p function in the Binary File Descriptor (BFD) library (aka libbfd) might have allowed remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during 'objdump -D' execution (bsc#1044897).
- CVE-2017-9748: The ieee_object_p function in the Binary File Descriptor (BFD) library (aka libbfd) might have allowed remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during 'objdump -D' execution (bsc#1044901).
- CVE-2017-9750: opcodes/rx-decode.opc lacked bounds checks for certain scale arrays, which allowed remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during 'objdump -D' execution (bsc#1044909).
- CVE-2017-9755: Not considering the number of registers for bnd mode allowed remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during 'objdump -D' execution (bsc#1044925).
- CVE-2017-9756: The aarch64_ext_ldst_reglist function allowed remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during 'objdump -D' execution (bsc#1044927).
- CVE-2017-7209: The dump_section_as_bytes function in readelf accessed a NULL pointer while reading section contents in a corrupt binary, leading to a program crash (bsc#1030298).
- CVE-2017-6965: readelf wrote to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow (bsc#1029909).
- CVE-2017-6966: readelf had a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations (bsc#1029908).
- CVE-2017-6969: readelf was vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well (bsc#1029907).
- CVE-2017-7210: objdump was vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to a program crash (bsc#1030297).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2373-1
Released: Mon Oct 22 14:43:47 2018
Summary: Security update for rpm
Type: security
Severity: moderate
References: 1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457).

This non-security issue was fixed:
- Use ksym-provides tool [bsc#1077692]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released: Wed Oct 24 14:42:43 2018
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:
This update for systemd fixes the following issues:
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released: Thu Oct 25 16:56:24 2018
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:
- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released: Fri Oct 26 12:39:59 2018
Summary: Recommended update for cpio
Type: recommended
Severity: low
References: 1076810,889138
Description:
This update for cpio provides the following fix:
- Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Type: recommended
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:
- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires on kbd in order to resolve the build cycle between kbd and console-setup. (bsc#963942)

Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
    * Add kbdsettings service. (bsc#1010880)
    * Exclude numlockbios support for non-x86 platforms
    * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
  * Drop some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with the new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock (bsc#1056449).
  * Revert dropping of the kdb-legacy requirement as there are still packages and installation flows that need it to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce the correct unicode character for the Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released: Tue Oct 30 09:22:45 2018
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1113117
Description:
This update for bash fixes the following issue:
- A recently released update introduced a change of behavior which broke customers' scripts. (bsc#1113117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released: Fri Nov 2 17:09:49 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:
- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released: Fri Nov 2 18:59:06 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:
- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released: Wed Nov 7 11:04:00 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1095148,1113100
Description:
This update for rpm fixes the following issues:
- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released: Wed Nov 14 14:14:41 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:

Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship the systemd-sysv-install helper via the main package. This script was part of the systemd-sysvinit sub-package, but that was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released: Thu Nov 22 16:25:38 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:

Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released: Fri Nov 23 17:07:27 2018
Summary: Security update for rpm
Type: security
Severity: important
References: 943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457).

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released: Fri Nov 23 17:08:32 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released: Tue Nov 27 13:39:49 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released: Mon Dec 3 15:34:09 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:
- CVE-2018-19211: Fixed a denial of service issue that was triggered by a NULL pointer dereference in the function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released: Wed Dec 5 09:29:31 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:
- Systemd-aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released: Wed Dec 5 09:57:54 2018
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:
- Allow setuid root for the start-suid tool of singularity (group only) (bsc#1028304)
- Allow setuid root for the authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247 bsc#1097665)
- Make btmp root:utmp (bsc#1050467)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released: Wed Dec 5 09:59:45 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:
- Added more checks for a valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using the _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released: Tue Dec 11 21:48:05 2018
Summary: Recommended update for blog
Type: recommended
Severity: moderate
References: 1071568
Description:
This update for blog fixes the following issues:
- Hardening of the console list generation (bsc#1071568)
- Changed the description of blog-plymouth in the same manner as used by the release notes

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released: Mon Dec 17 08:51:28 2018
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:

Security issue fixed:
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:
- Fail selftests when the checksum file is missing in FIPS mode only. (bsc#1117355)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released: Tue Jan 8 13:07:17 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659
Description:
This update for acl fixes the following issue:
- quote: Escape literal backslashes (bsc#953659).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Type: security
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issue:

Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released: Mon Jan 21 13:53:58 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:

Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:
- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state. That failure exit code caused the hot-added memory block to not be set online. (bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Type: recommended
Severity: important
References: 1121450
Description:
This update for ncurses fixes the following issue:
- ncurses applications freezing (bsc#1121450)

From sle-updates at lists.suse.com Thu Jan 16 09:59:02 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:59:02 +0100 (CET)
Subject: SUSE-CU-2019:722-1: Recommended update of caasp/v4/nginx-ingress-controller
Message-ID: <20200116165902.E2259F796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/nginx-ingress-controller
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:722-1
Container Tags : caasp/v4/nginx-ingress-controller:0.15.0 , caasp/v4/nginx-ingress-controller:0.15.0-rev1 , caasp/v4/nginx-ingress-controller:0.15.0-rev1-build2.1 , caasp/v4/nginx-ingress-controller:beta1
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v4/nginx-ingress-controller was updated. The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 10:12:30 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:12:30 +0100 (CET)
Subject: SUSE-SU-2020:0118-1: moderate: Security update for fontforge
Message-ID: <20200116171230.C2A7BF798@maintenance.suse.de>

SUSE Security Update: Security update for fontforge
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0118-1
Rating: moderate
References: #1160220 #1160236
Cross-References: CVE-2020-5395 CVE-2020-5496
Affected Products:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for fontforge fixes the following issues:
- CVE-2020-5395: Fixed a use-after-free in SFD_GetFontMetaData() (bsc#1160220).
- CVE-2020-5496: Fixed a heap-based buffer overflow in Type2NotDefSplines() (bsc#1160236).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-118=1

Package List:
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  fontforge-20170731-4.3.2
  fontforge-debuginfo-20170731-4.3.2
  fontforge-debugsource-20170731-4.3.2
  fontforge-devel-20170731-4.3.2
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
  fontforge-doc-20170731-4.3.2

References:
https://www.suse.com/security/cve/CVE-2020-5395.html
https://www.suse.com/security/cve/CVE-2020-5496.html
https://bugzilla.suse.com/1160220
https://bugzilla.suse.com/1160236

From sle-updates at lists.suse.com Thu Jan 16 09:58:41 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:58:41 +0100 (CET)
Subject: SUSE-CU-2019:720-1: Recommended update of caasp/v4/mariadb
Message-ID: <20200116165841.CC575F796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:720-1
Container Tags : caasp/v4/mariadb:10.0.35 , caasp/v4/mariadb:10.0.35-rev1 , caasp/v4/mariadb:10.0.35-rev1-build2.1 , caasp/v4/mariadb:beta1
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v4/mariadb was updated.
The following patches have been included in this update: From sle-updates at lists.suse.com Thu Jan 16 09:59:40 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 17:59:40 +0100 (CET) Subject: SUSE-CU-2019:725-1: Security update of caasp/v4/pv-recycler-node Message-ID: <20200116165940.CC9CCF796@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/pv-recycler-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:725-1 Container Tags : caasp/v4/pv-recycler-node:8.25 , caasp/v4/pv-recycler-node:8.25-rev1 , caasp/v4/pv-recycler-node:8.25-rev1-build1.1 Severity : important Type : security References : 1000396 1000662 1000677 1001299 1001790 1001912 1002975 1003577 1003579 1003580 1003714 1003978 1004094 1004289 1004995 1004995 1004995 1005023 1005063 1005404 1005544 1005633 1005634 1005635 1005637 1005638 1005640 1005642 1005643 1005645 1005646 1006175 1006372 1006469 1006687 1006690 1007851 1008325 1009269 1009470 1009528 1009532 1009745 1009905 1009966 1010220 1010675 1010845 1010880 1012266 1012390 1012523 1012591 1012818 1012973 1013286 1013882 1013930 1013989 1014471 1014560 1014566 1014873 1015254 1015332 1015515 1015565 1015943 1017034 1017497 1018214 1018399 1019276 1019470 1019637 1019637 1019900 1020108 1020143 1020601 1021641 1022014 1022047 1022085 1022086 1022271 1023283 1023895 1024989 1025176 1025398 1025560 1025598 1025630 1025886 1026224 1026567 1026825 1027079 1027379 1027688 1027712 1027908 1027925 1028263 1028281 1028304 1028304 1028305 1028410 1028485 1028610 1028723 1029102 1029102 1029183 1029516 1029516 1029523 1029561 1029691 1029725 1029900 1030290 1030621 1031355 1031643 1031702 1031998 1032029 1032029 1032309 1032445 1032538 1032660 1032680 1033238 1033238 1033855 1034563 1034565 1035062 1035371 1035386 1035445 1035818 1036304 1036659 1036736 1036873 1036873 1037120 1037120 1037396 1037824 1037930 1038189 1038194 1038444 1038865 1038865 
1038984 1038984 1039063 1039063 1039064 1039064 1039066 1039066 1039069 1039069 1039099 1039099 1039276 1039357 1039661 1039661 1039941 1040043 1040153 1040153 1040258 1040258 1040614 1040614 1040800 1040942 1040942 1040968 1040968 1040968 1041764 1042326 1042392 1042781 1043059 1043218 1043237 1043333 1043333 1043580 1043615 1043758 1043758 1043900 1043900 1044095 1044107 1044175 1044337 1044840 1044887 1044894 1045092 1045290 1045290 1045384 1045472 1045628 1045735 1045735 1045735 1045943 1045987 1046173 1046173 1046268 1046417 1046607 1046659 1046750 1046750 1046853 1046853 1046858 1046858 1047008 1047178 1047233 1047236 1047240 1047247 1047379 1047785 1047785 1047937 1047964 1047965 1048315 1048510 1048605 1048605 1048645 1048679 1049344 1049825 1050152 1050467 1050767 1050943 1051042 1051465 1051626 1051643 1051644 1051791 1052261 1053137 1053188 1053409 1053595 1053671 1054028 1054088 1054171 1054671 1055446 1055641 1055825 1055920 1056058 1056126 1056127 1056127 1056128 1056128 1056129 1056129 1056131 1056131 1056132 1056132 1056136 1056136 1056437 1056449 1056450 1056995 1057150 1057188 1057452 1057634 1057640 1057662 1057721 1057724 1057900 1057974 1058695 1058722 1058783 1059065 1059723 1060653 1060738 1061384 1061667 1061876 1062303 1062561 1062591 1062592 1063051 1063249 1063269 1063675 1063824 1063910 1064397 1064455 1064455 1064455 1064569 1064580 1064583 1064999 1065083 1065274 1065276 1065363 1065448 1065448 1066156 1066242 1066422 1066500 1067312 1067605 1067891 1068251 1068565 1068565 1068588 1068708 1068967 1069222 1069226 1069468 1069934 1070209 1070428 1070431 1070431 1070851 1070878 1070905 1070958 1071224 1071311 1071319 1071321 1071466 1071558 1071568 1071698 1071905 1071906 1072947 1072947 1073231 1073313 1073879 1073990 1074254 1074293 1074293 1074621 1074687 1075449 1075724 1075743 1075801 1075804 1075978 1076192 1076308 1076415 1076696 1076810 1076832 1076909 1077001 1077635 1077692 1077787 1077787 1077925 1077993 1078358 1078662 1078662 
1078806 1078813 1079036 1079334 1079991 1080078 1080382 1080740 1080740 1081170 1081294 1081556 1081725 1082004 1082216 1082216 1082216 1082233 1082233 1082233 1082234 1082234 1082234 1082318 1082485 1082485 1083158 1083290 1083926 1083927 1083946 1084300 1084300 1084521 1084524 1084532 1084626 1084812 1084812 1084842 1085062 1085432 1086247 1086602 1086690 1086785 1086825 1087102 1087323 1087550 1087550 1087930 1088052 1088279 1088601 1088705 1088769 1088890 1088921 1089039 1089533 1089640 1089761 1089761 1089884 1090765 1090766 1090766 1090766 1090785 1090944 1091265 1091624 1091677 1092098 1092100 1092100 1092413 1092640 1092640 1093753 1093851 1094121 1094150 1094154 1094161 1094222 1095096 1095148 1096282 1096282 1096282 1096718 1096718 1096745 1096803 1097158 1097410 1097410 1097410 1097624 1097665 1098592 1099310 1099310 1099310 1099452 1099847 1099982 1100028 1101040 1101246 1101349 1101470 1101591 1102046 1102429 1102564 1103910 1104789 1105031 1105166 1105236 1106019 1106197 1106914 1106923 1107430 1107640 1107941 1108835 1109197 1109252 1109877 1110445 1110661 1111251 1111278 1111965 1112024 1112209 1112758 1112858 1113083 1113100 1113117 1113125 1113534 1113632 1113652 1113660 1113665 1113742 1114981 1115518 1115929 1117355 1119971 1120323 1120489 1121450 360993 408814 556664 658010 661410 675317 825385 829717 830805 874665 888308 889138 889990 892431 894610 896202 896435 897422 898003 899524 899871 900275 900276 901202 901845 901924 902364 902367 903543 905483 906574 906574 906803 906858 907074 907456 908128 908516 909418 910252 910252 910253 910253 911228 911363 911662 912229 912715 912922 913209 913650 913651 915402 915846 917152 917169 918089 918090 918346 919274 920057 920057 920386 921070 922534 923241 924525 924687 924960 924960 926412 926826 927556 927607 927608 927746 927993 928292 928533 928740 929919 930176 931932 932232 932894 933029 933288 933288 933336 933878 933878 934333 934689 934920 936050 936227 936227 936676 937823 938343 938657 
939392 939460 940315 942865 942865 943457 943457 944903 945340 945842 945899 952151 952347 953130 953532 953659 953807 953831 954002 954661 955382 955753 955770 957566 957566 957567 957567 957598 957598 957600 957600 958369 958562 959693 960273 960820 960837 960837 961964 962765 962983 962996 963290 963448 963942 964063 964468 965322 965780 965902 966220 967026 967082 967728 967838 968771 969569 970260 970882 971741 971741 972127 972127 972331 974691 978055 979261 979436 979441 979629 979906 980391 980486 981114 981616 982303 982303 983206 983215 983216 983754 984906 984958 986216 986216 986783 986935 987887 988311 989788 989831 990189 990190 990191 990538 991389 991390 991391 991443 991746 991901 992966 994157 994794 995936 996511 997043 997420 997682 998760 998893 998906 999735 999878 CVE-2012-6702 CVE-2013-6435 CVE-2014-3591 CVE-2014-3707 CVE-2014-3710 CVE-2014-8116 CVE-2014-8116 CVE-2014-8117 CVE-2014-8117 CVE-2014-8118 CVE-2014-8150 CVE-2014-8964 CVE-2014-8964 CVE-2014-9087 CVE-2014-9112 CVE-2014-9447 CVE-2014-9620 CVE-2014-9621 CVE-2014-9653 CVE-2015-0247 CVE-2015-0837 CVE-2015-1283 CVE-2015-1572 CVE-2015-1606 CVE-2015-1607 CVE-2015-1782 CVE-2015-2059 CVE-2015-2325 CVE-2015-2325 CVE-2015-2327 CVE-2015-2327 CVE-2015-2328 CVE-2015-2328 CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148 CVE-2015-3153 CVE-2015-3210 CVE-2015-3210 CVE-2015-3217 CVE-2015-3217 CVE-2015-3238 CVE-2015-5073 CVE-2015-5073 CVE-2015-5276 CVE-2015-7511 CVE-2015-8380 CVE-2015-8380 CVE-2015-8381 CVE-2015-8381 CVE-2015-8382 CVE-2015-8382 CVE-2015-8383 CVE-2015-8383 CVE-2015-8384 CVE-2015-8384 CVE-2015-8385 CVE-2015-8385 CVE-2015-8386 CVE-2015-8386 CVE-2015-8387 CVE-2015-8387 CVE-2015-8388 CVE-2015-8388 CVE-2015-8389 CVE-2015-8389 CVE-2015-8390 CVE-2015-8390 CVE-2015-8391 CVE-2015-8391 CVE-2015-8392 CVE-2015-8392 CVE-2015-8393 CVE-2015-8393 CVE-2015-8394 CVE-2015-8394 CVE-2015-8395 CVE-2015-8395 CVE-2015-8853 CVE-2015-8948 CVE-2016-0634 CVE-2016-0718 CVE-2016-0755 CVE-2016-0787 
CVE-2016-10156 CVE-2016-1238 CVE-2016-1283 CVE-2016-1283 CVE-2016-1839 CVE-2016-2037 CVE-2016-2381 CVE-2016-3191 CVE-2016-3191 CVE-2016-4574 CVE-2016-4579 CVE-2016-4658 CVE-2016-5131 CVE-2016-5300 CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 CVE-2016-6185 CVE-2016-6252 CVE-2016-6252 CVE-2016-6252 CVE-2016-6261 CVE-2016-6262 CVE-2016-6263 CVE-2016-6313 CVE-2016-6318 CVE-2016-7055 CVE-2016-7141 CVE-2016-7167 CVE-2016-7543 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-9063 CVE-2016-9318 CVE-2016-9401 CVE-2016-9586 CVE-2016-9597 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 CVE-2017-0663 CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254 CVE-2017-1000257 CVE-2017-1000366 CVE-2017-1000408 CVE-2017-1000409 CVE-2017-10684 CVE-2017-10684 CVE-2017-10685 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-11462 CVE-2017-12132 CVE-2017-12133 CVE-2017-12424 CVE-2017-12837 CVE-2017-12883 CVE-2017-13728 CVE-2017-13728 CVE-2017-13729 CVE-2017-13729 CVE-2017-13730 CVE-2017-13730 CVE-2017-13731 CVE-2017-13731 CVE-2017-13732 CVE-2017-13732 CVE-2017-13733 CVE-2017-13733 CVE-2017-13734 CVE-2017-14062 CVE-2017-15088 CVE-2017-15412 CVE-2017-15670 CVE-2017-15671 CVE-2017-15804 CVE-2017-15908 CVE-2017-16997 CVE-2017-17740 CVE-2017-18078 CVE-2017-18258 CVE-2017-18269 CVE-2017-3731 CVE-2017-3732 CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 CVE-2017-5130 CVE-2017-5969 CVE-2017-6512 CVE-2017-7375 CVE-2017-7376 CVE-2017-7407 CVE-2017-7435 CVE-2017-7436 CVE-2017-7436 CVE-2017-7500 CVE-2017-7500 CVE-2017-7501 CVE-2017-7501 CVE-2017-7526 CVE-2017-7555 CVE-2017-8804 CVE-2017-8816 CVE-2017-8817 CVE-2017-8872 CVE-2017-9047 CVE-2017-9047 CVE-2017-9048 CVE-2017-9048 CVE-2017-9049 CVE-2017-9049 CVE-2017-9050 CVE-2017-9050 CVE-2017-9217 CVE-2017-9217 CVE-2017-9233 CVE-2017-9269 CVE-2017-9269 CVE-2017-9287 CVE-2017-9445 CVE-2017-9445 CVE-2017-9526 CVE-2018-0495 CVE-2018-0495 
CVE-2018-0495 CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-0739 CVE-2018-1000001 CVE-2018-1000001 CVE-2018-1000007 CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000301 CVE-2018-1049 CVE-2018-1122 CVE-2018-1122 CVE-2018-1123 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1124 CVE-2018-1125 CVE-2018-1125 CVE-2018-1126 CVE-2018-1126 CVE-2018-12015 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-19211 CVE-2018-20217 CVE-2018-5407 CVE-2018-5729 CVE-2018-5730 CVE-2018-6003 CVE-2018-6485 CVE-2018-6551 CVE-2018-6797 CVE-2018-6797 CVE-2018-6797 CVE-2018-6798 CVE-2018-6798 CVE-2018-6798 CVE-2018-6913 CVE-2018-6913 CVE-2018-6913 CVE-2018-7169 CVE-2018-7685 CVE-2018-7738 CVE-2018-7738 CVE-2018-9251
-----------------------------------------------------------------
The container caasp/v4/pv-recycler-node was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.
This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).
This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Type: security
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Type: security
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Type: security
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with spaces.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.
This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released: Tue Feb 3 14:51:17 2015
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 913209
Description:
curl was updated to fix problems when operating in FIPS mode.
This patch re-enables the following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released: Tue Feb 3 16:30:16 2015
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.
CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet, which could lead to a buffer over-read and a crash of the application using libssh2_org.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.
The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of bounds
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.
libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)
FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Type: security
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:
Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Type: recommended
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.
It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Type: optional
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.
Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.
This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes.
The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).
The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes.
Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:
Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)
Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin).
The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Type: recommended
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-utf-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Type: security
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out-of-bounds read and a stack overflow issue (bsc#926826).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Type: recommended
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released: Fri Jan 8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type: recommended
Severity: moderate
References: 932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.
The various GNOME libraries and tools have been changed to use the default libgcrypt allocators.
GNOME keyring was changed not to use MD5 anymore.
libgcrypt was adjusted to free the DRBG on exit to avoid crashes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released: Thu Feb 4 15:51:22 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)
The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time
The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released: Thu Mar 3 15:58:18 2016
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 960820
Description:
This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:
Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.
A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)
Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Type: recommended
Severity: low
References: 967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released: Fri Apr 1 18:44:16 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released: Wed Apr 6 16:26:42 2016
Summary: Security update for gcc5
Type: security
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.
The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)
The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.
This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Type: recommended
Severity: low
References: 970260
Description:
This update for bzip2 fixes the following issues:
- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Type: recommended
Severity: important
References: 974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released: Thu May 19 22:38:01 2016
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 915846
Description:
This update for curl fixes the following issue:
- Fix 'Network is unreachable' error when ipv6 is not available but ipv4 is. This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 979629
Description:
This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing fips pattern (bsc#979629)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released: Tue Jun 7 09:48:12 2016
Summary: Security update for expat
Type: security
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:
Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released: Tue Jun 7 10:58:37 2016
Summary: Security update for libksba
Type: security
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)
Also adding reliability fixes from v1.3.4.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 981616
Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released: Thu Jul 7 11:50:47 2016
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 986935
Description:
This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Type: security
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize: reject invalid UTF-8 (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Type: security
Severity: moderate
References: 992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Type: security
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Type: optional
Severity: low
References: 983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.
Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.
Generic Optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit, which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.
C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.
C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.
C++ improvements:
- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.
libstdc++ improvements:
- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS.
The subset of checks enabled by the new macro has less run-time overhead than the full _GLIBCXX_DEBUG checks and doesn't affect the library ABI, so it can be enabled per translation unit.

Fortran improvements:
- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.

Architecture improvements:
- AArch64 received a lot of improvements.

IA-32/x86-64 improvements:
- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX-512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for the new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through the option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as the third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls.
These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.

PowerPC / PowerPC64 / RS6000 improvements:
- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
  - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
  - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
  - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
  - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
  - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
  - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
  - -mpower9-minmax: Reserved for future development.
  - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.

S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension.
This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible with the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
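The new C/C++ diagnostics listed above (-Wmisleading-indentation, -Wduplicated-cond, -Wshift-overflow=2, -Wshift-negative-value) are easiest to judge on code that contains the bugs they target. What follows is an added example written for this page, not code from the GCC release notes or from the GCC project: a toy record-header validator in which a missing brace makes a goto unconditional (the same shape as the 2014 Apple 'goto fail' TLS bug) so that every header is accepted, a duplicated condition in an if-else-if chain that makes one class unreachable, and an unsigned mask helper written so the shift warnings stay quiet. The header layout, the limits and all function names are assumptions made for the example. Compile it with gcc -std=gnu11 -O2 -Wall -Wduplicated-cond -Wshift-overflow=2 warn_demo.c and the warnings appear next to the runtime results.

```c
/* Added example for the GCC 6 C/C++ diagnostics; not GCC project code.
 * Header layout, limits and names are assumptions made for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_MAGIC    0xAB
#define HDR_VERSION  1
#define HDR_MAX_LEN  1024

/* Toy 4-byte record header: magic, version, 16-bit big-endian payload length. */
struct hdr {
    uint8_t  magic;
    uint8_t  version;
    uint16_t len;
};

/* Constructed sample inputs (not captured from any real protocol). */
static const uint8_t SAMPLE_GOOD[4] = { HDR_MAGIC, HDR_VERSION, 0x00, 0x10 }; /* len 16 */
static const uint8_t SAMPLE_BAD[4]  = { 0x00,      HDR_VERSION, 0x00, 0x10 }; /* bad magic */

/* Buggy: the indentation says 'goto done' belongs to the if, but without
 * braces it is unconditional, so parsing and validation below never run and
 * every buffer of at least 4 bytes is accepted with err still 0.
 * -Wmisleading-indentation (part of -Wall in GCC 6) reports this. */
static int check_header_buggy(const uint8_t *buf, size_t n, struct hdr *out)
{
    int err = 0;
    if (n < 4)
        err = -1;
        goto done;                      /* always taken */
    out->magic   = buf[0];
    out->version = buf[1];
    out->len     = (uint16_t)((buf[2] << 8) | buf[3]);
    if (out->magic != HDR_MAGIC || out->len > HDR_MAX_LEN)
        err = -1;
done:
    return err;
}

/* Fixed: an early return instead of a dangling goto; every check runs. */
static int check_header_fixed(const uint8_t *buf, size_t n, struct hdr *out)
{
    if (n < 4)
        return -1;
    out->magic   = buf[0];
    out->version = buf[1];
    out->len     = (uint16_t)((buf[2] << 8) | buf[3]);
    if (out->magic != HDR_MAGIC || out->version != HDR_VERSION ||
        out->len > HDR_MAX_LEN)
        return -1;
    return 0;
}

/* Runs a checker and returns the payload length it accepted, or -1 if it
 * rejected the header. The buggy checker "accepts" with len still 0. */
static int accepted_len(int (*check)(const uint8_t *, size_t, struct hdr *),
                        const uint8_t *buf, size_t n)
{
    struct hdr h = { 0, 0, 0 };
    return check(buf, n, &h) == 0 ? (int)h.len : -1;
}

/* Buggy: the second branch repeats the first condition, so class 2 can never
 * be returned; -Wduplicated-cond reports it. In an access-control chain this
 * kind of typo silently merges two privilege levels. */
static int classify_buggy(unsigned flags)
{
    if (flags & 1u)
        return 1;
    else if (flags & 1u)                /* meant: flags & 2u */
        return 2;
    return 0;
}

static int classify_fixed(unsigned flags)
{
    if (flags & 1u)
        return 1;
    else if (flags & 2u)
        return 2;
    return 0;
}

/* Mask of the low 'bits' bits. Written with unsigned arithmetic: '1 << 31'
 * and '-1 << n' are what -Wshift-overflow=2 and -Wshift-negative-value
 * report, and the unsigned form is well-defined for every bits < 32. */
static uint32_t low_mask(unsigned bits)
{
    return bits >= 32 ? 0xFFFFFFFFu : (1u << bits) - 1u;
}

int main(void)
{
    printf("buggy, bad-magic header  -> %d\n", accepted_len(check_header_buggy, SAMPLE_BAD, 4));
    printf("fixed, bad-magic header  -> %d\n", accepted_len(check_header_fixed, SAMPLE_BAD, 4));
    printf("fixed, good header       -> %d\n", accepted_len(check_header_fixed, SAMPLE_GOOD, 4));
    printf("classify(2): buggy %d, fixed %d\n", classify_buggy(2), classify_fixed(2));
    printf("low_mask(12) = 0x%x\n", low_mask(12));
    return 0;
}
```

The buggy checker returns 0 (accept) for any 4-byte input regardless of magic, which is the property a fuzzer or unit test would catch at runtime and -Wmisleading-indentation catches at compile time; treating that warning as an error in CI is the cheap fix.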
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)
Also the following bug was fixed:
- a performance issue (bsc#991746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released: Wed Nov 2 12:07:51 2016
Summary: Security update for curl
Type: security
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released: Mon Nov 7 20:01:31 2016
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1002975
Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in the %files section. (bsc#1002975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1006469,958369,979436
Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi-sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server.
(bsc#958369)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1744-1
Released: Fri Dec 2 11:42:41 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.
These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: Call stack overflow in match() (bsc#933878).
- CVE-2015-5073: Heap overflow in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex().
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues, listed below.
- CVE-2015-8381: Heap overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Uninitialized pointer information disclosure in regular expression handling (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by a repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by a recursive back reference by name within a certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by a forward reference by name to a certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by a lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in the JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by a missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function (pcre_compile.c in PCRE, pcre2_compile.c in PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).
These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1782-1
Released: Fri Dec 9 13:35:02 2016
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1001790,1004289,1005404,1006372,1006690,989831,991443
Description:
This update for systemd provides the following fixes:
- Allow to redirect confirmation messages to a different console. (bsc#1006690)
- Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831)
- Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289)
- Don't emit space usage message right after opening the persistent journal. (bsc#991443)
- Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload.
(bsc#1006372)
- Document that *KeyIgnoreInhibited only apply to a subset of locks.
- Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404)
- Revert 'kbd-model-map: add more mappings offered by Yast'.
- Don't busy loop when we get a notification message we can't process.
- Rename kbd-model-map-extra into kbd-model-map.legacy.
- Add kbd-model-map-extra file which contains the additional maps needed by YaST.
- Drop localfs.service: unused and not needed anymore.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1827-1
Released: Thu Dec 15 12:41:10 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.
These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: Call stack overflow in match() (bsc#933878).
- CVE-2015-5073: Heap overflow in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex().
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues, listed below.
- CVE-2015-8381: Heap overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Uninitialized pointer information disclosure in regular expression handling (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by a repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by a recursive back reference by name within a certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by a forward reference by name to a certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by a lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in the JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by a missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function (pcre_compile.c in PCRE, pcre2_compile.c in PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).
These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1863-1
Released: Wed Dec 21 10:41:35 2016
Summary: Recommended update for pth
Type: recommended
Severity: low
References: 1013286
Description:
This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released: Mon Jan 2 08:35:08 2017
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9842: Undefined left shift of negative number (bsc#1003580)
- CVE-2016-9840, CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
- Incompatible declarations for external linkage function deflate (bsc#1003577)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:6-1
Released: Tue Jan 3 15:01:58 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538
Description:
This update for systemd fixes the following issues:
- core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
- fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Ship kbd-model-map with the correct contents. (bsc#1015515)
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
- tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
- nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
- systemctl: Fix 'is-enabled' exit status on failure when executed in chroot.
(bsc#1012818)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:32-1
Released: Mon Jan 9 11:50:42 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 994794
Description:
This update for dirmngr enables support for daemon mode.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:47-1
Released: Wed Jan 11 11:42:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1018214,1018399
Description:
This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:98-1
Released: Thu Jan 19 10:17:55 2017
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 998906
Description:
This update for kmod fixes a rare race condition while loading modules.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:149-1
Released: Wed Jan 25 09:17:08 2017
Summary: Security update for systemd
Type: security
Severity: important
References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:
This update for systemd fixes the following issues:
This security issue was fixed:
- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).
These non-security issues were fixed:
- Fix permissions set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries shown by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released: Thu Feb 2 18:22:37 2017
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.
This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).
This non-security issue was fixed:
- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:192-1
Released: Fri Feb 3 18:46:05 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).
For CVE-2016-9318 (XML external entity expansion, XXE) we decided not to ship a fix since it can break existing setups.
Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:209-1
Released: Tue Feb 7 17:00:47 2017
Summary: Recommended update for libseccomp
Type: recommended
Severity: low
References: 1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1
Released: Wed Feb 8 13:07:24 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
(bsc#983216)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released: Fri Feb 10 15:39:32 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)
Security issues fixed:
- CVE-2016-7055: The x86_64 optimized Montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)
Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfilesd files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed by older systemd versions (bsc#1019276)
- Properly require logrotate as we need it for the dirmngr configs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:365-1
Released: Fri Mar 10 15:16:59 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1006175
Description:
This update for sg3_utils fixes the following issue:
- Add udev rules to handle legacy CCISS devices (bsc#1006175)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:389-1
Released: Thu Mar 16 14:16:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:
This update for systemd provides the following fixes:
- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:439-1
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Type: recommended
Severity: low
References: 1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released: Fri Mar 24 21:58:07 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package.
(bsc#1015943) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:464-1 Released: Mon Mar 27 15:50:51 2017 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1007851,1029725,1029900 Description: This update for glibc fixes a potential segmentation fault in libpthread: - Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:580-1 Released: Wed Apr 12 23:58:47 2017 Summary: Recommended update for cpio Type: recommended Severity: important References: 1028410 Description: This update for cpio fixes the following issues: - A regression caused cpio to crash for tar and ustar archive types [bsc#1028410] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:609-1 Released: Tue Apr 18 11:28:14 2017 Summary: Security update for curl Type: security Severity: moderate References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407 Description: This update for curl fixes the following issues: Security issue fixed: - CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332) - CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309). With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:732-1 Released: Wed May 10 14:03:43 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1030621 Description: This update for procps fixes the following issues: - Command w(1) with option -n doesn't work. 
(bsc#1030621)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:735-1
Released:    Wed May 10 15:43:46 2017
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    low
References:  1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:751-1
Released:    Thu May 11 17:14:30 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:
This update for systemd provides the following fixes:
- logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as 'unchanged'. (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398)
- core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:794-1
Released:    Tue May 16 15:41:09 2017
Summary:     Security update for bash
Type:        security
Severity:    moderate
References:  1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.

Additionally, the popd built-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:799-1
Released:    Wed May 17 00:21:13 2017
Summary:     Recommended update for glibc
Type:        recommended
Severity:    low
References:  1026224,1035445
Description:
This update for glibc introduces basic support for IBM POWER9 systems.

Additionally, an improper assert in dlclose() has been removed.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:865-1
Released:    Wed May 24 16:23:20 2017
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1015565,1037824,934920,CVE-2015-3238
Description:
This update for pam fixes the following issues:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565).
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:873-1
Released:    Fri May 26 16:19:47 2017
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1009532,960273
Description:
This update for e2fsprogs provides the following fixes:
- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:877-1
Released:    Mon May 29 15:11:48 2017
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    low
References:  1031998
Description:
This update for cryptsetup provides the following fix:
- Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:891-1
Released:    Tue May 30 22:28:21 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:907-1
Released:    Thu Jun 1 14:23:36 2017
Summary:     Recommended update for shadow
Type:        recommended
Severity:    low
References:  1003978,1031643
Description:
This update for shadow fixes the following issues:
- Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643)
- useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID range was iterated to find an available UID/GID.
This could take a long time over a network device. Instead, find available UID/GID locally, and then check only those values over the network. (bsc#1003978)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:918-1
Released:    Tue Jun 6 12:35:44 2017
Summary:     Recommended update for libsemanage, selinux-policy
Type:        recommended
Severity:    moderate
References:  1020143,1032445,1035818,1038189
Description:
This update for libsemanage, selinux-policy fixes the following issues:
- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:939-1
Released:    Mon Jun 12 10:56:22 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:
* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:959-1
Released:    Wed Jun 14 14:38:11 2017
Summary:     Recommended update for gcc5
Type:        recommended
Severity:    low
References:  1043580
Description:
This update for gcc5 fixes the version of libffi in its pkg-config configuration file.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:962-1
Released:    Wed Jun 14 16:33:07 2017
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)

Non-security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released:    Mon Jun 19 14:57:41 2017
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the FIPS selftests; this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released:    Mon Jun 19 17:19:44 2017
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:
- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. (bsc#1039357)
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. (bsc#1040043)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released:    Fri Jun 23 16:38:55 2017
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1038194
Description:
This update for e2fsprogs provides the following fixes:
- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released:    Mon Jun 26 08:12:24 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released:    Mon Jun 26 13:22:26 2017
Summary:     Recommended update for libsemanage, policycoreutils
Type:        recommended
Severity:    low
References:  1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:
- Show version numbers of modules where they are available (bsc#1043237)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released:    Fri Jun 30 10:54:06 2017
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    low
References:  1045943
Description:
This update for dirmngr provides the following fix:
- Change logrotate from Requires to Recommends (bsc#1045943)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released:    Fri Jun 30 15:36:17 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following
issues:

Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released:    Tue Jul 4 16:13:55 2017
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:

Security issue fixed:
- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)

The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303). The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but whose new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released:    Thu Jul 6 11:37:18 2017
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released:    Fri Jul 7 11:23:20 2017
Summary:     Recommended update for ncurses
Type:        security
Severity:    important
References:  1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)

Bugfixes:
- Drop patch ncurses-5.9-environment.dif, as the YaST2 ncurses GUI does not need it anymore and it causes bug bsc#1000662

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released:    Fri Jul 14 17:20:26 2017
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connection (bsc#1031702)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released:    Wed Jul 19 11:12:51 2017
Summary:     Security update for systemd, dracut
Type:        security
Severity:    important
References:  1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:

Security issues fixed:
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

Non-security issues fixed in systemd:
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

Non-security issues fixed in dracut:
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft).
(bsc#1037120)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1222-1
Released:    Wed Jul 26 17:15:18 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1034563,1039941
Description:
This update for procps provides the following fixes:
- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1245-1
Released:    Thu Aug 3 10:43:15 2017
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445
Description:
This update for systemd provides several fixes and enhancements.

Security issues fixed:
- CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303). The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but whose new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1268-1
Released:    Mon Aug 7 10:09:19 2017
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364
Description:
This update for openssl fixes the following issues, including fixes for our ongoing FIPS 140-2 evaluation:
- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address the SWEET32 problem (bsc#1027908)
- Use the getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy, to comply with FIPS 140-2 IG 7.14 (bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environment variable (bsc#1028723)
- s_client sent empty client certificate (bsc#1028281). Add back certificate initialization set_cert_key_stuff() which was removed in a previous update.
- Fix a bug in XTS key handling (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1279-1
Released:    Mon Aug 7 14:46:40 2017
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs.
(bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1316-1
Released:    Thu Aug 10 13:54:27 2017
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1014471,1026825,1044840,938657
Description:
This update for cyrus-sasl provides the following fixes:
- Fix SASL GSSAPI mechanism acceptor wrongly returning zero maxbufsize
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message (bsc#1044840)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1326-1
Released:    Fri Aug 11 16:59:04 2017
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1330-1
Released:    Mon Aug 14 18:41:29 2017
Summary:     Recommended update for sed
Type:        recommended
Severity:    low
References:  954661
Description:
This update for sed provides the following fixes:
- Don't terminate with a segmentation fault if close of the last file descriptor fails. (bsc#954661)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2017:1333-1
Released:    Tue Aug 15 17:59:30 2017
Summary:     Optional update for libverto
Type:        optional
Severity:    low
References:  1029561
Description:
This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1334-1
Released:    Tue Aug 15 20:09:03 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1048679,874665
Description:
This update for systemd fixes the following issues:
- compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464)
- timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1335-1
Released:    Wed Aug 16 11:24:21 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1051643,1051644,CVE-2017-1000100,CVE-2017-1000101
Description:
This update for curl fixes the following issues:
- CVE-2017-1000100: TFTP sends more than buffer size, which could lead to a denial of service (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1347-1
Released:    Fri Aug 18 11:03:57 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    important
References:  1053409
Description:
This update for procps fixes the following issues:
- Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1349-1
Released:    Fri Aug 18 12:31:07 2017
Summary:     Recommended update for lua51
Type:        recommended
Severity:    low
References:  1051626
Description:
This update for lua51 provides the following fixes:
- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1390-1
Released:    Fri Aug 25 15:14:27 2017
Summary:     Security update for libzypp
Type:        security
Severity:    important
References:  1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.

yast2-pkg-bindings:
- Do not crash when the repository URL is not defined.
(bsc#1043218)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1419-1
Released:    Wed Aug 30 15:38:22 2017
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:
- CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1439-1
Released:    Fri Sep 1 15:31:05 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1045384,1045987,1046268,1047379,1048605
Description:
This update for systemd fixes the following issues:
- Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1447-1
Released:    Mon Sep 4 15:38:20 2017
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    important
References:  1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:
- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)

zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1450-1
Released:    Mon Sep 4 16:36:07 2017
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  1035062,944903
Description:
This update for insserv-compat fixes the following issues:
- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1453-1
Released:    Mon Sep 4 21:23:50 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:
- libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null, which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659)
- dlsym returns PLT address on s390x; dlopen libgcrypt20.so before calling dlsym (bsc#1047008)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1548-1
Released:    Fri Sep 15 18:19:12 2017
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:
- Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fall back to using sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates.
  (bsc#1009269)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1592-1
Released:    Tue Sep 26 17:38:03 2017
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1028485,1045628,978055,998893,999878
Description:
This update for lvm2 provides the following fixes:
- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1644-1
Released:    Mon Oct 9 07:52:24 2017
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.
This security issue was fixed:
- CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995)
These non-security issues were fixed:
- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1663-1
Released:    Tue Oct 10 12:05:09 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1043615,1046173
Description:
This update for dbus-1 provides the following fixes:
- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore.
  (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1703-1
Released:    Tue Oct 17 13:20:12 2017
Summary:     Recommended update for audit
Type:        recommended
Severity:    low
References:  1042781
Description:
This update for audit provides the following fix:
- Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1758-1
Released:    Mon Oct 23 08:47:47 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)
Bugs fixed:
- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1796-1
Released:    Fri Oct 27 21:25:06 2017
Summary:     Recommended update for pcre
Type:        recommended
Severity:    moderate
References:  1058722
Description:
This update for pcre fixes the following issues:
- Fixed the pcre stack frame size detection, which modern compilers break by cloning and inlining the pcre match() function (bsc#1058722)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1797-1
Released:    Sat Oct 28 12:06:19 2017
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1028304,1048645,1060738
Description:
This update for permissions fixes the following issues:
- Allow users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode.
  (bsc#1028304)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1826-1
Released:    Wed Nov 8 08:47:17 2017
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:
Security issues fixed:
- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1829-1
Released:    Wed Nov 8 08:50:00 2017
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1023895,1052261,980486,CVE-2017-12424
Description:
This update for shadow fixes several issues.
This security issue was fixed:
- CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have led to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261).
These non-security issues were fixed:
- bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings
- bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1881-1
Released:    Wed Nov 22 16:29:58 2017
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:
The GNU file utility was updated to version 5.22.
Security issues fixed:
- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string.
  (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allowed remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)
Version update to file version 5.22
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.
Version update to file version 5.21
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads
Update to file version 5.20
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support
Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against the Excel 97/2003 file format. (bsc#1009966)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1903-1
Released:    Fri Nov 24 16:19:37 2017
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic.
  (bnc#1047178)
Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1916-1
Released:    Fri Nov 24 20:15:01 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    important
References:  1043333,1059723
Description:
This update for libgcrypt provides the following fix:
- Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon. (bsc#1059723)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1917-1
Released:    Mon Nov 27 13:32:07 2017
Summary:     Optional update for gcc7
Type:        recommended
Severity:    low
References:  1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.
New features:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-nvptx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA card offload support.
The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 7, several bugs fixed, quite some new warnings added, and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1965-1
Released:    Thu Nov 30 12:48:45 2017
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libsolv:
- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.
libzypp:
- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.
zypper:
- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands to support setting only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1966-1
Released:    Thu Nov 30 13:45:24 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249
Description:
This update for systemd fixes the following issues:
- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow specifying the generation number through the kernel command line.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11.
  (bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1968-1
Released:    Thu Nov 30 19:49:33 2017
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    low
References:  1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:
- Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example it no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1970-1
Released:    Thu Nov 30 22:55:41 2017
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2021-1
Released:    Fri Dec 8 10:11:04 2017
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1070878,1070958
Description:
This update for file fixes detection of JPEG files.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2031-1
Released:    Mon Dec 11 12:55:57 2017
Summary:     Recommended update for gzip
Type:        recommended
Severity:    low
References:  1067891
Description:
This update for gzip provides the following fix:
- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2036-1
Released:    Wed Dec 13 16:34:21 2017
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    low
References:  1039276,1040968,1055446,1066500
Description:
This update for util-linux provides the following fixes:
- Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968)
- Fix an infinite loop and a crash in lscpu, and report the correct minimum and maximum frequencies for some processors. (bsc#1055446)
- Fix a lscpu failure in the Sydney Amazon EC2 region. (bsc#1066500)
- If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2097-1
Released:    Sat Dec 16 01:59:00 2017
Summary:     Security update for openssl
Type:        security
Severity:    important
References:  1071905,1071906,CVE-2017-3737,CVE-2017-3738
Description:
This update for openssl fixes the following issues:
- OpenSSL Security Advisory [07 Dec 2017]
  * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 'error state' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly.
    In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
  * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions, like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2137-1
Released:    Thu Dec 21 17:49:12 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1046173,1071698
Description:
This update for dbus-1 provides the following fixes:
- The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it.
  (bsc#1071698)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:4-1
Released:    Tue Jan 2 15:58:20 2018
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)
zypper:
- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:38-1
Released:    Tue Jan 9 14:56:43 2018
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  1070209
Description:
This update for kmod provides the following fixes:
- Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:55-1
Released:    Fri Jan 12 09:45:49 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:
- A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader have been fixed.
  [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
- A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
- A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:86-1
Released:    Wed Jan 17 09:38:17 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in the _nc_save_str function (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released:    Wed Jan 17 14:41:17 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released:    Wed Jan 17 14:44:33 2018
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    low
References:  1063051,1067312
Description:
This update for lvm2 provides the following fixes:
- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages on testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd. (bsc#1067312)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released:    Thu Jan 25 11:44:23 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1064397,1065083
Description:
This update for openldap2 provides the following fixes:
- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released:    Thu Jan 25 13:38:37 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.
This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released:    Tue Jan 30 10:53:43 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.
These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released:    Tue Jan 30 14:36:40 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.
This security issue was fixed:
- CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308).
These non-security issues were fixed:
- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files.
  (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released:    Tue Jan 30 14:37:42 2018
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.
This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER encoded structure, which allowed for DoS (bsc#1076832).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released:    Thu Feb 8 17:47:43 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes the following issues.
These security issues were fixed:
- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released:    Mon Feb 12 11:50:39 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    low
References:  1057452,1076909
Description:
This update for bash provides the following fixes:
- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released:    Thu Feb 15 14:47:35 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)
Non-security bugs fixed:
- Release read lock after resetting timeout (bsc#1073990)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released:    Mon Feb 26 16:34:46 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:
Security issue fixed:
- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on.
  This could be used by local attackers to gain privileges (bsc#1077925)
Non-security issues fixed:
- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com.
- Don't ship /usr/lib/systemd/system/tmp.mount at all (bsc#1071224). We still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Type: recommended
Severity: low
References: 1009905,1063910
Description:
This update for net-tools provides the following fix:
- netstat: fix handling of large socket numbers (bsc#1063910)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released: Fri Mar 9 14:05:22 2018
Summary: Security update for augeas
Type: security
Severity: low
References: 1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issue:
Security issue fixed:
- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that were mishandled by parse_name() (bsc#1054171).
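The tmpfiles rule fixed in SUSE-SU-2018:355-1 above (CVE-2017-18078) is worth understanding from the attacker's side: a hardlink shares the inode with its target, so a chmod or chown applied to a link a local user planted under /tmp lands on the original, root-owned file. The fixed systemd-tmpfiles therefore refuses the operation when the link count is above one, unless fs.protected_hardlinks=1, in which case the kernel only lets users link files they own or can read and write, and the link count can be trusted. The script below is an added example, not systemd code, that applies the same rule before a mode change; the names `protected_hardlinks_on`, `link_count`, `safe_chmod` and `demo` are this example's own, and the "secret" file and planted link in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not part of systemd or of the advisory: change a file's mode
# only when the change cannot be abused through a hardlink, mirroring the rule
# the fixed systemd-tmpfiles applies (refuse if link count > 1 and the
# fs.protected_hardlinks sysctl is off).

# 0 if the kernel restricts hardlinking to files the caller owns or can
# read and write, 1 otherwise (a missing or unreadable sysctl counts as off).
protected_hardlinks_on() {
    [ "$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)" = "1" ]
}

# Number of hard links to the inode behind PATH (GNU or busybox stat).
link_count() {
    stat -c %h "$1"
}

# safe_chmod PATH MODE: chmod PATH unless it is one of several links to an
# inode and the kernel would have let any local user create that link.
# Returns 0 on success, 1 on a stat error, 2 when the change is refused.
safe_chmod() {
    path=$1
    mode=$2
    links=$(link_count "$path") || return 1
    if [ "$links" -gt 1 ] && ! protected_hardlinks_on; then
        echo "safe_chmod: refusing $path: $links links and fs.protected_hardlinks=0" >&2
        return 2
    fi
    chmod "$mode" "$path"
}

# Demonstration on constructed files: a 0600 "secret" and a hardlink to it,
# the layout a local attacker would plant before a tmpfiles run that sets
# a permissive mode on the link's path.
demo() {
    d=$(mktemp -d)
    printf 'hunter2\n' > "$d/secret"
    chmod 0600 "$d/secret"
    ln "$d/secret" "$d/planted-link"
    safe_chmod "$d/planted-link" 0666
    rc=$?
    echo "safe_chmod returned $rc; secret is now mode $(stat -c %a "$d/secret")"
    rm -rf "$d"
    return $rc
}

# Run the demonstration only when invoked as `sh this_file --demo`.
case "${1:-}" in
    --demo) demo ;;
esac
```

On a host with fs.protected_hardlinks=0 the demo refuses the change and the secret stays 0600; with the sysctl on it proceeds, because there the only way a link to a file could exist is if its creator already had write access to it. Checking the sysctl on every SLE host (`sysctl fs.protected_hardlinks`) is the cheap mitigation independent of the systemd update.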
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released: Fri Mar 9 18:02:14 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issue:
- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released: Mon Mar 12 13:13:55 2018
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issue:
- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released: Thu Mar 15 07:38:52 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1075743,1078358,1081170
Description:
This update for systemd fixes the following issue:
- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released: Thu Mar 15 10:47:40 2018
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: low
References: 1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:
libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.
libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)
zypper:
- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released: Thu Mar 22 08:20:46 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following security issues:
- CVE-2018-1000120: A buffer overflow in the FTP URL handling allowed an attacker to cause a denial of service or possibly code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference in the LDAP code allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read in the RTSP+RTP handling code allowed an attacker to cause a denial of service or information leakage (bsc#1084532).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released: Thu Mar 29 14:02:08 2018
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:
Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).
Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos.
  System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released: Thu Apr 5 17:22:37 2018
Summary: Security update for libidn
Type: security
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one security issue:
- CVE-2017-14062: Prevent an integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released: Wed Apr 11 18:02:57 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issue:
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a denial of service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. (bsc#1087102)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:
Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)
Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released: Wed May 2 22:16:26 2018
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:
- Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros.
  (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released: Mon May 7 07:07:38 2018
Summary: Recommended update for gcc7
Type: recommended
Severity: important
References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update for gcc7 to the 7.3 release fixes the following issues:
- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550]
- Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with the GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released: Thu May 17 08:41:30 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:
Security issue fixed:
- CVE-2018-1000301: Fixed an RTSP bad-headers buffer over-read that could crash the curl client (bsc#1092098)
Non-security issue fixed:
- If the DEFAULT_SUSE cipher list is not available, use the HIGH cipher alias before failing. (bsc#1086825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released: Wed May 23 16:46:50 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:
- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released: Wed May 23 17:14:16 2018
Summary: Security update for bash
Type: security
Severity: moderate
References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:
Security issues fixed:
- CVE-2016-7543: A code execution possibility via the SHELLOPTS+PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via a malicious hostname was fixed (bsc#1000396)
Non-security issues fixed:
- Fix repeated self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs.
  (bsc#1086247)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released: Wed May 23 17:18:39 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321
Description:
This update for zlib fixes the following issue:
- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released: Tue Jun 5 13:20:44 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1089884
Description:
This update for pam fixes the following issue:
- Fix order of accessed configuration files in man page. (bsc#1089884)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released: Wed Jun 6 11:44:25 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:
- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)
Non-security bugs fixed:
- Fix crash in resolver on memory allocation failure (bsc#1086690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released: Thu Jun 7 12:58:56 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1073879,1080078,964063
Description:
This update for rpm fixes the following issues:
- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros.
  (bsc#1080078)
Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released: Fri Jun 15 13:41:08 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:
- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released: Fri Jun 15 19:19:51 2018
Summary: Recommended update for openssl
Type: recommended
Severity: moderate
References: 1090765
Description:
This update for openssl provides the following fix:
- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released: Thu Jun 28 13:44:16 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released: Thu Jul 5 08:36:17 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a denial of service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released: Tue Jul 17 08:07:57 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
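CVE-2018-12020 in SUSE-SU-2018:1141-1 above has a consumer-side lesson that outlives the gpg2 update. A program that passes `--status-fd 2` reads GnuPG's machine-readable `[GNUPG:] ...` status lines and its human-readable diagnostics from the same stream; the diagnostics include the "original file name" stored in the signed or encrypted data, which the sender controls. Before the fix, a name containing a newline followed by a forged `[GNUPG:] GOODSIG` line was printed raw, and a consumer reading the merged stream could not tell it from a real status line. The script below is an added example, not GnuPG code: `fake_gpg` stands in for the gpg binary and reproduces the two streams on a constructed, unsigned input (the key ID and user ID in the forged line are made up), `signature_ok_merged` is the vulnerable consumer and `signature_ok_separate` the correct one.

```shell
#!/bin/sh
# Added example, not part of GnuPG or of the advisory. Shows why a consumer
# must read --status-fd output from a descriptor that is NOT shared with
# stderr, using a stand-in for gpg so it runs offline.

# Stand-in for `gpg --verify` on unsigned data. Like gpg, it prints the
# "original file name" on stderr (fd 2) and status lines on the descriptor
# given as $1. The name was chosen by the attacker and embeds a newline
# followed by a forged status line; the key ID and user ID are constructed.
fake_gpg() {
    status_fd=$1
    spoofed_name='report.txt
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Build Service <build@example.com>'
    printf 'gpg: original file name=%s\n' "$spoofed_name" >&2
    # what gpg actually concluded: no signature data at all
    printf '[GNUPG:] NODATA 1\n' >&$status_fd
}

# Vulnerable consumer: status on fd 2, read together with stderr. The forged
# line is indistinguishable from a real one, so this reports success.
signature_ok_merged() {
    fake_gpg 2 2>&1 | grep -q '^\[GNUPG:\] GOODSIG '
}

# Hardened consumer: status on its own descriptor (3), stderr discarded, and
# only lines from that descriptor are parsed. With real gpg this is
#   gpg --status-fd 3 --verify FILE.sig FILE 3>"$st" 2>/dev/null
signature_ok_separate() {
    st=$(mktemp)
    fake_gpg 3 3>"$st" 2>/dev/null
    if grep -q '^\[GNUPG:\] GOODSIG ' "$st"; then rc=0; else rc=1; fi
    rm -f "$st"
    return $rc
}

# Run the comparison only when invoked as `sh this_file --demo`.
case "${1:-}" in
    --demo)
        if signature_ok_merged; then
            echo "merged stream: forged GOODSIG accepted (vulnerable)"
        fi
        if signature_ok_separate; then
            echo "separate fd: GOODSIG seen"
        else
            echo "separate fd: no valid signature (correct)"
        fi
        ;;
esac
```

The fixed gpg escapes the file name so the forged line can no longer start at column one, but a dedicated status descriptor protects the caller regardless of the installed gpg version. Since the file-name line is only emitted in verbose mode, not running gpg with `--verbose` in such pipelines removes the vector as well.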
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)
This non-security issue was fixed:
- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released: Thu Jul 19 09:43:21 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issue:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released: Thu Jul 26 16:32:29 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:
This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1413-1
Released: Fri Jul 27 12:41:13 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
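CVE-2018-7738 in SUSE-SU-2018:1400-1 above is a shell-injection bug in a completion script: any user who can create a mount (a FUSE filesystem is enough) picks the mountpoint name, and once a completion helper pushes that name through `eval` to split it into words, the shell also executes any `$(...)` or backticks in it, in the session of whoever presses Tab after `umount`. The two functions below are an added example of that bug shape and its fix, not the util-linux code; `sample_mounts` is a constructed mount table in /proc/self/mounts layout (spaces in names encoded as `\040`), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not util-linux code: shell injection through a mount point
# name in a completion helper, and the fix. Input is in /proc/self/mounts
# layout: "source target fstype options dump pass", spaces in names as \040.

# Constructed mount table. The third entry's target contains a command
# substitution; $1 is a directory the "payload" will write into.
sample_mounts() {
    printf '%s\n' \
        '/dev/sda1 / ext4 rw,relatime 0 0' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev 0 0' \
        "/dev/sdb1 /mnt/evil\$(touch\\040$1/pwned) ext4 rw 0 0"
}

# Vulnerable shape: decode the \ooo escapes, glue the names together and let
# eval split them into words again. eval also runs $(...) and backticks.
mount_targets_unsafe() {
    words=$(printf '%s\n' "$1" | awk '{ print $2 }' |
            while IFS= read -r m; do printf '%b ' "$m"; done)
    eval "printf '%s\n' $words"
}

# Fixed shape: decode each name with printf only and emit it one per line.
# The name stays data throughout; nothing re-parses it as shell syntax.
mount_targets_safe() {
    printf '%s\n' "$1" | awk '{ print $2 }' |
        while IFS= read -r m; do printf '%b\n' "$m"; done
}

# Run the comparison only when invoked as `sh this_file --demo`.
case "${1:-}" in
    --demo)
        d=$(mktemp -d)
        table=$(sample_mounts "$d")
        echo "safe targets:"
        mount_targets_safe "$table"
        [ -e "$d/pwned" ] && echo "payload ran (unexpected)"
        echo "unsafe targets:"
        mount_targets_unsafe "$table"
        [ -e "$d/pwned" ] && echo "payload ran: $d/pwned was created"
        rm -rf "$d"
        ;;
esac
```

The safe variant prints the hostile name literally (`/mnt/evil$(touch .../pwned)`), which is what a completion should offer; the unsafe variant prints a truncated `/mnt/evil` and leaves the payload's file behind. The same rule applies to any script that turns mount, device or user-supplied names into shell words: use `read -r` and `printf`, never `eval`.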
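CVE-2018-12015, listed in SUSE-SU-2018:1328-1 above (and again in SUSE-SU-2018:1695-1), is a reminder that checking member names for `..` and leading `/` is not the whole of tar extraction safety: the published vector for this bug is an archive holding a symlink member followed by a regular file of the same name, so the file is written through the link to wherever it points. The function below is an added example, not Perl or Archive::Tar code: it vets a GNU `tar -tvf` listing before extraction and rejects absolute names, `..` components, and any member whose path passes through an earlier symlink member. The listings in `evil_listing` and `benign_listing` are constructed, and all names are this example's own.

```shell
#!/bin/sh
# Added example, not Perl or Archive::Tar code: vet a tar listing before
# extracting. Reads GNU `tar -tvf` lines on stdin and fails on any member
# that is absolute, has a ".." component, or would be written through a
# path that an earlier member declared as a symlink (the CVE-2018-12015
# shape: a symlink, then a regular file with the same name or below it).
tar_listing_is_safe() {
    awk '
        {
            type = substr($1, 1, 1)
            # GNU tar -tv layout: perms owner size date time name [-> target]
            name = $6
            for (i = 7; i <= NF; i++) name = name " " $i
            sub(/ -> .*$/, "", name)             # drop symlink target
            sub(/\/$/, "", name)                 # directories end in "/"

            if (name ~ /^\//)               bad = 1   # absolute path
            if (name ~ /(^|\/)\.\.(\/|$)/)  bad = 1   # parent traversal

            if (type == "l") {
                links[name] = 1                  # remember symlink members
            } else {
                # any prefix of this member (or the whole name) that is an
                # earlier symlink means the write lands where the link points
                n = split(name, parts, "/")
                prefix = ""
                for (i = 1; i <= n; i++) {
                    prefix = (i == 1) ? parts[1] : (prefix "/" parts[i])
                    if (prefix in links) bad = 1
                }
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed listings in GNU tar -tv layout.
evil_listing() {
    printf '%s\n' \
        'lrwxrwxrwx alice/users 0 2018-06-05 12:00 conf -> /etc' \
        '-rw-r--r-- alice/users 5 2018-06-05 12:00 conf/passwd'
}
benign_listing() {
    printf '%s\n' \
        'drwxr-xr-x alice/users 0 2018-06-05 12:00 app/' \
        '-rw-r--r-- alice/users 5 2018-06-05 12:00 app/README' \
        'lrwxrwxrwx alice/users 0 2018-06-05 12:00 app/latest -> README'
}

# Run the comparison only when invoked as `sh this_file --demo`.
case "${1:-}" in
    --demo)
        if benign_listing | tar_listing_is_safe; then echo "benign: ok"; fi
        if evil_listing | tar_listing_is_safe; then
            echo "evil: accepted (bug)"
        else
            echo "evil: rejected"
        fi
        ;;
esac
```

In practice: `tar -tvf archive.tar | tar_listing_is_safe && tar -xf archive.tar -C "$dest"`. The check parses GNU tar's verbose layout (names with spaces are rejoined from field 6 onward; a name containing " -> " would be mis-split, and bsdtar prints a different layout), and it is deliberately stricter than necessary: a symlink that is never used as a write path in the same archive is fine, but one that is later traversed is rejected whatever its target.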
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released: Mon Jul 30 10:10:45 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released: Mon Aug 13 13:41:22 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1610-1
Released: Thu Aug 16 14:04:25 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order.
  (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released: Thu Aug 16 14:49:45 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issue:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released: Thu Aug 16 15:27:04 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:
- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096)
- compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096)
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables.
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service units with Type=simple. (bsc#1091265)
- logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890)
- logind: Do not use an uninitialized variable. (bsc#1088890)
- Disable user services by default.
  (bsc#1090785)
- Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post, which made the symlink not owned by any package and, more importantly, it was created only if /etc/sysctl.conf was already installed, which is not always the case during the installation process. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead, since it is a distro default that might be overridden by the sysadmin later.
- systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule so that it can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in the kernel. This change prevents the udev rules for acpi container from being triggered by 'udevadm trigger' from user space.
- build-sys: Explicitly require python3. (bsc#1082004)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1636-1
Released: Thu Aug 16 15:30:11 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1689-1
Released: Mon Aug 20 09:02:24 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package.
  (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1691-1
Released: Mon Aug 20 09:04:17 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1695-1
Released: Mon Aug 20 09:19:20 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)
This non-security issue was fixed:
- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1698-1
Released: Mon Aug 20 09:19:28 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issue:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1834-1
Released: Wed Sep 5 10:17:42 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1089761,1090944,1101040,1103910
Description:
This update for systemd fixes the following issues:
- cryptsetup: Add support for the sector-size= option. (fate#325634)
- resolved: Apply epoch to system time from PID 1. (bsc#1103910)
- core/service: Rework the hold-off time over message.
- core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used.
  (bsc#1089761)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1903-1
Released: Fri Sep 14 12:46:21 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1089533,1106019,CVE-2018-14618
Description:
This update for curl fixes the following issues:
This security issue was fixed:
- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)
This non-security issue was fixed:
- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1969-1
Released: Mon Sep 24 08:06:42 2018
Summary: Security update for libzypp, zypper
Type: security
Severity: important
References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685
Description:
This update for libzypp, zypper fixes the following issues:
Update libzypp to version 16.17.20:
Security issues fixed:
- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
Other bugs fixed:
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)

Update zypper to version 1.13.45:

Security issues fixed:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)

Other bugs fixed:

- XML attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1985-1
Released:    Mon Sep 24 11:56:08 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1089640
Description:
This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1994-1
Released:    Mon Sep 24 12:55:57 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1106914
Description:
This update for shadow fixes the following security issue:

- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2069-1
Released:    Fri Sep 28 08:01:25 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737
Description:
This update for openssl fixes the following issues:

These security issues were fixed:

- Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789)
- CVE-2018-0737: The RSA key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039)

These non-security issues were fixed:

- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)
- Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2162-1
Released:    Fri Oct 5 14:46:53 2018
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1088921
Description:
This update for krb5 provides the following fix:

- Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2181-1
Released:    Tue Oct 9 11:08:20 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:
This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2196-1
Released:    Thu Oct 11 07:45:16 2018
Summary:     Optional update for gcc8
Type:        recommended
Severity:    low
References:  1084812,1084842,1087550,1094222,1102564
Description:
The GNU Compiler GCC 8 is being added to the Toolchain Module by this update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 8, several bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html

Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2217-1
Released:    Fri Oct 12 15:07:24 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1094121,1107430
Description:
This update for bash provides the following fixes:

- Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121)
- Fix mis-matching of null string with '*' pattern. (bsc#1107430)
- Fix a crash when the lastpipe option is enabled.
- Fix a typo that was preventing the `compat42' shopt option from working as intended.
- Help the shell to process any pending traps at redirection.
- Fix a crash due to incorrect conversion from an indexed to associative array.
- Avoid the expansion of escape sequences in HOSTNAME in prompt.
- Avoid `xtrace' attack over $PS4.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2373-1
Released:    Mon Oct 22 14:43:47 2018
Summary:     Security update for rpm
Type:        security
Severity:    moderate
References:  1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)

This non-security issue was fixed:

- Use ksym-provides tool [bsc#1077692]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released:    Wed Oct 24 14:42:43 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:
This update for systemd fixes the following issues:

- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released:    Thu Oct 25 16:56:24 2018
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    moderate
References:  1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:

- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released:    Fri Oct 26 12:39:59 2018
Summary:     Recommended update for cpio
Type:        recommended
Severity:    low
References:  1076810,889138
Description:
This update for cpio provides the following fix:

- Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released:    Mon Oct 29 16:14:48 2018
Summary:     Recommended update for console-setup, kbd
Type:        recommended
Severity:    moderate
References:  1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:

- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942)

Changes in kbd:

- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to =U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non x86 platforms
  * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
  * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock (bsc#1056449).
  * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that need this to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released:    Tue Oct 30 09:22:45 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1113117
Description:
This update for bash fixes the following issues:

Recently released update introduced a change of behavior which resulted in broken customers' scripts. (bsc#1113117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released:    Fri Nov 2 17:09:49 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:

- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released:    Fri Nov 2 18:59:06 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:

- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released:    Wed Nov 7 11:04:00 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1095148,1113100
Description:
This update for rpm fixes the following issues:

- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released:    Wed Nov 14 14:14:41 2018
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non-security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package. This script was part of the systemd-sysvinit sub-package, but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released:    Thu Nov 22 16:25:38 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:

- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released:    Fri Nov 23 17:07:27 2018
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released:    Fri Nov 23 17:08:32 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released:    Mon Nov 26 17:46:39 2018
Summary:     Security update for procps
Type:        security
Severity:    moderate
References:  1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released:    Tue Nov 27 13:39:49 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This non-security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released:    Mon Dec 3 15:34:09 2018
Summary:     Security update for ncurses
Type:        security
Severity:    important
References:  1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released:    Wed Dec 5 09:29:31 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1111965,1113125
Description:
This update for apparmor fixes the following issues:

- Systemd aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released:    Wed Dec 5 09:57:54 2018
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:

- Allow setuid root for start-suid tool of singularity (group only) (bsc#1028304)
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247, bsc#1097665)
- Make btmp root:utmp (bsc#1050467)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released:    Wed Dec 5 09:59:45 2018
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:

- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released:    Tue Dec 11 21:48:05 2018
Summary:     Recommended update for blog
Type:        recommended
Severity:    moderate
References:  1071568
Description:
This update for blog fixes the following issues:

- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in same manner as used by the release notes
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released:    Mon Dec 17 08:51:28 2018
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released:    Fri Dec 21 17:34:05 2018
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1117355
Description:
This update for libgcrypt provides the following fix:

- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released:    Tue Jan 8 13:07:17 2019
Summary:     Recommended update for acl
Type:        recommended
Severity:    low
References:  953659
Description:
This update for acl fixes the following issues:

- quote: Escape literal backslashes (bsc#953659).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released:    Thu Jan 17 14:18:31 2019
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:

- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released:    Mon Jan 21 13:53:58 2019
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code prevents the hot-add memory block from being set online. (bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released:    Tue Jan 22 14:21:55 2019
Summary:     Recommended update for ncurses
Type:        recommended
Severity:    important
References:  1121450
Description:
This update for ncurses fixes the following issues:

- ncurses applications freezing (bsc#1121450)

From sle-updates at lists.suse.com Thu Jan 16 09:56:31 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:56:31 +0100 (CET)
Subject: SUSE-CU-2019:706-1: Security update of caasp/v4/dnsmasq-nanny
Message-ID: <20200116165631.F1321F796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/dnsmasq-nanny
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:706-1
Container Tags        : caasp/v4/dnsmasq-nanny:2.78 , caasp/v4/dnsmasq-nanny:2.78-rev1 , caasp/v4/dnsmasq-nanny:2.78-rev1-build1.2
Severity              : important
Type                  : security
References            :
CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496 CVE-2017-15088 CVE-2017-15412 CVE-2017-15670 CVE-2017-15671 CVE-2017-15804 CVE-2017-15908 CVE-2017-16997 CVE-2017-17740 CVE-2017-18078 CVE-2017-18207 CVE-2017-18207 CVE-2017-18207 CVE-2017-18258 CVE-2017-18269 CVE-2017-3731 CVE-2017-3732 CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 CVE-2017-5130 CVE-2017-5969 CVE-2017-6512 CVE-2017-7375 CVE-2017-7376 CVE-2017-7407 CVE-2017-7435 CVE-2017-7436 CVE-2017-7436 CVE-2017-7500 CVE-2017-7500 CVE-2017-7501 CVE-2017-7501 CVE-2017-7526 CVE-2017-7555 CVE-2017-8804 CVE-2017-8816 CVE-2017-8817 CVE-2017-8872 CVE-2017-9047 CVE-2017-9047 CVE-2017-9048 CVE-2017-9048 CVE-2017-9049 CVE-2017-9049 CVE-2017-9050 CVE-2017-9050 CVE-2017-9217 CVE-2017-9217 CVE-2017-9233 CVE-2017-9269 CVE-2017-9269 CVE-2017-9287 CVE-2017-9445 CVE-2017-9445 CVE-2017-9526 CVE-2018-0495 CVE-2018-0495 CVE-2018-0495 CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-0739 CVE-2018-1000001 CVE-2018-1000001 CVE-2018-1000007 CVE-2018-1000030 CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000301 CVE-2018-1000802 CVE-2018-1049 CVE-2018-1060 CVE-2018-1061 CVE-2018-1122 CVE-2018-1122 CVE-2018-1123 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1124 CVE-2018-1125 CVE-2018-1125 CVE-2018-1126 CVE-2018-1126 CVE-2018-12015 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-19211 CVE-2018-20217 CVE-2018-5407 CVE-2018-5729 CVE-2018-5730 CVE-2018-6003 CVE-2018-6485 CVE-2018-6551 CVE-2018-6797 CVE-2018-6797 CVE-2018-6797 CVE-2018-6798 CVE-2018-6798 CVE-2018-6798 CVE-2018-6913 CVE-2018-6913 CVE-2018-6913 CVE-2018-7169 CVE-2018-7685 CVE-2018-7738 CVE-2018-7738 CVE-2018-9251 ----------------------------------------------------------------- The container caasp/v4/dnsmasq-nanny was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Type: security
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Type: security
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Type: security
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, which broke files with spaces.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released: Tue Feb 3 14:51:17 2015
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 913209
Description:
curl was updated to fix problems when operating in FIPS mode. This patch re-enables the following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released: Tue Feb 3 16:30:16 2015
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer over-read and to a crash of the application using libssh2_org.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.
The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of boundary
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Type: security
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:

Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Type: recommended
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Type: optional
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.

Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes. The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).

The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. IBM zSeries z13 hardware support has also been added to gdb. (fate#318039)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:

Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)

Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin).

The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Type: recommended
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-UTF-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Type: security
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out-of-bounds read and stack overflow issues (bsc#926826).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Type: recommended
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released: Fri Jan 8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type: recommended
Severity: moderate
References: 932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.

The various GNOME libraries and tools have been changed to use the default libgcrypt allocators.
GNOME keyring was changed not to use MD5 anymore.

libgcrypt was adjusted to free the DRBG on exit to avoid crashes.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released: Thu Feb 4 15:51:22 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:259-1
Released: Mon Feb 15 14:25:02 2016
Summary: Security update for libnettle
Type: security
Severity: moderate
References: 964845,964847,964849,CVE-2015-8803,CVE-2015-8804,CVE-2015-8805
Description:
This update for libnettle fixes the following security issues:
- CVE-2015-8803: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964845)
- CVE-2015-8804: Fixed carry folding bug in x86_64 ecc_384_modp. (bsc#964847)
- CVE-2015-8805: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964849)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released: Thu Mar 3 15:58:18 2016
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 960820
Description:
This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:396-1
Released: Tue Mar 8 17:27:26 2016
Summary: Recommended update for dnsmasq
Type: recommended
Severity: low
References: 902511,904537
Description:
This update for dnsmasq fixes the following issues:
- Drop PrivateDevices=yes from service file to fix logging. (bsc#902511, bsc#904537)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:

Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in diffie-hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.

A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Type: recommended
Severity: low
References: 967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released: Fri Apr 1 18:44:16 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode.
(bsc#970882)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released: Wed Apr 6 16:26:42 2016
Summary: Security update for gcc5
Type: security
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.

The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Type: recommended
Severity: low
References: 970260
Description:
This update for bzip2 fixes the following issues:
- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Type: recommended
Severity: important
References: 974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released: Thu May 19 22:38:01 2016
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 915846
Description:
This update for curl fixes the following issue:
- Fix 'Network is unreachable' error when IPv6 is not available but IPv4 is. This fixes the same error in applications using libcurl4 (like zypper).
(bsc#915846)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 979629
Description:
This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing fips pattern (bsc#979629)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released: Tue Jun 7 09:48:12 2016
Summary: Security update for expat
Type: security
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:

Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released: Tue Jun 7 10:58:37 2016
Summary: Security update for libksba
Type: security
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)

Also adding reliability fixes from v1.3.4.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 981616
Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4.
(bsc#981616)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released: Thu Jul 7 11:50:47 2016
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 986935
Description:
This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1141-1
Released: Wed Aug 3 15:24:30 2016
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 987394,CVE-2016-6153
Description:
This update for sqlite3 fixes the following issues:

The following security issue was fixed:
- CVE-2016-6153: Fixed a tempdir selection vulnerability (bsc#987394)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch.
(bsc#953532)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Type: security
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8 (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1245-1
Released: Fri Aug 19 10:31:11 2016
Summary: Security update for python
Type: security
Severity: moderate
References: 984751,985177,985348,989523,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Description:
This update for python fixes the following issues:
- CVE-2016-0772: smtplib vulnerability opens startTLS stripping attack (bsc#984751)
- CVE-2016-5636: heap overflow when importing malformed zip files (bsc#985177)
- CVE-2016-5699: incorrect validation of HTTP headers allows header injection (bsc#985348)
- CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Type: security
Severity: moderate
References: 992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Type: security
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Type: optional
Severity: low
References: 983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.

This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.

Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.

Generic optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization. - Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined. - Various Link-time optimization improvements. - Inter-procedural optimization improvements: - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the of inliner and function cloning passes. - Function cloning now more aggressively eliminates unused function parameters. - Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification. C language specific improvements: - Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers. - Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings, - Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code. - The C and C++ compilers now offer suggestions for misspelled field names. - New command-line options have been added for the C and C++ compilers: - -Wshift-negative-value warns about left shifting a negative value. - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit. 
- -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall. - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used. - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain. - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall. - The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file. C improvements: - It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects. - A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions. C++ improvements: - The default mode has been changed to -std=gnu++14. - C++ Concepts are now supported when compiling with -fconcepts. - -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location. - G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions. - G++ now allows constant evaluation for all non-type template arguments. - G++ now supports C++ Transactional Memory when compiling with -fgnu-tm. libstdc++ improvements: - Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland. 
- Experimental support for C++17. - An experimental implementation of the File System TS. - Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You. - Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit. Fortran improvements: - Fortran 2008 SUBMODULE support. - Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support. - Improved support for Fortran 2003 deferred-length character variables. - Improved support for OpenMP and OpenACC. - The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0. - The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind. - The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default. Architecture improvements: - AArch64 received a lot of improvements. IA-32/x86-64 improvements: - GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ. - Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx. 
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment. - Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly. - Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options. PowerPC / PowerPC64 / RS6000 improvements: - PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point. - Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available: - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler. - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used. - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add). 
- -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system. - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers. - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions. - -mpower9-minmax: Reserved for future development. - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities. - New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions. - Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later. - All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers. - Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed. - GCC on PowerPC now supports the standard lround function. - The 'q', 'S', 'T', and 't' asm-constraints have been removed. - The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed. S/390, System z, IBM z Systems improvements: - Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions. 
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning. - The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.) - Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included. - The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect. - The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions. - -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used. - Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900. 
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1364-1 Released: Fri Sep 16 17:13:43 2016 Summary: Security update for curl Type: security Severity: moderate References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389) - CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390) - CVE-2016-5421: use of connection struct after free (bsc#991391) - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420) Also the following bug was fixed: - fixing a performance issue (bsc#991746) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1370-1 Released: Wed Sep 21 12:58:14 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 994157,CVE-2016-6313 Description: This update for libgcrypt fixes the following issues: - RNG prediction vulnerability (bsc#994157, CVE-2016-6313) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1591-1 Released: Wed Nov 2 12:07:51 2016 Summary: Security update for curl Type: security Severity: important References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624 Description: This update for curl fixes the following security issues: - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646) - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645) - CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643) - CVE-2016-8621: curl_getdate read out of 
bounds (bsc#1005642) - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640) - CVE-2016-8619: double-free in krb5 code (bsc#1005638) - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637) - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635) - CVE-2016-8616: case insensitive password comparison (bsc#1005634) - CVE-2016-8615: cookie injection for other servers (bsc#1005633) - CVE-2016-7167: escape and unescape integer overflows (bsc#998760) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1614-1 Released: Mon Nov 7 20:01:31 2016 Summary: Recommended update for shadow Type: recommended Severity: low References: 1002975 Description: This update for shadow fixes the following issues: - Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1641-1 Released: Thu Nov 10 20:02:04 2016 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1006469,958369,979436 Description: This update for sg3_utils provides the following fixes: - Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469) - Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436) - In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. 
(bsc#958369) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1744-1 Released: Fri Dec 2 11:42:41 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). 
- bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). 
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1782-1 Released: Fri Dec 9 13:35:02 2016 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1001790,1004289,1005404,1006372,1006690,989831,991443 Description: This update for systemd provides the following fixes: - Allow to redirect confirmation messages to a different console. (bsc#1006690) - Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831) - Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289) - Don't emit space usage message right after opening the persistent journal. (bsc#991443) - Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. 
(bsc#1006372) - Document that *KeyIgnoreInhibited only apply to a subset of locks. - Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404) - Revert 'kbd-model-map: add more mappings offered by Yast'. - Don't busy loop when we get a notification message we can't process. - Rename kbd-model-map-extra into kbd-model-map.legacy. - Add kbd-model-map-extra file which contains the additional maps needed by YaST. - Drop localfs.service: unused and not needed anymore. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1827-1 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). 
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). 
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1863-1 Released: Wed Dec 21 10:41:35 2016 Summary: Recommended updated for pth Type: recommended Severity: low References: 1013286 Description: This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1912-1 Released: Fri Dec 23 18:02:35 2016 Summary: Security update for dnsmasq Type: security Severity: important References: 983273,CVE-2015-8899 Description: This update for dnsmasq fixes the following issues: - CVE-2015-8899: Denial of service between local and remote dns entries (bsc#983273) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2-1 Released: Mon Jan 2 08:35:08 2017 Summary: Security update for zlib Type: security Severity: moderate References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843 Description: This update for zlib fixes the following issues: CVE-2016-9843: Big-endian out-of-bounds pointer CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579) Incompatible declarations for external linkage function deflate (bsc#1003577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:6-1 Released: Tue Jan 3 15:01:58 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538 Description: This update for systemd fixes the following issues: - core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340) - fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989) - coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591) - Ship kbd-model-map with the correct contents. (bsc#1015515) - rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538) - tmpfiles: Don't skip path_set_perms on error. 
(bsc#953807) - nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390) - systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:32-1 Released: Mon Jan 9 11:50:42 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 994794 Description: This update for dirmngr enables support for daemon mode. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:47-1 Released: Wed Jan 11 11:42:43 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1018214,1018399 Description: This update for systemd fixes the following two issues: - A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399) - Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:98-1 Released: Thu Jan 19 10:17:55 2017 Summary: Recommended update for kmod Type: recommended Severity: low References: 998906 Description: This update for kmod fixes a rare race condition while loading modules. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:149-1 Released: Wed Jan 25 09:17:08 2017 Summary: Security update for systemd Type: security Severity: important References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156 Description: This update for systemd fixes the following issues: This security issue was fixed: - CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601). 
These non-security issues were fixed: - Fix permission set on /var/lib/systemd/linger/* - install: follow config_path symlink (#3362) - install: fix disable when /etc/systemd/system is a symlink (bsc#1014560) - run: make --slice= work in conjunction with --scope (bsc#1014566) - core: don't dispatch load queue when setting Slice= for transient units - systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266) - rule: don't automatically online standby memory on s390x (bsc#997682) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:185-1 Released: Thu Feb 2 18:22:37 2017 Summary: Security update for cpio Type: security Severity: moderate References: 1020108,963448,CVE-2016-2037 Description: This update for cpio fixes two issues. This security issue was fixed: - CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448). This non-security issue was fixed: - bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:192-1 Released: Fri Feb 3 18:46:05 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597 Description: This update for libxml2 fixes the following issues: * CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544] * Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873] * CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497). For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. 
Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:209-1
Released: Tue Feb 7 17:00:47 2017
Summary: Recommended update for libseccomp
Type: recommended
Severity: low
References: 1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1
Released: Wed Feb 8 13:07:24 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
(bsc#983216)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released: Fri Feb 10 15:39:32 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)
Security issues fixed:
- CVE-2016-7055: The x86_64 optimized Montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)
Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfilesd files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed by older systemd versions (bsc#1019276)
- Properly require logrotate as we need it for the dirmngr configs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:365-1
Released: Fri Mar 10 15:16:59 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1006175
Description:
This update for sg3_utils fixes the following issue:
- Add udev rules to handle legacy CCISS devices (bsc#1006175)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:389-1
Released: Thu Mar
16 14:16:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:
This update for systemd provides the following fixes:
- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:439-1
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Type: recommended
Severity: low
References: 1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:448-1
Released: Wed Mar 22 13:31:03 2017
Summary: Recommended update for python
Type: recommended
Severity: moderate
References: 1027282,964182
Description:
This update provides Python 2.7.13, which brings several bug fixes.
- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1.
- Update cipher lists for OpenSSL wrapper and support OpenSSL 1.1.0 and newer.
- Incorporate more integer overflow checks from upstream. (bsc#964182)
- Provide python2-* symbols to support new packages built as python2-.
For a comprehensive list of changes, please refer to the upstream Release Notes available at https://hg.python.org/cpython/raw-file/v2.7.13/Misc/NEWS
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released: Fri Mar 24 21:58:07 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package. (bsc#1015943)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:464-1
Released: Mon Mar 27 15:50:51 2017
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1007851,1029725,1029900
Description:
This update for glibc fixes a potential segmentation fault in libpthread:
- Fork in libpthread cannot use IFUNC resolver.
(bsc#1007851, bsc#1029725, bsc#1029900)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:580-1
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Type: recommended
Severity: important
References: 1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types [bsc#1028410]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:609-1
Released: Tue Apr 18 11:28:14 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309).
With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:656-1
Released: Fri Apr 28 16:12:30 2017
Summary: Recommended update for sqlite3
Type: recommended
Severity: low
References: 1019518,1025034
Description:
This update for sqlite3 provides the following fixes:
- Avoid calling sqlite3OsFetch() on a file-handle for which the xFetch method is NULL. This prevents a potential segmentation fault. (bsc#1025034)
- Fix defect in the in-memory journal logic that could leave the read cursor for the in-memory journal in an inconsistent state and result in a segmentation fault.
(bsc#1019518)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:732-1
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1030621
Description:
This update for procps fixes the following issues:
- Command w(1) with option -n doesn't work. (bsc#1030621)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:735-1
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:751-1
Released: Thu May 11 17:14:30 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:
This update for systemd provides the following fixes:
- logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as 'unchanged'. (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed.
(bsc#1025398)
- core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:785-1
Released: Tue May 16 11:53:57 2017
Summary: Recommended update for dnsmasq
Type: recommended
Severity: low
References: 1035227,972164
Description:
This update provides dnsmasq 2.76, which brings many fixes and enhancements:
- Fix PXE booting for UEFI architectures (fate#322030).
- Prevent a man-in-the-middle attack (bsc#972164, fate#321175).
This update brings a (small) potential incompatibility in the handling of 'basename' in --pxe-service. Please read the CHANGELOG and the documentation if you are using this option.
For a comprehensive list of changes, please refer to http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:794-1
Released: Tue May 16 15:41:09 2017
Summary: Security update for bash
Type: security
Severity: moderate
References: 1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.
Additionally, the popd builtin now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:799-1
Released: Wed May 17 00:21:13 2017
Summary: Recommended update for glibc
Type: recommended
Severity: low
References: 1026224,1035445
Description:
This update for glibc introduces basic support for IBM POWER9 systems.
Additionally, an improper assert in dlclose() has been removed.
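The libxml2 advisory SUSE-SU-2017:192-1 above ships no fix for CVE-2016-9318 and instead tells users who parse untrusted XML to take their own precautions, using the SUSE-specific -noxxe flag where possible. The following script is an added example that is not part of the advisory and does not use libxml2: it shows the same class of bug (XXE, external entity expansion) with Python's stdlib expat parser, parsing one constructed document first in a deliberately vulnerable configuration that fetches the referenced file and then in a hardened configuration that refuses any external entity. The payload, the "secret" file, the function names and the plain-path entity resolution are all constructed for the demonstration.

```python
"""Added example, not part of the SUSE advisory and not libxml2 code: the
class of bug the libxml2 advisory warns about (XXE, CVE-2016-9318), shown
with Python's stdlib expat parser. The XML payload, the "secret" file and
all function names below are constructed for this demonstration."""
import os
import tempfile
import xml.parsers.expat as expat


class ExternalEntityRefused(Exception):
    """Raised by the hardened parser when a document tries to pull in an
    external (SYSTEM/PUBLIC) entity."""


def parse_text(xml_bytes, resolve_external_entities):
    """Parse xml_bytes and return the document's concatenated text content.

    resolve_external_entities=True reproduces the vulnerable behaviour: a
    SYSTEM entity pointing at a local path is read and inlined, so an
    attacker-supplied document can exfiltrate files the parser can read.
    resolve_external_entities=False is the hardened configuration: any
    external entity reference aborts the parse instead of being fetched.
    """
    parts = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = parts.append

    def on_external_entity(context, base, system_id, public_id):
        if not resolve_external_entities:
            # Expat propagates exceptions raised in handlers out of Parse().
            raise ExternalEntityRefused(system_id)
        # Vulnerable branch. Real parsers resolve file:// and http:// URLs
        # here; a plain filesystem path (an assumption of this example) is
        # enough to show the data leak offline.
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as fh:
            child.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(parts)


def demo():
    """Run one constructed XXE payload through both configurations.

    Returns (text leaked by the vulnerable parser,
             entity path refused by the hardened parser).
    """
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="ascii") as fh:
            # Constructed stand-in for a file such as /etc/shadow.
            fh.write("secret-token-123")
        payload = (
            b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "'
            + secret_path.encode()
            + b'">]>\n'
            b"<data>&xxe;</data>"
        )
        leaked = parse_text(payload, resolve_external_entities=True)
        try:
            parse_text(payload, resolve_external_entities=False)
            refused = None
        except ExternalEntityRefused as exc:
            refused = str(exc)
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser refused entity:", refused)
```

Refusing the entity outright, as the hardened branch does, is the behaviour to prefer for untrusted input; silently expanding it to nothing (what Python's own SAX reader does by default) hides the attempt from logs, and rejecting any DOCTYPE at all before parsing is stricter still and also closes the entity-expansion denial-of-service variants.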
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:865-1
Released: Wed May 24 16:23:20 2017
Summary: Security update for pam
Type: security
Severity: moderate
References: 1015565,1037824,934920,CVE-2015-3238
Description:
This update for pam fixes the following issues:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:873-1
Released: Fri May 26 16:19:47 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1009532,960273
Description:
This update for e2fsprogs provides the following fixes:
- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled.
(bsc#960273)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:877-1
Released: Mon May 29 15:11:48 2017
Summary: Recommended update for cryptsetup
Type: recommended
Severity: low
References: 1031998
Description:
This update for cryptsetup provides the following fix:
- Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:891-1
Released: Tue May 30 22:28:21 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:907-1
Released: Thu Jun 1 14:23:36 2017
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1003978,1031643
Description:
This update for shadow fixes the following issues:
- Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643)
- useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID range was iterated to find an available UID/GID. This could take a long time over a network device. Instead, find available UID/GID locally, and then check only those values over the network.
(bsc#1003978)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:910-1
Released: Fri Jun 2 15:02:55 2017
Summary: Security update for libnettle
Type: security
Severity: moderate
References: 991464,CVE-2016-6489
Description:
This update for libnettle fixes the following issues:
- CVE-2016-6489:
  * Reject invalid RSA keys with even modulus.
  * Check for invalid keys, with even p, in dsa_sign().
  * Use function mpz_powm_sec() instead of mpz_powm() (bsc#991464).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:918-1
Released: Tue Jun 6 12:35:44 2017
Summary: Recommended update for libsemanage, selinux-policy
Type: recommended
Severity: moderate
References: 1020143,1032445,1035818,1038189
Description:
This update for libsemanage, selinux-policy fixes the following issues:
- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:939-1
Released: Mon Jun 12 10:56:22 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:
* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer over-read in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:959-1
Released: Wed Jun 14 14:38:11 2017
Summary: Recommended update for gcc5
Type: recommended
Severity: low
References: 1043580
Description:
This update for gcc5 fixes the version of libffi in its pkg-config configuration file.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:962-1
Released: Wed Jun 14 16:33:07 2017
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:
Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)
Non-security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released: Mon Jun 19 14:57:41 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released: Mon Jun 19 17:19:44 2017
Summary: Security update for glibc
Type: security
Severity: important
References: 1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:
- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges.
[bsc#1039357]
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released: Fri Jun 23 16:38:55 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1038194
Description:
This update for e2fsprogs provides the following fixes:
- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released: Mon Jun 26 08:12:24 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released: Mon Jun 26 13:22:26 2017
Summary: Recommended update for libsemanage, policycoreutils
Type: recommended
Severity: low
References: 1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:
- Show version numbers of modules where they are available (bsc#1043237)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released: Fri Jun 30 10:54:06 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1045943
Description:
This update for dirmngr provides the following fix:
- Change logrotate from Requires to Recommends (bsc#1045943)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released: Fri Jun 30 15:36:17 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released: Tue Jul 4 16:13:55 2017
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:
Security issue fixed:
- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)
The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support
configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released: Thu Jul 6 11:37:18 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released: Fri Jul 7 11:23:20 2017
Summary: Recommended update for ncurses
Type: security
Severity: important
References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function.
(bsc#1046853)
Bugfixes:
- Drop patch ncurses-5.9-environment.dif as the YaST2 ncurses GUI no longer needs it and it causes bug bsc#1000662
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released: Fri Jul 14 17:20:26 2017
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connection (bsc#1031702)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released: Wed Jul 19 11:12:51 2017
Summary: Security update for systemd, dracut
Type: security
Severity: important
References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:
Security issues fixed:
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)
Non-security issues fixed in systemd:
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
Non-security issues fixed in dracut:
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft).
(bsc#1037120)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1222-1
Released: Wed Jul 26 17:15:18 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1034563,1039941
Description:
This update for procps provides the following fixes:
- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1245-1
Released: Thu Aug 3 10:43:15 2017
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445
Description:
This update for systemd provides several fixes and enhancements.
Security issues fixed:
- CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server.
(bsc#1045290)
The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1268-1
Released: Mon Aug 7 10:09:19 2017
Summary: Recommended update for openssl
Type: recommended
Severity: moderate
References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364
Description:
This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation:
- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908)
- Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140-2 IG 7.14 (bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environment variable (bsc#1028723)
- s_client sent empty client certificate (bsc#1028281)
  Add back certificate initialization set_cert_key_stuff() which was removed in a previous update.
- Fix a bug in XTS key handling (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1279-1
Released: Mon Aug 7 14:46:40 2017
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs.
(bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1316-1
Released: Thu Aug 10 13:54:27 2017
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1014471,1026825,1044840,938657
Description:
This update for cyrus-sasl provides the following fixes:
- Fix SASL GSSAPI mechanism acceptor wrongly returning zero maxbufsize
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message (bsc#1044840)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1326-1
Released: Fri Aug 11 16:59:04 2017
Summary: Security update for libxml2
Type: security
Severity: low
References: 1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1330-1
Released: Mon Aug 14 18:41:29 2017
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 954661
Description:
This update for sed provides the following fixes:
- Don't terminate with a segmentation fault if close of last file descriptor fails.
(bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 Description: This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1334-1 Released: Tue Aug 15 20:09:03 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1048679,874665 Description: This update for systemd fixes the following issues: - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1335-1 Released: Wed Aug 16 11:24:21 2017 Summary: Security update for curl Type: security Severity: moderate References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101 Description: This update for curl fixes the following issues: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 Description: This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1349-1 Released: Fri Aug 18 12:31:07 2017 Summary: Recommended update for lua51 Type: recommended Severity: low References: 1051626 Description: This update for lua51 provides the following fixes: - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1390-1 Released: Fri Aug 25 15:14:27 2017 Summary: Security update for libzypp Type: security Severity: important References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984) - Fix gpg-pubkey release (creation time) computation. (bsc#1036659) - Update lsof blacklist. (bsc#1046417) - Re-probe on refresh if the repository type changes. (bsc#1048315) - Propagate proper error code to DownloadProgressReport. (bsc#1047785) - Allow to trigger an appdata refresh unconditionally. (bsc#1009745) - Support custom repo variables defined in /etc/zypp/vars.d. yast2-pkg-bindings: - Do not crash when the repository URL is not defined. 
(bsc#1043218) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1419-1 Released: Wed Aug 30 15:38:22 2017 Summary: Security update for expat Type: security Severity: moderate References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233 Description: This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1439-1 Released: Fri Sep 1 15:31:05 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1045384,1045987,1046268,1047379,1048605 Description: This update for systemd fixes the following issues: - Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605) - compat-rules: drop the bogus 'import everything' rule (bsc#1046268) - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379) - udev/path_id: introduce support for NVMe devices (bsc#1045987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1447-1 Released: Mon Sep 4 15:38:20 2017 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Adapt to work with GnuPG 2.1.23. (bsc#1054088) - Support signing with subkeys. (bsc#1008325) - Enhance sort order for media.1/products. (bsc#1054671) zypper: - Also show a gpg key's subkeys. (bsc#1008325) - Improve signature check callback messages. (bsc#1045735) - Add options to tune the GPG check settings. (bsc#1045735) - Adapt download callback to report and handle unsigned packages. 
(bsc#1038984, CVE-2017-7436) - Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1450-1 Released: Mon Sep 4 16:36:07 2017 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 1035062,944903 Description: This update for insserv-compat fixes the following issues: - Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062) - Fix directory argument parsing. (bsc#944903) - Add perl(Getopt::Long) to list of requirements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1453-1 Released: Mon Sep 4 21:23:50 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1043333,1046659,1047008 Description: This update for libgcrypt fixes the following issues: - libgcrypt stored an open file descriptor to the random device in a static variable between invocations. 
gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333) - Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659) * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer - fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659) - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1548-1 Released: Fri Sep 15 18:19:12 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1005063,1009269,1012523,1025176,1050767,1050943 Description: This update for sg3_utils provides the following fixes: - Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176) - In case the VPD sysfs attributes are missing or cannot be accessed, fallback to use sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523) - Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063) - Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943) - Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767) - Make sure initrd is rebuilt on sg3_utils updates. 
(bsc#1009269) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1592-1 Released: Tue Sep 26 17:38:03 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1028485,1045628,978055,998893,999878 Description: This update for lvm2 provides the following fixes: - Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485) - Try to refresh clvmd's device cache on the first failure. (bsc#978055) - Fix stale device cache in clvmd. (bsc#978055) - Warn if PV size in metadata is larger than disk device size. (bsc#999878) - Fix lvm2 activation issue when used on top of multipath. (bsc#998893) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1615-1 Released: Mon Oct 2 15:52:59 2017 Summary: Security update for dnsmasq Type: security Severity: important References: 1060354,1060355,1060360,1060361,1060362,1060364,CVE-2017-14491,CVE-2017-14492,CVE-2017-14493,CVE-2017-14494,CVE-2017-14495,CVE-2017-14496 Description: This update for dnsmasq fixes the following security issues: - CVE-2017-14491: 2 byte heap based overflow. [bsc#1060354] - CVE-2017-14492: heap based overflow. [bsc#1060355] - CVE-2017-14493: stack based overflow. [bsc#1060360] - CVE-2017-14494: DHCP - info leak. [bsc#1060361] - CVE-2017-14495: DNS - OOM DoS. [bsc#1060362] - CVE-2017-14496: DNS - DoS Integer underflow. [bsc#1060364] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1644-1 Released: Mon Oct 9 07:52:24 2017 Summary: Security update for krb5 Type: security Severity: moderate References: 1032680,1054028,1056995,903543,CVE-2017-11462 Description: This update for krb5 fixes several issues. 
This security issue was fixed: - CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995) These non-security issues were fixed: - Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028) - Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543) - Remove main package's dependency on systemd (bsc#1032680) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1663-1 Released: Tue Oct 10 12:05:09 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1043615,1046173 Description: This update for dbus-1 provides the following fixes: - Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1703-1 Released: Tue Oct 17 13:20:12 2017 Summary: Recommended update for audit Type: recommended Severity: low References: 1042781 Description: This update for audit provides the following fix: - Make auditd start by forking the systemd service to fix some initialization failures. 
(bsc#1042781) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1758-1 Released: Mon Oct 23 08:47:47 2017 Summary: Security update for curl Type: security Severity: moderate References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876) - CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824) Bugs fixed: - Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1796-1 Released: Fri Oct 27 21:25:06 2017 Summary: Recommended update for pcre Type: recommended Severity: moderate References: 1058722 Description: This update for pcre fixes the following issues: - Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining pcre match() function (bsc#1058722) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1797-1 Released: Sat Oct 28 12:06:19 2017 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1028304,1048645,1060738 Description: This update for permissions fixes the following issues: - Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. 
(bsc#1028304) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1826-1 Released: Wed Nov 8 08:47:17 2017 Summary: Security update for krb5 Type: security Severity: important References: 1065274,CVE-2017-15088 Description: This update for krb5 fixes the following issues: Security issues fixed: - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1829-1 Released: Wed Nov 8 08:50:00 2017 Summary: Security update for shadow Type: security Severity: moderate References: 1023895,1052261,980486,CVE-2017-12424 Description: This update for shadow fixes several issues. This security issue was fixed: - CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261). These non-security issues were fixed: - bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings - bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1881-1 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Type: security Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 Description: The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. 
(bsc#913650) - CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651) - CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152) - CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253) - CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253) Version update to file version 5.22 * add indirect relative for TIFF/Exif * restructure elf note printing to avoid repeated messages * add note limit, suggested by Alexander Cherepanov * Bail out on partial pread()'s (Alexander Cherepanov) * Fix incorrect bounds check in file_printable (Alexander Cherepanov) * PR/405: ignore SIGPIPE from uncompress programs * change printable -> file_printable and use it in more places for safety * in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name. Version update to file version 5.21 * there was an incorrect free in magic_load_buffers() * there was an out of bounds read for some pascal strings * there was a memory leak in magic lists * don't interpret strings printed from files using the current locale, convert them to ascii format first. 
* there was an out of bounds read in elf note reads Update to file version 5.20 * recognize encrypted CDF documents * add magic_load_buffers from Brooks Davis * add thumbs.db support Additional non-security bug fixes: * Fixed a memory corruption during rpmbuild (bsc#1063269) * Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511) * file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1903-1 Released: Fri Nov 24 16:19:37 2017 Summary: Security update for perl Type: security Severity: moderate References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724) - CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721) - CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. 
(bnc#1047178) Bug fixes: - backport set_capture_string changes from upstream (bsc#999735) - reformat baselibs.conf as source validator workaround ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1916-1 Released: Fri Nov 24 20:15:01 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1043333,1059723 Description: This update for libgcrypt provides the following fix: - Fix a regression in a previous update which caused libgcrypt to leak file descriptors causing failures when starting rtkit-daemon. (bsc#1059723) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1917-1 Released: Mon Nov 27 13:32:07 2017 Summary: Optional update for gcc7 Type: recommended Severity: low References: 1056437,1062591,1062592 Description: The GNU Compiler GCC 7 is being added to the Toolchain Module by this update. New features: - Support for specific IBM Power9 processor instructions. - Support for specific IBM zSeries z14 processor instructions. - New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support. The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1965-1 Released: Thu Nov 30 12:48:45 2017 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410 Description: The Software Update Stack was updated to receive fixes and enhancements. libsolv: - Many fixes and improvements for cleandeps. - Always create dup rules for 'distupgrade' jobs. - Use recommends also for ordering packages. - Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065) - Expose solver_get_recommendations() in bindings. - Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations(). - Support 'without' and 'unless' dependencies. - Use same heuristic as upstream to determine source RPMs. - Fix memory leak in bindings. - Add pool_best_solvables() function. - Fix 64bit integer parsing from RPM headers. - Enable bzip2 and xz/lzma compression support. - Enable complex/rich dependencies on distributions with RPM 4.13+. libzypp: - Fix media handling in presence of a repo path prefix. (bsc#1062561) - Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561) - Remove unused legacy notify-message script. (bsc#1058783) - Support multiple product licenses in repomd. (fate#322276) - Propagate 'rpm --import' errors. (bsc#1057188) - Fix typos in zypp.conf. zypper: - Locale: Fix possible segmentation fault. (bsc#1064999) - Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384) - Unify '(add|modify)(repo|service)' property related arguments. 
- Fixed 'add' commands supporting to set only a subset of properties. - Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671) - Fix missing package names in installation report. (bsc#1058695) - Differ between unsupported and packages with unknown support status. (bsc#1057634) - Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1966-1 Released: Thu Nov 30 13:45:24 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249 Description: This update for systemd fixes the following issues: - unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995) - compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249) - compat-rules: Allow to specify the generation number through the kernel command line. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - tmpfiles: Remove old ICE and X11 sockets at boot. - tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472) - pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on. - shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595) - shutdown: Fix incorrect fscanf() result check. - shutdown: Don't remount,ro network filesystems. (bsc#1035386) - shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641) - bash-completion: Add support for --now. (bsc#1053137) - Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. 
(bsc#1050152) - Add a rule to teach hotplug to offline containers transparently. (bsc#1040800) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1968-1 Released: Thu Nov 30 19:49:33 2017 Summary: Recommended update for coreutils Type: recommended Severity: low References: 1026567,1043059,965780 Description: This update for coreutils provides the following fixes: - Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567) - Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059) - Significantly speed up df(1) for huge mount lists. (bsc#965780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1970-1 Released: Thu Nov 30 22:55:41 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058) - CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242) - Out of bounds read+crash in DES_fcrypt (bsc#1065363) - openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2021-1 Released: Fri Dec 8 10:11:04 2017 Summary: Recommended update for file Type: recommended Severity: moderate References: 1070878,1070958 Description: This update for file fixes detection of JPEG files. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2031-1 Released: Mon Dec 11 12:55:57 2017 Summary: Recommended update for gzip Type: recommended Severity: low References: 1067891 Description: This update for gzip provides the following fix: - Fix mishandling of leading zeros in the end-of-block code (bsc#1067891) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2036-1 Released: Wed Dec 13 16:34:21 2017 Summary: Recommended update for util-linux Type: recommended Severity: low References: 1039276,1040968,1055446,1066500 Description: This update for util-linux provides the following fixes: - Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968) - Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446) - Fix a lscpu failure on Sydney Amazon EC2 region. (bsc#1066500) - If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2097-1 Released: Sat Dec 16 01:59:00 2017 Summary: Security update for openssl Type: security Severity: important References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738 Description: This update for openssl fixes the following issues: - OpenSSL Security Advisory [07 Dec 2017] * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \'error state\' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. 
In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. O penSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905) * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2137-1 Released: Thu Dec 21 17:49:12 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1046173,1071698 Description: This update for dbus-1 provides the following fixes: - The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. 
(bsc#1071698) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:4-1 Released: Tue Jan 2 15:58:20 2018 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1057640,1067605,1068708,1071466,969569 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Don't store duplicated locks. (bsc#969569) - Fix default for solver.allowNameChange. (bsc#1071466) - Don't filter procs with a different mnt namespace. (bsc#1068708) - Support repo variables in an URIs host:port component. (bsc#1057640, bsc#1067605) zypper: - Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:38-1 Released: Tue Jan 9 14:56:43 2018 Summary: Recommended update for kmod Type: recommended Severity: low References: 1070209 Description: This update for kmod provides the following fix: - Fix resolving .TOC. in modules on 4.4 and older kernel (bsc#1070209) - Fix kernel master build for ppc64le (bsc#1070209) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:55-1 Released: Fri Jan 12 09:45:49 2018 Summary: Security update for glibc Type: security Severity: important References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001 Description: This update for glibc fixes the following issues: - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. 
[CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:86-1 Released: Wed Jan 17 09:38:17 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released:    Wed Jan 17 14:41:17 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released:    Wed Jan 17 14:44:33 2018
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    low
References:  1063051,1067312
Description:
This update for lvm2 provides the following fixes:
- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages on testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd. (bsc#1067312)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released:    Thu Jan 25 11:44:23 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1064397,1065083
Description:
This update for openldap2 provides the following fixes:
- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released:    Thu Jan 25 13:38:37 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.
This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released:    Tue Jan 30 10:53:43 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.

These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released:    Tue Jan 30 14:36:40 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.

This security issue was fixed:
- CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308).

These non-security issues were fixed:
- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files.
  (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released:    Tue Jan 30 14:37:42 2018
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.

This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER-encoded structure, which allowed for DoS (bsc#1076832).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released:    Thu Feb 8 17:47:43 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes the following issues.

These security issues were fixed:
- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released:    Mon Feb 12 11:50:39 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    low
References:  1057452,1076909
Description:
This update for bash provides the following fixes:
- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released:    Thu Feb 15 14:47:35 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:

Security issues fixed:
- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)

Non-security bugs fixed:
- Release read lock after resetting timeout (bsc#1073990)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:336-1
Released:    Wed Feb 21 14:26:52 2018
Summary:     Security update for libdb-4_8
Type:        security
Severity:    moderate
References:  1043886
Description:
This update for libdb-4_8 fixes the following issues:
- A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. (bsc#1043886)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released:    Mon Feb 26 16:34:46 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:

Security issue fixed:
- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on.
  This could be used by local attackers to gain privileges (bsc#1077925)

Non-security issues fixed:
- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com
- Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224). But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released:    Wed Feb 28 16:33:37 2018
Summary:     Recommended update for net-tools
Type:        recommended
Severity:    low
References:  1009905,1063910
Description:
This update for net-tools provides the following fix:
- netstat: fix handling of large socket numbers (bsc#1063910)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released:    Fri Mar 9 14:05:22 2018
Summary:     Security update for augeas
Type:        security
Severity:    low
References:  1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:

Security issue fixed:
- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released:    Fri Mar 9 18:02:14 2018
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:
- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released:    Mon Mar 12 13:13:55 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:
- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released:    Thu Mar 15 07:38:52 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:
- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released:    Thu Mar 15 10:47:40 2018
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    low
References:  1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:

libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.

libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)

zypper:
- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released:    Thu Mar 22 08:20:46 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:

The following security issues were fixed:
- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released:    Thu Mar 29 14:02:08 2018
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:

Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).

Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos.
  System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released:    Thu Apr 5 17:22:37 2018
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.

This security issue was fixed:
- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released:    Wed Apr 11 18:02:57 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. (bsc#1087102)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released:    Wed Apr 25 14:14:41 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released:    Wed Apr 25 14:23:49 2018
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:

Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)

Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released:    Wed May 2 22:16:26 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:
- Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros.
  (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal to or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released:    Mon May 7 07:07:38 2018
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    important
References:  1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update of gcc7 to the 7.3 release fixes the following issues:
- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550]
- Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with the GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released:    Thu May 17 08:41:30 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:

Security issues fixed:
- CVE-2018-1000301: Fixed an RTSP bad-headers buffer over-read that could crash the curl client (bsc#1092098)

Non-security issues fixed:
- If the DEFAULT_SUSE cipher list is not available, use the HIGH cipher alias before failing. (bsc#1086825)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:964-1
Released:    Tue May 22 18:31:29 2018
Summary:     Security update for python
Type:        security
Severity:    moderate
References:  1068664,1079300,CVE-2017-1000158,CVE-2018-1000030
Description:
This update for python fixes the following issues:

Security issues fixed:
- CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664).
- CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same I/O stream concurrently (bsc#1079300).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released:    Wed May 23 16:46:50 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:
- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified.
  (bsc#1087323)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released:    Wed May 23 17:14:16 2018
Summary:     Security update for bash
Type:        security
Severity:    moderate
References:  1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:

Security issues fixed:
- CVE-2016-7543: A code execution possibility via the SHELLOPTS+PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via a malicious hostname was fixed (bsc#1000396)

Non-security issues fixed:
- Fix repeated self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released:    Wed May 23 17:18:39 2018
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1071321
Description:
This update for zlib fixes the following issues:
- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released:    Tue Jun 5 13:20:44 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1089884
Description:
This update for pam fixes the following issues:
- Fix order of accessed configuration files in the man page.
  (bsc#1089884)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released:    Wed Jun 6 11:44:25 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:
- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)

Non-security bugs fixed:
- Fix crash in resolver on memory allocation failure (bsc#1086690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released:    Thu Jun 7 12:58:56 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1073879,1080078,964063
Description:
This update for rpm fixes the following issues:
- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros. (bsc#1080078)

Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released:    Fri Jun 15 13:41:08 2018
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:
- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released:    Fri Jun 15 19:19:51 2018
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1090765
Description:
This update for openssl provides the following fix:
- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released:    Thu Jun 28 13:44:16 2018
Summary:     Security update for procps
Type:        security
Severity:    moderate
References:  1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function.
  This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released:    Thu Jul 5 08:36:17 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite, a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released:    Tue Jul 17 08:07:57 2018
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

This non-security issue was fixed:
- Fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released:    Thu Jul 19 09:43:21 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1376-1
Released:    Mon Jul 23 10:54:47 2018
Summary:     Security update for python
Type:        security
Severity:    moderate
References:  1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:

The following security vulnerability was addressed:
- Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released:    Thu Jul 26 16:32:29 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1413-1 Released: Fri Jul 27 12:41:13 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1450-1 Released: Mon Jul 30 10:10:45 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1549-1 Released: Mon Aug 13 13:41:22 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. 
(bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1610-1 Released: Thu Aug 16 14:04:25 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1612-1 Released: Thu Aug 16 14:04:38 2018 Summary: Security update for python Type: security Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. 
[bsc#1083507, CVE-2017-18207] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1620-1 Released: Thu Aug 16 14:49:45 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1632-1 Released: Thu Aug 16 15:27:04 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096 Description: This update for systemd fixes the following issues: - core: In --user mode, report READY=1 as soon as basic.target is reached. - sd-bus: Extend D-Bus authentication timeout considerably. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096) - compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096) - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761) - rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables. - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - device: Skip deserialization of device units when udevd is not running. - install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search preset files in /run. - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890) - logind: Do not use an uninitialized variable. 
(bsc#1088890) - Disable user services by default. (bsc#1090785) - Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post which made the symlink not owned and more importantly it was created only if /etc/sysctl.conf is already installed which is not always the case during the installation process it seems. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead since it's a distro default behavior that might be overriden by sysadmin later. - systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule that is can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in kernel. This change prevents the udev rules for acpi container be triggered by 'udevadm trigger' from user space. - build-sys: Explicitly require python3. (bsc#1082004) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1636-1 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1689-1 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. 
(bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1691-1 Released: Mon Aug 20 09:04:17 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1695-1 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). 
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1698-1 Released: Mon Aug 20 09:19:28 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1753-1 Released: Fri Aug 24 14:24:17 2018 Summary: Security update for python Type: security Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1834-1 Released: Wed Sep 5 10:17:42 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1089761,1090944,1101040,1103910 Description: This update for systemd fixes the following issues: - cryptsetup: Add support for sector-size= option. (fate#325634) - resolved: Apply epoch to system time from PID 1. (bsc#1103910) - core/service: Rework the hold-off time over message. - core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - Add udev.no-partlabel-links kernel command-line option. 
This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1903-1 Released: Fri Sep 14 12:46:21 2018 Summary: Security update for curl Type: security Severity: moderate References: 1089533,1106019,CVE-2018-14618 Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1969-1 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. 
- libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1985-1 Released: Mon Sep 24 11:56:08 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1994-1 Released: Mon Sep 24 12:55:57 2018 Summary: Security update for shadow Type: security Severity: moderate References: 1106914 Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2069-1 Released: Fri Sep 28 08:01:25 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737 Description: This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2162-1 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1088921 Description: This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. 
(bsc#1088921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2181-1 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). - CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2196-1 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2217-1 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1094121,1107430 Description: This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. - Avoid `xtrace' attack over $PS4. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2373-1 Released: Mon Oct 22 14:43:47 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1077692,943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. 
An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This non-security issue was fixed: - Use ksym-provides tool [bsc#1077692] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2435-1 Released: Wed Oct 24 14:42:43 2018 Summary: Recommended update for systemd Type: recommended Severity: important References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901 Description: This update for systemd fixes the following issues: - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254) - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753) - socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901) - user at .service: don't kill user manager at runlevel switch (bsc#1091677) - units: make sure user at .service runs with dbus still up - fix race between daemon-reload and other commands (bsc#1105031) - nspawn: always use mode 555 for /sys (bsc#1107640) - cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990) - Enable or disable machines.target according to the presets (bsc#1107941) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2475-1 Released: Thu Oct 25 16:56:24 2018 Summary: Recommended update 
for libzypp Type: recommended Severity: moderate References: 1099982,1109877,408814,556664,939392 Description: This update for libzypp fixes the following issues: - Add filesize check for downloads with known size (bsc#408814) - Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664) - Fix blocking wait for finished child process (bsc#1109877) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2488-1 Released: Fri Oct 26 12:39:59 2018 Summary: Recommended update for cpio Type: recommended Severity: low References: 1076810,889138 Description: This update for cpio provides the following fix: - Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2516-1 Released: Mon Oct 29 16:14:48 2018 Summary: Recommended update for console-setup, kbd Type: recommended Severity: moderate References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958 Description: This update for kbd and console-setup provides the following fixes: Changes in console-setup: - Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426) - Make the package build reproducible. (bsc#1062303) - Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942) Changes in kbd: - Update to version 2.0.4, including the following fixes (FATE#325454): * Disable characters greater than or equal to =U+F000 as they do not work properly. (bsc#1085432) * Move initial NumLock handling from systemd back to kbd: * Add kbdsettings service. (bsc#1010880) * Exclude numlockbios support for non x86 platforms * Drop references to KEYTABLE and COMPOSETABLE. 
(bsc#1010880) * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454) * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468) * Add vlock.pamd PAM file. (bsc#1056449) * Enable vlock (bsc#1056449). * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that needs this to be present. (bsc#1027379) * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958) * Fix missing dependency on coreutils for initrd macros. (bsc#958562) * Call missing initrd macro at postun. (bsc#958562) * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426) * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426) * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426) * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign. (bsc#360993) * Drop doshell reference from openvt.1 man page. (bsc#675317) * Drop the --userwait option as it is not used. (bsc#830805) * Fix a typo in the mac-querty-layout.inc. (bsc#825385) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2520-1 Released: Mon Oct 29 17:28:57 2018 Summary: Security update for python, python-base Type: security Severity: moderate References: 1086001,1088004,1088009,1109663,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061 Description: This update for python, python-base fixes the following issues: Security issues fixed: - CVE-2018-1000802: Prevent command injection in shutil module (make_archive function) via passage of unfiltered user input (bsc#1109663). - CVE-2018-1061: Fixed DoS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (bsc#1088004). 
- CVE-2018-1060: Fixed DoS via regular expression catastrophic backtracking in apop() method in pop3lib (bsc#1088009). Bug fixes: - bsc#1086001: python tarfile uses random order. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2525-1 Released: Tue Oct 30 09:22:45 2018 Summary: Recommended update for bash Type: recommended Severity: important References: 1113117 Description: This update for bash fixes the following issues: Recently released update introduced a change of behavior which resulted in broken customers scripts. (bsc#1113117) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2563-1 Released: Fri Nov 2 17:09:49 2018 Summary: Security update for curl Type: security Severity: moderate References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842 Description: This update for curl fixes the following issues: - CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758) - CVE-2018-16842: A Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2567-1 Released: Fri Nov 2 18:59:06 2018 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1047937,1057150,1057900,1099452,906858 Description: This update for apparmor provides the following fixes: - Add profile for usr.bin.lessopen.sh (bsc#906858) - Fix dovecot apparmor profile (bsc#1057150) - Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937) - Fix the traceroute profile to allow ipv6 usage (bsc#1057900) - Fix duplicate entry of capability when performing aa-logprof (bsc#1099452) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2593-1 Released: Wed Nov 7 11:04:00 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1095148,1113100 
Description: This update for rpm fixes the following issues: - Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100) - Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2659-1 Released: Wed Nov 14 14:14:41 2018 Summary: Security update for systemd Type: security Severity: important References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688 Description: This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
(bsc#1113665) Non-security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user at .service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - socket-util: introduce port argument in sockaddr_port() - service: fixup ExecStop for socket-activated shutdown (#4120) - service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923) - cryptsetup: build fixes for 'add support for sector-size= option' - udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278) - core: keep the kernel coredump defaults when systemd-coredump is disabled - core: shorten main() a bit, split out coredump initialization - core: set RLIMIT_CORE to unlimited by default (bsc#1108835) - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - tmp.mount.hm4: After swap.target (#3087) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2760-1 Released: Thu Nov 22 16:25:38 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652). - CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534). - Add missing timing side channel patch for DSA signature generation (bsc#1113742). Non-security issues fixed: - Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2766-1 Released: Fri Nov 23 17:07:27 2018 Summary: Security update for rpm Type: security Severity: important References: 943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS, they have already been released for SUSE Linux Enterprise Server 12 SP3. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1697-1 Released: Fri Nov 23 17:08:32 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1696-1 Released: Mon Nov 26 17:46:39 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). 
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released: Tue Nov 27 13:39:49 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This non-security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released: Mon Dec 3 15:34:09 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released: Wed Dec 5 09:29:31 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:
- Systemd-aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released: Wed Dec 5 09:57:54 2018
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:
- Allow setuid root for start-suid tool of singularity (group only) (bsc#1028304)
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247 bsc#1097665)
- Make btmp root:utmp (bsc#1050467)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released: Wed Dec 5 09:59:45 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:
- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released: Tue Dec 11 21:48:05 2018
Summary: Recommended update for blog
Type: recommended
Severity: moderate
References: 1071568
Description:
This update for blog fixes the following issues:
- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in the same manner as used by the release notes
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released: Mon Dec 17 08:51:28 2018
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:

Security issue fixed:
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:
- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released: Tue Jan 8 13:07:17 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:
- quote: Escape literal backslashes (bsc#953659).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Type: security
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released: Mon Jan 21 13:53:58 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:

Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:
- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state.
The failure exit code means the hot-added memory block cannot be set online. (bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Type: recommended
Severity: important
References: 1121450
Description:
This update for ncurses fixes the following issues:
- ncurses applications freezing (bsc#1121450)

From sle-updates at lists.suse.com Thu Jan 16 09:57:50 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:57:50 +0100 (CET)
Subject: SUSE-CU-2019:714-1: Security update of caasp/v4/sidecar
Message-ID: <20200116165750.3E8CAF796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/sidecar
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:714-1
Container Tags : caasp/v4/sidecar:1.14.1 , caasp/v4/sidecar:1.14.1-rev1 , caasp/v4/sidecar:1.14.1-rev1-build1.1
Severity : important
Type : security
References : 1000396 1000662 1000677 1001299 1001790 1001912 1002975 1003577 1003579 1003580 1003714 1003978 1004094 1004289 1004995 1004995 1004995 1005023 1005063 1005404 1005544 1005633 1005634 1005635 1005637 1005638 1005640 1005642 1005643 1005645 1005646 1006175 1006372 1006469 1006687 1006690 1007851 1008325 1009269 1009470 1009528 1009532 1009745 1009905 1009966 1010220 1010675 1010845 1010880 1012266 1012390 1012523 1012591 1012818 1012973 1013286 1013882 1013930 1013989 1014471 1014560 1014566 1014873 1015254 1015332 1015515 1015565 1015943 1017034 1017497 1018214 1018399 1019276 1019470 1019637 1019637 1019900 1020108 1020143 1020601 1021641 1022014 1022047 1022085 1022086 1022271 1023283 1023895 1024989 1025176 1025398 1025560 1025598 1025630 1025886 1026224 1026567 1026825 1027079 1027379 1027688 1027712 1027908 1027925 1028263 1028281 1028304 1028304 1028305 1028410 1028485 1028610 1028723 1029102 1029102 1029183 1029516
1029516 1029523 1029561 1029691 1029725 1029900 1030290 1030621 1031355 1031643 1031702 1031998 1032029 1032029 1032309 1032445 1032538 1032660 1032680 1033238 1033238 1033855 1034563 1034565 1035062 1035371 1035386 1035445 1035818 1036304 1036659 1036736 1036873 1036873 1037120 1037120 1037396 1037824 1037930 1038189 1038194 1038444 1038865 1038865 1038984 1038984 1039063 1039063 1039064 1039064 1039066 1039066 1039069 1039069 1039099 1039099 1039276 1039357 1039661 1039661 1039941 1040043 1040153 1040153 1040258 1040258 1040614 1040614 1040800 1040942 1040942 1040968 1040968 1040968 1041764 1042326 1042392 1042781 1043059 1043218 1043237 1043333 1043333 1043580 1043615 1043758 1043758 1043900 1043900 1044095 1044107 1044175 1044337 1044840 1044887 1044894 1045092 1045290 1045290 1045384 1045472 1045628 1045735 1045735 1045735 1045943 1045987 1046173 1046173 1046268 1046417 1046607 1046659 1046750 1046750 1046853 1046853 1046858 1046858 1047008 1047178 1047233 1047236 1047240 1047247 1047379 1047785 1047785 1047937 1047964 1047965 1048315 1048510 1048605 1048605 1048645 1048679 1049344 1049825 1050152 1050467 1050767 1050943 1051042 1051465 1051626 1051643 1051644 1051791 1052261 1053137 1053188 1053409 1053595 1053671 1054028 1054088 1054171 1054671 1055446 1055641 1055825 1055920 1056058 1056126 1056127 1056127 1056128 1056128 1056129 1056129 1056131 1056131 1056132 1056132 1056136 1056136 1056437 1056449 1056450 1056995 1057150 1057188 1057452 1057634 1057640 1057662 1057721 1057724 1057900 1057974 1058695 1058722 1058783 1059065 1059723 1060653 1060738 1061384 1061667 1061876 1062303 1062561 1062591 1062592 1063051 1063249 1063269 1063675 1063824 1063910 1064397 1064455 1064455 1064455 1064569 1064580 1064583 1064999 1065083 1065274 1065276 1065363 1065448 1065448 1066156 1066242 1066422 1066500 1067312 1067605 1067891 1068251 1068565 1068565 1068588 1068708 1068967 1069222 1069226 1069468 1069934 1070209 1070428 1070431 1070431 1070851 1070878 1070905 1070958 
1071224 1071311 1071319 1071321 1071466 1071558 1071568 1071698 1071905 1071906 1072947 1072947 1073231 1073313 1073879 1073990 1074254 1074293 1074293 1074621 1074687 1075449 1075724 1075743 1075801 1075804 1075978 1076192 1076308 1076415 1076696 1076810 1076832 1076909 1077001 1077635 1077692 1077787 1077787 1077925 1077993 1078358 1078662 1078662 1078806 1078813 1079036 1079334 1079991 1080078 1080382 1080740 1080740 1081170 1081294 1081556 1081725 1082004 1082216 1082216 1082216 1082233 1082233 1082233 1082234 1082234 1082234 1082318 1082485 1082485 1083158 1083290 1083926 1083927 1083946 1084300 1084300 1084521 1084524 1084532 1084626 1084812 1084812 1084842 1085062 1085432 1086247 1086602 1086690 1086785 1086825 1087102 1087323 1087550 1087550 1087930 1088052 1088279 1088601 1088705 1088769 1088890 1088921 1089039 1089533 1089640 1089761 1089761 1089884 1090765 1090766 1090766 1090766 1090785 1090944 1091265 1091624 1091677 1092098 1092100 1092100 1092413 1092640 1092640 1093753 1093851 1094121 1094150 1094154 1094161 1094222 1095096 1095148 1096282 1096282 1096282 1096718 1096718 1096745 1096803 1097158 1097410 1097410 1097410 1097624 1097665 1098592 1099310 1099310 1099310 1099452 1099847 1099982 1100028 1101040 1101246 1101349 1101470 1101591 1102046 1102429 1102564 1103910 1104789 1105031 1105166 1105236 1106019 1106197 1106914 1106923 1107430 1107640 1107941 1108835 1109197 1109252 1109877 1110445 1110661 1111251 1111278 1111965 1112024 1112209 1112758 1112858 1113083 1113100 1113117 1113125 1113534 1113632 1113652 1113660 1113665 1113742 1114981 1115518 1115929 1117355 1119971 1120323 1120489 1121450 360993 408814 556664 658010 661410 675317 825385 829717 830805 874665 888308 889138 889990 892431 894610 896202 896435 897422 898003 899524 899871 900275 900276 901202 901845 901924 902364 902367 903543 905483 906574 906574 906803 906858 907074 907456 908128 908516 909418 910252 910252 910253 910253 911228 911363 911662 912229 912715 912922 913209 913650 
913651 915402 915846 917152 917169 918089 918090 918346 919274 920057 920057 920386 921070 922534 923241 924525 924687 924960 924960 926412 926826 927556 927607 927608 927746 927993 928292 928533 928740 929919 930176 931932 932232 932894 933029 933288 933288 933336 933878 933878 934333 934689 934920 936050 936227 936227 936676 937823 938343 938657 939392 939460 940315 942865 942865 943457 943457 944903 945340 945842 945899 952151 952347 953130 953532 953659 953807 953831 954002 954661 955382 955753 955770 957566 957566 957567 957567 957598 957598 957600 957600 958369 958562 959693 960273 960820 960837 960837 961964 962765 962983 962996 963290 963448 963942 964063 964468 965322 965780 965902 966220 967026 967082 967728 967838 968771 969569 970260 970882 971741 971741 972127 972127 972331 974691 978055 979261 979436 979441 979629 979906 980391 980486 981114 981616 982303 982303 983206 983215 983216 983754 984906 984958 986216 986216 986783 986935 987887 988311 989788 989831 990189 990190 990191 990538 991389 991390 991391 991443 991746 991901 992966 994157 994794 995936 996511 997043 997420 997682 998760 998893 998906 999735 999878 CVE-2012-6702 CVE-2013-6435 CVE-2014-3591 CVE-2014-3707 CVE-2014-3710 CVE-2014-8116 CVE-2014-8116 CVE-2014-8117 CVE-2014-8117 CVE-2014-8118 CVE-2014-8150 CVE-2014-8964 CVE-2014-8964 CVE-2014-9087 CVE-2014-9112 CVE-2014-9447 CVE-2014-9620 CVE-2014-9621 CVE-2014-9653 CVE-2015-0247 CVE-2015-0837 CVE-2015-1283 CVE-2015-1572 CVE-2015-1606 CVE-2015-1607 CVE-2015-1782 CVE-2015-2059 CVE-2015-2325 CVE-2015-2325 CVE-2015-2327 CVE-2015-2327 CVE-2015-2328 CVE-2015-2328 CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148 CVE-2015-3153 CVE-2015-3210 CVE-2015-3210 CVE-2015-3217 CVE-2015-3217 CVE-2015-3238 CVE-2015-5073 CVE-2015-5073 CVE-2015-5276 CVE-2015-7511 CVE-2015-8380 CVE-2015-8380 CVE-2015-8381 CVE-2015-8381 CVE-2015-8382 CVE-2015-8382 CVE-2015-8383 CVE-2015-8383 CVE-2015-8384 CVE-2015-8384 CVE-2015-8385 CVE-2015-8385 CVE-2015-8386 
CVE-2015-8386 CVE-2015-8387 CVE-2015-8387 CVE-2015-8388 CVE-2015-8388 CVE-2015-8389 CVE-2015-8389 CVE-2015-8390 CVE-2015-8390 CVE-2015-8391 CVE-2015-8391 CVE-2015-8392 CVE-2015-8392 CVE-2015-8393 CVE-2015-8393 CVE-2015-8394 CVE-2015-8394 CVE-2015-8395 CVE-2015-8395 CVE-2015-8853 CVE-2015-8948 CVE-2016-0634 CVE-2016-0718 CVE-2016-0755 CVE-2016-0787 CVE-2016-10156 CVE-2016-1238 CVE-2016-1283 CVE-2016-1283 CVE-2016-1839 CVE-2016-2037 CVE-2016-2381 CVE-2016-3191 CVE-2016-3191 CVE-2016-4574 CVE-2016-4579 CVE-2016-4658 CVE-2016-5131 CVE-2016-5300 CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 CVE-2016-6185 CVE-2016-6252 CVE-2016-6252 CVE-2016-6252 CVE-2016-6261 CVE-2016-6262 CVE-2016-6263 CVE-2016-6313 CVE-2016-6318 CVE-2016-7055 CVE-2016-7141 CVE-2016-7167 CVE-2016-7543 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-9063 CVE-2016-9318 CVE-2016-9401 CVE-2016-9586 CVE-2016-9597 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 CVE-2017-0663 CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254 CVE-2017-1000257 CVE-2017-1000366 CVE-2017-1000408 CVE-2017-1000409 CVE-2017-10684 CVE-2017-10684 CVE-2017-10685 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-11462 CVE-2017-12132 CVE-2017-12133 CVE-2017-12424 CVE-2017-12837 CVE-2017-12883 CVE-2017-13728 CVE-2017-13728 CVE-2017-13729 CVE-2017-13729 CVE-2017-13730 CVE-2017-13730 CVE-2017-13731 CVE-2017-13731 CVE-2017-13732 CVE-2017-13732 CVE-2017-13733 CVE-2017-13733 CVE-2017-13734 CVE-2017-14062 CVE-2017-15088 CVE-2017-15412 CVE-2017-15670 CVE-2017-15671 CVE-2017-15804 CVE-2017-15908 CVE-2017-16997 CVE-2017-17740 CVE-2017-18078 CVE-2017-18258 CVE-2017-18269 CVE-2017-3731 CVE-2017-3732 CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 CVE-2017-5130 CVE-2017-5969 CVE-2017-6512 CVE-2017-7375 CVE-2017-7376 CVE-2017-7407 CVE-2017-7435 CVE-2017-7436 CVE-2017-7436 CVE-2017-7500 CVE-2017-7500 CVE-2017-7501 CVE-2017-7501 
CVE-2017-7526 CVE-2017-7555 CVE-2017-8804 CVE-2017-8816 CVE-2017-8817 CVE-2017-8872 CVE-2017-9047 CVE-2017-9047 CVE-2017-9048 CVE-2017-9048 CVE-2017-9049 CVE-2017-9049 CVE-2017-9050 CVE-2017-9050 CVE-2017-9217 CVE-2017-9217 CVE-2017-9233 CVE-2017-9269 CVE-2017-9269 CVE-2017-9287 CVE-2017-9445 CVE-2017-9445 CVE-2017-9526 CVE-2018-0495 CVE-2018-0495 CVE-2018-0495 CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-0739 CVE-2018-1000001 CVE-2018-1000001 CVE-2018-1000007 CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000301 CVE-2018-1049 CVE-2018-1122 CVE-2018-1122 CVE-2018-1123 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1124 CVE-2018-1125 CVE-2018-1125 CVE-2018-1126 CVE-2018-1126 CVE-2018-12015 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-19211 CVE-2018-20217 CVE-2018-5407 CVE-2018-5729 CVE-2018-5730 CVE-2018-6003 CVE-2018-6485 CVE-2018-6551 CVE-2018-6797 CVE-2018-6797 CVE-2018-6797 CVE-2018-6798 CVE-2018-6798 CVE-2018-6798 CVE-2018-6913 CVE-2018-6913 CVE-2018-6913 CVE-2018-7169 CVE-2018-7685 CVE-2018-7738 CVE-2018-7738 CVE-2018-9251
-----------------------------------------------------------------

The container caasp/v4/sidecar was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up.
(bnc#901845)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Type: security
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Type: security
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Type: security
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with spaces.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released: Tue Feb 3 14:51:17 2015
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 913209
Description:
curl was updated to fix problems when operating in FIPS mode.

This patch re-enables the following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released: Tue Feb 3 16:30:16 2015
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer over-read and a crash of the application using libssh2_org.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.

The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of bounds
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Type: security
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:

Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Type: recommended
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Type: optional
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.
Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes.

The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).

The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:

Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)

Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin).

The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Type: recommended
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-UTF-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Type: security
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out-of-bounds read and a stack overflow (bsc#926826).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Type: recommended
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released: Fri Jan 8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type: recommended
Severity: moderate
References: 932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.

The various GNOME libraries and tools have been changed to use the default libgcrypt allocators.
GNOME keyring was changed not to use MD5 anymore.

libgcrypt was adjusted to free the DRBG on exit to avoid crashes.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released: Thu Feb 4 15:51:22 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released: Thu Mar 3 15:58:18 2016
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 960820
Description:
This update for insserv-compat fixes the name of the ntpd service.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:

Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.
A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)
Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Type: recommended
Severity: low
References: 967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released: Fri Apr 1 18:44:16 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released: Wed Apr 6 16:26:42 2016
Summary: Security update for gcc5
Type: security
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.
The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)
The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.
This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Type: recommended
Severity: low
References: 970260
Description:
This update for bzip2 fixes the following issues:
- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Type: recommended
Severity: important
References: 974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released: Thu May 19 22:38:01 2016
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 915846
Description:
This update for curl fixes the following issue:
- Fix 'Network is unreachable' error when IPv6 is not available but IPv4 is. This fixes the same error in applications using libcurl4 (like zypper).
(bsc#915846)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 979629
Description:
This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing fips pattern (bsc#979629)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released: Tue Jun 7 09:48:12 2016
Summary: Security update for expat
Type: security
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:
Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released: Tue Jun 7 10:58:37 2016
Summary: Security update for libksba
Type: security
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)
Also adding reliability fixes from v1.3.4.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 981616
Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released: Thu Jul 7 11:50:47 2016
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 986935
Description:
This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Type: security
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8 instead of crashing on it (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Type: security
Severity: moderate
References: 992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Type: security
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger.
(bsc#932894)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Type: optional
Severity: low
References: 983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.
Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.
Generic Optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit, which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.
C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.
C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.
C++ improvements:
- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.
libstdc++ improvements:
- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per translation unit.
Fortran improvements:
- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.
Architecture improvements:
- AArch64 received a lot of improvements.
IA-32/x86-64 improvements:
- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.
PowerPC / PowerPC64 / RS6000 improvements:
- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
  - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
  - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
  - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
  - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
  - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
  - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
  - -mpower9-minmax: Reserved for future development.
  - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.
S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)
Also the following bug was fixed:
- Fixed a performance issue (bsc#991746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released: Wed Nov 2 12:07:51 2016
Summary: Security update for curl
Type: security
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released: Mon Nov 7 20:01:31 2016
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1002975
Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1006469,958369,979436
Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server.
(bsc#958369)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1744-1
Released: Fri Dec 2 11:42:41 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.
These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c (PCRE) and pcre2_compile.c (PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).
These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1782-1
Released: Fri Dec 9 13:35:02 2016
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1001790,1004289,1005404,1006372,1006690,989831,991443
Description:
This update for systemd provides the following fixes:
- Allow to redirect confirmation messages to a different console. (bsc#1006690)
- Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831)
- Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289)
- Don't emit space usage message right after opening the persistent journal. (bsc#991443)
- Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload.
(bsc#1006372) - Document that *KeyIgnoreInhibited only apply to a subset of locks. - Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404) - Revert 'kbd-model-map: add more mappings offered by Yast'. - Don't busy loop when we get a notification message we can't process. - Rename kbd-model-map-extra into kbd-model-map.legacy. - Add kbd-model-map-extra file which contains the additional maps needed by YaST. - Drop localfs.service: unused and not needed anymore. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1827-1 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). 
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c (and in pcre2_compile.c in PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).
These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1863-1
Released:    Wed Dec 21 10:41:35 2016
Summary:     Recommended update for pth
Type:        recommended
Severity:    low
References:  1013286
Description:
This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released:    Mon Jan 2 08:35:08 2017
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580)
- CVE-2016-9840, CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
- Incompatible declarations for external linkage function deflate (bsc#1003577)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:6-1
Released:    Tue Jan 3 15:01:58 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538
Description:
This update for systemd fixes the following issues:
- core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
- fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Ship kbd-model-map with the correct contents. (bsc#1015515)
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
- tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
- nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
- systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:32-1
Released:    Mon Jan 9 11:50:42 2017
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    low
References:  994794
Description:
This update for dirmngr enables support for daemon mode.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:47-1
Released:    Wed Jan 11 11:42:43 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1018214,1018399
Description:
This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:98-1
Released:    Thu Jan 19 10:17:55 2017
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  998906
Description:
This update for kmod fixes a rare race condition while loading modules.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:149-1
Released:    Wed Jan 25 09:17:08 2017
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:
This update for systemd fixes the following issues:
This security issue was fixed:
- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).
These non-security issues were fixed:
- Fix permissions set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries shown by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released:    Thu Feb 2 18:22:37 2017
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.
This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).
This non-security issue was fixed:
- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:192-1
Released:    Fri Feb 3 18:46:05 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).
For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:209-1
Released:    Tue Feb 7 17:00:47 2017
Summary:     Recommended update for libseccomp
Type:        recommended
Severity:    low
References:  1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1
Released:    Wed Feb 8 13:07:24 2017
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
(bsc#983216)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released:    Fri Feb 10 15:39:32 2017
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641).
Security issues fixed:
- CVE-2016-7055: The x86_64 optimized Montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)
Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released:    Mon Feb 20 11:00:28 2017
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    low
References:  1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfilesd files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed with older systemd versions (bsc#1019276)
- Properly require logrotate as we need it for the dirmngr configs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:365-1
Released:    Fri Mar 10 15:16:59 2017
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1006175
Description:
This update for sg3_utils fixes the following issue:
- Add udev rules to handle legacy CCISS devices (bsc#1006175)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:389-1
Released:    Thu Mar 16 14:16:43 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:
This update for systemd provides the following fixes:
- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:439-1
Released:    Tue Mar 21 10:48:47 2017
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    low
References:  1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released:    Fri Mar 24 21:58:07 2017
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package.
(bsc#1015943)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:464-1
Released:    Mon Mar 27 15:50:51 2017
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1007851,1029725,1029900
Description:
This update for glibc fixes a potential segmentation fault in libpthread:
- Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:580-1
Released:    Wed Apr 12 23:58:47 2017
Summary:     Recommended update for cpio
Type:        recommended
Severity:    important
References:  1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types [bsc#1028410]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:609-1
Released:    Tue Apr 18 11:28:14 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309).
With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:732-1
Released:    Wed May 10 14:03:43 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1030621
Description:
This update for procps fixes the following issues:
- Command w(1) with option -n doesn't work. (bsc#1030621)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:735-1
Released:    Wed May 10 15:43:46 2017
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    low
References:  1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:751-1
Released:    Thu May 11 17:14:30 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:
This update for systemd provides the following fixes:
- logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as 'unchanged'. (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398)
- core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh.
(bsc#1030290)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:794-1
Released:    Tue May 16 15:41:09 2017
Summary:     Security update for bash
Type:        security
Severity:    moderate
References:  1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.
Additionally, the popd builtin now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:799-1
Released:    Wed May 17 00:21:13 2017
Summary:     Recommended update for glibc
Type:        recommended
Severity:    low
References:  1026224,1035445
Description:
This update for glibc introduces basic support for IBM POWER9 systems.
Additionally, an improper assert in dlclose() has been removed.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:865-1
Released:    Wed May 24 16:23:20 2017
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1015565,1037824,934920,CVE-2015-3238
Description:
This update for pam fixes the following issues:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:873-1
Released:    Fri May 26 16:19:47 2017
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1009532,960273
Description:
This update for e2fsprogs provides the following fixes:
- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:877-1
Released:    Mon May 29 15:11:48 2017
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    low
References:  1031998
Description:
This update for cryptsetup provides the following fix:
- Don't use a zero-filled empty key, because in FIPS mode XTS key parts mustn't be equivalent (bsc#1031998)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:891-1
Released:    Tue May 30 22:28:21 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:907-1
Released:    Thu Jun 1 14:23:36 2017
Summary:     Recommended update for shadow
Type:        recommended
Severity:    low
References:  1003978,1031643
Description:
This update for shadow fixes the following issues:
- Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643)
- useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID range was iterated to find an available UID/GID.
This could take a long time over a network device. Instead, find available UID/GID locally, and then check only those values over the network. (bsc#1003978)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:918-1
Released:    Tue Jun 6 12:35:44 2017
Summary:     Recommended update for libsemanage, selinux-policy
Type:        recommended
Severity:    moderate
References:  1020143,1032445,1035818,1038189
Description:
This update for libsemanage, selinux-policy fixes the following issues:
- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:939-1
Released:    Mon Jun 12 10:56:22 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:
* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer over-read in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:959-1
Released:    Wed Jun 14 14:38:11 2017
Summary:     Recommended update for gcc5
Type:        recommended
Severity:    low
References:  1043580
Description:
This update for gcc5 fixes the version of libffi in its pkg-config configuration file.
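Every record in this change-log uses the same layout (a dashed rule, then Advisory ID, Released, Summary, Type, Severity, References and Description), and in this list archive many records have been collapsed onto a single line. The parser below is an added example, not SUSE tooling: it reads both layouts and indexes which CVEs each advisory lists as fixed, so a batch of advisories can be checked against a list of CVEs you care about. It treats the References field as the authoritative list. The expat advisory above names CVE-2012-0876 in its description only as the cause of an earlier incomplete fix, and the example reports such mentions separately so they are not counted as patched. The sample input is the zlib and expat records copied from this page and embedded inline; the names `Advisory`, `parse_advisories`, `cve_index`, `unlisted_cves` and `coverage` are chosen here and appear nowhere in the advisories.

```python
# Added example (not SUSE tooling): parse SUSE advisory change-log records
# and index the CVEs they list as fixed. Assumes only the record layout
# seen on this page: a dashed rule, then the fields named in FIELDS.
import re
from dataclasses import dataclass

FIELDS = ("Advisory ID", "Released", "Summary", "Type",
          "Severity", "References", "Description")
# A label starts a line or follows whitespace; the second form is what
# list-archive extraction leaves when a record is collapsed onto one line.
FIELD_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, FIELDS)) + r"):\s*",
                      re.MULTILINE)
SEPARATOR_RE = re.compile(r"^-{20,}[ \t]*$", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    released: str
    summary: str
    kind: str           # the Type field: "security" or "recommended"
    severity: str
    bugs: frozenset     # Bugzilla numbers from References
    cves: frozenset     # CVE IDs from References: what the advisory fixes
    description: str

def _split_fields(record: str) -> dict:
    """Cut one record into labelled fields; Description runs to the end."""
    fields = {}
    hits = list(FIELD_RE.finditer(record))
    for i, hit in enumerate(hits):
        label = hit.group(1)
        if label == "Description":
            fields[label] = record[hit.end():].strip()
            break
        end = hits[i + 1].start() if i + 1 < len(hits) else len(record)
        fields[label] = record[hit.end():end].strip()
    return fields

def parse_advisories(text: str) -> list:
    """One Advisory per record between dashed rules; other text is skipped."""
    advisories = []
    for chunk in SEPARATOR_RE.split(text):
        fields = _split_fields(chunk)
        if "Advisory ID" not in fields:
            continue
        refs = [r.strip() for r in fields.get("References", "").split(",")]
        advisories.append(Advisory(
            advisory_id=fields["Advisory ID"],
            released=fields.get("Released", ""),
            summary=fields.get("Summary", ""),
            kind=fields.get("Type", ""),
            severity=fields.get("Severity", ""),
            bugs=frozenset(r for r in refs if r.isdigit()),
            cves=frozenset(r for r in refs if CVE_RE.fullmatch(r)),
            description=fields.get("Description", ""),
        ))
    return advisories

def cve_index(advisories) -> dict:
    """Map each CVE in a References field to the advisory IDs listing it."""
    index = {}
    for adv in advisories:
        for cve in sorted(adv.cves):
            index.setdefault(cve, []).append(adv.advisory_id)
    return index

def unlisted_cves(adv: Advisory) -> frozenset:
    """CVEs named in the description but absent from References: context
    (e.g. the cause of an earlier incomplete fix), not something fixed here."""
    return frozenset(CVE_RE.findall(adv.description)) - adv.cves

def coverage(advisories, wanted) -> dict:
    """For each CVE you care about, the advisories that list it as fixed."""
    index = cve_index(advisories)
    return {cve: index.get(cve, []) for cve in wanted}

# Constructed sample: the zlib and expat records from this change-log, the
# first with one field per line, the second collapsed onto a single line.
SAMPLE = """\
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released:    Mon Jan  2 08:35:08 2017
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580)
- CVE-2016-9840, CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
- Incompatible declarations for external linkage function deflate (bsc#1003577)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1 Released: Wed Feb 8 13:07:24 2017 Summary: Security update for expat Type: security Severity: moderate References: 983215,983216,CVE-2012-6702,CVE-2016-5300 Description: This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216)
"""
```

Running `coverage(parse_advisories(SAMPLE), ["CVE-2016-9843", "CVE-2012-0876"])` maps the first CVE to SUSE-SU-2017:2-1 and the second to an empty list, while `unlisted_cves` on the expat record returns CVE-2012-0876: the mention is visible, but it is not reported as fixed. Feeding the whole change-log through the same functions gives the package-to-CVE picture for an image without trusting free-text descriptions.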
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:962-1
Released:    Wed Jun 14 16:33:07 2017
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:
Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)
Non security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released:    Mon Jun 19 14:57:41 2017
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released:    Mon Jun 19 17:19:44 2017
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:
- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357]
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed.
[bsc#1040043]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released:    Fri Jun 23 16:38:55 2017
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1038194
Description:
This update for e2fsprogs provides the following fixes:
- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released:    Mon Jun 26 08:12:24 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released:    Mon Jun 26 13:22:26 2017
Summary:     Recommended update for libsemanage, policycoreutils
Type:        recommended
Severity:    low
References:  1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:
- Show version numbers of modules where they are available (bsc#1043237)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released:    Fri Jun 30 10:54:06 2017
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    low
References:  1045943
Description:
This update for dirmngr provides the following fix:
- Change logrotate from Requires to Recommends (bsc#1045943)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released:    Fri Jun 30 15:36:17 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following
issues:
Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released:    Tue Jul 4 16:13:55 2017
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:
Security issue fixed:
- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)
The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released:    Thu Jul 6 11:37:18 2017
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released:    Fri Jul 7 11:23:20 2017
Summary:     Security update for ncurses
Type:        security
Severity:    important
References:  1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function.
(bsc#1046853)
Bugfixes:
- Drop patch ncurses-5.9-environment.dif, as the YaST2 ncurses GUI no longer needs it and it causes bug bsc#1000662
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released:    Fri Jul 14 17:20:26 2017
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connection (bsc#1031702)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released:    Wed Jul 19 11:12:51 2017
Summary:     Security update for systemd, dracut
Type:        security
Severity:    important
References:  1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:
Security issues fixed:
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)
Non-security issues fixed in systemd:
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
Non-security issues fixed in dracut:
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft).
(bsc#1037120) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1222-1 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1034563,1039941 Description: This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1245-1 Released: Thu Aug 3 10:43:15 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445 Description: This update for systemd provides several fixes and enhancements. Security issues fixed: - CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614) - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. 
(bsc#1045290) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. 
- Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1268-1 Released: Mon Aug 7 10:09:19 2017 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364 Description: This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation: - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908) - Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175) - Fix x86 extended feature detection (bsc#1029523) - Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environmental variable (bsc#1028723) - s_client sent empty client certificate (bsc#1028281) Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. - Fix a bug in XTS key handling (bsc#1019637) - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1279-1 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Type: security Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. 
(bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1316-1 Released: Thu Aug 10 13:54:27 2017 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1014471,1026825,1044840,938657 Description: This update for cyrus-sasl provides the following fixes: - Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence 'GSSAPI client step 1' debug log message (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1326-1 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Type: security Severity: low References: 1038444,CVE-2017-8872 Description: This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1330-1 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Type: recommended Severity: low References: 954661 Description: This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. 
(bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 Description: This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1334-1 Released: Tue Aug 15 20:09:03 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1048679,874665 Description: This update for systemd fixes the following issues: - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1335-1 Released: Wed Aug 16 11:24:21 2017 Summary: Security update for curl Type: security Severity: moderate References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101 Description: This update for curl fixes the following issues: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 Description: This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1349-1 Released: Fri Aug 18 12:31:07 2017 Summary: Recommended update for lua51 Type: recommended Severity: low References: 1051626 Description: This update for lua51 provides the following fixes: - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1390-1 Released: Fri Aug 25 15:14:27 2017 Summary: Security update for libzypp Type: security Severity: important References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984) - Fix gpg-pubkey release (creation time) computation. (bsc#1036659) - Update lsof blacklist. (bsc#1046417) - Re-probe on refresh if the repository type changes. (bsc#1048315) - Propagate proper error code to DownloadProgressReport. (bsc#1047785) - Allow to trigger an appdata refresh unconditionally. (bsc#1009745) - Support custom repo variables defined in /etc/zypp/vars.d. yast2-pkg-bindings: - Do not crash when the repository URL is not defined. 
(bsc#1043218) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1419-1 Released: Wed Aug 30 15:38:22 2017 Summary: Security update for expat Type: security Severity: moderate References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233 Description: This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1439-1 Released: Fri Sep 1 15:31:05 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1045384,1045987,1046268,1047379,1048605 Description: This update for systemd fixes the following issues: - Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605) - compat-rules: drop the bogus 'import everything' rule (bsc#1046268) - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379) - udev/path_id: introduce support for NVMe devices (bsc#1045987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1447-1 Released: Mon Sep 4 15:38:20 2017 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Adapt to work with GnuPG 2.1.23. (bsc#1054088) - Support signing with subkeys. (bsc#1008325) - Enhance sort order for media.1/products. (bsc#1054671) zypper: - Also show a gpg key's subkeys. (bsc#1008325) - Improve signature check callback messages. (bsc#1045735) - Add options to tune the GPG check settings. (bsc#1045735) - Adapt download callback to report and handle unsigned packages. 
(bsc#1038984, CVE-2017-7436) - Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1450-1 Released: Mon Sep 4 16:36:07 2017 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 1035062,944903 Description: This update for insserv-compat fixes the following issues: - Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062) - Fix directory argument parsing. (bsc#944903) - Add perl(Getopt::Long) to list of requirements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1453-1 Released: Mon Sep 4 21:23:50 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1043333,1046659,1047008 Description: This update for libgcrypt fixes the following issues: - libgcrypt stored an open file descriptor to the random device in a static variable between invocations. 
gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333) - Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659) * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer - fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659) - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1548-1 Released: Fri Sep 15 18:19:12 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1005063,1009269,1012523,1025176,1050767,1050943 Description: This update for sg3_utils provides the following fixes: - Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176) - In case the VPD sysfs attributes are missing or cannot be accessed, fallback to use sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523) - Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063) - Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943) - Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767) - Make sure initrd is rebuilt on sg3_utils updates. 
(bsc#1009269) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1592-1 Released: Tue Sep 26 17:38:03 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1028485,1045628,978055,998893,999878 Description: This update for lvm2 provides the following fixes: - Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485) - Try to refresh clvmd's device cache on the first failure. (bsc#978055) - Fix stale device cache in clvmd. (bsc#978055) - Warn if PV size in metadata is larger than disk device size. (bsc#999878) - Fix lvm2 activation issue when used on top of multipath. (bsc#998893) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1644-1 Released: Mon Oct 9 07:52:24 2017 Summary: Security update for krb5 Type: security Severity: moderate References: 1032680,1054028,1056995,903543,CVE-2017-11462 Description: This update for krb5 fixes several issues. This security issue was fixed: - CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995) These non-security issues were fixed: - Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028) - Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543) - Remove main package's dependency on systemd (bsc#1032680) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1663-1 Released: Tue Oct 10 12:05:09 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1043615,1046173 Description: This update for dbus-1 provides the following fixes: - Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. 
(bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1703-1 Released: Tue Oct 17 13:20:12 2017 Summary: Recommended update for audit Type: recommended Severity: low References: 1042781 Description: This update for audit provides the following fix: - Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1758-1 Released: Mon Oct 23 08:47:47 2017 Summary: Security update for curl Type: security Severity: moderate References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876) - CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824) Bugs fixed: - Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1796-1 Released: Fri Oct 27 21:25:06 2017 Summary: Recommended update for pcre Type: recommended Severity: moderate References: 1058722 Description: This update for pcre fixes the following issues: - Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining pcre match() function (bsc#1058722) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1797-1 Released: Sat Oct 28 12:06:19 2017 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1028304,1048645,1060738 Description: This update for permissions fixes the following issues: - Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. 
(bsc#1028304) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1826-1 Released: Wed Nov 8 08:47:17 2017 Summary: Security update for krb5 Type: security Severity: important References: 1065274,CVE-2017-15088 Description: This update for krb5 fixes the following issues: Security issues fixed: - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1829-1 Released: Wed Nov 8 08:50:00 2017 Summary: Security update for shadow Type: security Severity: moderate References: 1023895,1052261,980486,CVE-2017-12424 Description: This update for shadow fixes several issues. This security issue was fixed: - CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261). These non-security issues were fixed: - bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings - bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1881-1 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Type: security Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 Description: The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. 
(bsc#913650) - CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651) - CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152) - CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253) - CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253) Version update to file version 5.22 * add indirect relative for TIFF/Exif * restructure elf note printing to avoid repeated messages * add note limit, suggested by Alexander Cherepanov * Bail out on partial pread()'s (Alexander Cherepanov) * Fix incorrect bounds check in file_printable (Alexander Cherepanov) * PR/405: ignore SIGPIPE from uncompress programs * change printable -> file_printable and use it in more places for safety * in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name. Version update to file version 5.21 * there was an incorrect free in magic_load_buffers() * there was an out of bounds read for some pascal strings * there was a memory leak in magic lists * don't interpret strings printed from files using the current locale, convert them to ascii format first. 
* there was an out of bounds read in elf note reads Update to file version 5.20 * recognize encrypted CDF documents * add magic_load_buffers from Brooks Davis * add thumbs.db support Additional non-security bug fixes: * Fixed a memory corruption during rpmbuild (bsc#1063269) * Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511) * file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1903-1 Released: Fri Nov 24 16:19:37 2017 Summary: Security update for perl Type: security Severity: moderate References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724) - CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721) - CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. 
(bnc#1047178) Bug fixes: - backport set_capture_string changes from upstream (bsc#999735) - reformat baselibs.conf as source validator workaround ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1916-1 Released: Fri Nov 24 20:15:01 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1043333,1059723 Description: This update for libgcrypt provides the following fix: - Fix a regression in a previous update which caused libgcrypt to leak file descriptors causing failures when starting rtkit-daemon. (bsc#1059723) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1917-1 Released: Mon Nov 27 13:32:07 2017 Summary: Optional update for gcc7 Type: recommended Severity: low References: 1056437,1062591,1062592 Description: The GNU Compiler GCC 7 is being added to the Toolchain Module by this update. New features: - Support for specific IBM Power9 processor instructions. - Support for specific IBM zSeries z14 processor instructions. - New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support. The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1965-1 Released: Thu Nov 30 12:48:45 2017 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410 Description: The Software Update Stack was updated to receive fixes and enhancements. libsolv: - Many fixes and improvements for cleandeps. - Always create dup rules for 'distupgrade' jobs. - Use recommends also for ordering packages. - Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065) - Expose solver_get_recommendations() in bindings. - Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations(). - Support 'without' and 'unless' dependencies. - Use same heuristic as upstream to determine source RPMs. - Fix memory leak in bindings. - Add pool_best_solvables() function. - Fix 64bit integer parsing from RPM headers. - Enable bzip2 and xz/lzma compression support. - Enable complex/rich dependencies on distributions with RPM 4.13+. libzypp: - Fix media handling in presence of a repo path prefix. (bsc#1062561) - Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561) - Remove unused legacy notify-message script. (bsc#1058783) - Support multiple product licenses in repomd. (fate#322276) - Propagate 'rpm --import' errors. (bsc#1057188) - Fix typos in zypp.conf. zypper: - Locale: Fix possible segmentation fault. (bsc#1064999) - Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384) - Unify '(add|modify)(repo|service)' property related arguments. 
- Fixed 'add' commands supporting to set only a subset of properties. - Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671) - Fix missing package names in installation report. (bsc#1058695) - Differ between unsupported and packages with unknown support status. (bsc#1057634) - Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1966-1 Released: Thu Nov 30 13:45:24 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249 Description: This update for systemd fixes the following issues: - unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995) - compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249) - compat-rules: Allow to specify the generation number through the kernel command line. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - tmpfiles: Remove old ICE and X11 sockets at boot. - tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472) - pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on. - shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595) - shutdown: Fix incorrect fscanf() result check. - shutdown: Don't remount,ro network filesystems. (bsc#1035386) - shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641) - bash-completion: Add support for --now. (bsc#1053137) - Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. 
(bsc#1050152) - Add a rule to teach hotplug to offline containers transparently. (bsc#1040800) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1968-1 Released: Thu Nov 30 19:49:33 2017 Summary: Recommended update for coreutils Type: recommended Severity: low References: 1026567,1043059,965780 Description: This update for coreutils provides the following fixes: - Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567) - Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059) - Significantly speed up df(1) for huge mount lists. (bsc#965780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1970-1 Released: Thu Nov 30 22:55:41 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058) - CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242) - Out of bounds read+crash in DES_fcrypt (bsc#1065363) - openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2021-1 Released: Fri Dec 8 10:11:04 2017 Summary: Recommended update for file Type: recommended Severity: moderate References: 1070878,1070958 Description: This update for file fixes detection of JPEG files. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2031-1 Released: Mon Dec 11 12:55:57 2017 Summary: Recommended update for gzip Type: recommended Severity: low References: 1067891 Description: This update for gzip provides the following fix: - Fix mishandling of leading zeros in the end-of-block code (bsc#1067891) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2036-1 Released: Wed Dec 13 16:34:21 2017 Summary: Recommended update for util-linux Type: recommended Severity: low References: 1039276,1040968,1055446,1066500 Description: This update for util-linux provides the following fixes: - Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968) - Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446) - Fix a lscpu failure on Sydney Amazon EC2 region. (bsc#1066500) - If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2097-1 Released: Sat Dec 16 01:59:00 2017 Summary: Security update for openssl Type: security Severity: important References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738 Description: This update for openssl fixes the following issues: - OpenSSL Security Advisory [07 Dec 2017] * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \'error state\' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. 
    In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed directly from the SSL/TLS record layer without being decrypted/encrypted. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
  * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not the ADX extensions, like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2137-1
Released:    Thu Dec 21 17:49:12 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1046173,1071698
Description:
This update for dbus-1 provides the following fixes:

- The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it.
  (bsc#1071698)
- Remove calls to initscripts-related macros from the spec file, as dbus-1 does not ship any initscript anymore. (bsc#1046173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:4-1
Released:    Tue Jan 2 15:58:20 2018
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:

- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)

zypper:

- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:38-1
Released:    Tue Jan 9 14:56:43 2018
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  1070209
Description:
This update for kmod provides the following fixes:

- Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:55-1
Released:    Fri Jan 12 09:45:49 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:

- A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader have been fixed.
  [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
- A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
- A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:86-1
Released:    Wed Jan 17 09:38:17 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released:    Wed Jan 17 14:41:17 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Out-of-bounds read flaw in the FTP wildcard function (bsc#1069222).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released:    Wed Jan 17 14:44:33 2018
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    low
References:  1063051,1067312
Description:
This update for lvm2 provides the following fixes:

- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages when testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd. (bsc#1067312)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released:    Thu Jan 25 11:44:23 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1064397,1065083
Description:
This update for openldap2 provides the following fixes:

- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released:    Thu Jan 25 13:38:37 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.
This security issue was fixed:

- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released:    Tue Jan 30 10:53:43 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.

These security issues were fixed:

- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released:    Tue Jan 30 14:36:40 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.

This security issue was fixed:

- CVE-2018-1049: Prevent a race that can lead to DoS when using automounts (bsc#1076308).

These non-security issues were fixed:

- core: don't choke if a unit that another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of the netlink fd from the caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files.
  (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as a bounded getline() replacement
- service: Don't stop unneeded units needed by a restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released:    Tue Jan 30 14:37:42 2018
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.

This security issue was fixed:

- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER encoded structure, which allowed for DoS (bsc#1076832).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released:    Thu Feb 8 17:47:43 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes the following issues.

These security issues were fixed:

- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released:    Mon Feb 12 11:50:39 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    low
References:  1057452,1076909
Description:
This update for bash provides the following fixes:

- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released:    Thu Feb 15 14:47:35 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)

Non-security bugs fixed:

- Release read lock after resetting timeout (bsc#1073990)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released:    Mon Feb 26 16:34:46 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:

Security issue fixed:

- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on.
  This could be used by local attackers to gain privileges (bsc#1077925)

Non-security issues fixed:

- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com
- Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224). But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released:    Wed Feb 28 16:33:37 2018
Summary:     Recommended update for net-tools
Type:        recommended
Severity:    low
References:  1009905,1063910
Description:
This update for net-tools provides the following fix:

- netstat: fix handling of large socket numbers (bsc#1063910)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released:    Fri Mar 9 14:05:22 2018
Summary:     Security update for augeas
Type:        security
Severity:    low
References:  1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:

Security issue fixed:

- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released:    Fri Mar 9 18:02:14 2018
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:

- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released:    Mon Mar 12 13:13:55 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:

- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released:    Thu Mar 15 07:38:52 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:

- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released:    Thu Mar 15 10:47:40 2018
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    low
References:  1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:

libsolv:

- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.

libzypp:

- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)

zypper:

- Do not recommend cron, as it is not a direct dependency of zypper. (bsc#1079334)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released:    Thu Mar 22 08:20:46 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:

The following security issues were fixed:

- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released:    Thu Mar 29 14:02:08 2018
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:

Security issues fixed:

- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).

Non-security issues fixed:

- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos.
  System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released:    Thu Apr 5 17:22:37 2018
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.

This security issue was fixed:

- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released:    Wed Apr 11 18:02:57 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:

- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. (bsc#1087102)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released:    Wed Apr 25 14:14:41 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released:    Wed Apr 25 14:23:49 2018
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv and libzypp provides the following fixes:

Changes in libsolv:

- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)

Changes in libzypp:

- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to the CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released:    Wed May 2 22:16:26 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:

- Fix find-lang.sh to handle the special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros.
  (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0 or 1 if the first version is less than, equal to or greater than the second version, respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second parameter is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp, and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released:    Mon May 7 07:07:38 2018
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    important
References:  1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update for gcc7 to the 7.3 release fixes the following issues:

- Update to the GCC 7.3 release, further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for a chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445, which is about an RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to behavior compatible with the default ABI. [bsc#1087550]
- Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with the GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released:    Thu May 17 08:41:30 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:

Security issues fixed:

- CVE-2018-1000301: Fixed an RTSP bad headers buffer over-read that could crash the curl client (bsc#1092098)

Non-security issues fixed:

- If the DEFAULT_SUSE cipher list is not available, use the HIGH cipher alias before failing. (bsc#1086825)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released:    Wed May 23 16:46:50 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:

- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released:    Wed May 23 17:14:16 2018
Summary:     Security update for bash
Type:        security
Severity:    moderate
References:  1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:

Security issues fixed:

- CVE-2016-7543: A code execution possibility via the SHELLOPTS+PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via a malicious hostname was fixed (bsc#1000396)

Non-security issues fixed:

- Fix repeated self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs.
  (bsc#1086247)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released:    Wed May 23 17:18:39 2018
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1071321
Description:
This update for zlib fixes the following issues:

- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released:    Tue Jun 5 13:20:44 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1089884
Description:
This update for pam fixes the following issues:

- Fix order of accessed configuration files in man page. (bsc#1089884)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released:    Wed Jun 6 11:44:25 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:

- CVE-2017-18269: Fix SSE2 memmove issue when crossing the 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond the destination buffer in __mempcpy_avx512_no_vzeroupper (bsc#1094154)

Non-security bugs fixed:

- Fix crash in resolver on memory allocation failure (bsc#1086690)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released:    Thu Jun 7 12:58:56 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1073879,1080078,964063
Description:
This update for rpm fixes the following issues:

- Backport support for the no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros.
  (bsc#1080078)

Additionally, this update adds python3-rpm to SUSE Linux Enterprise Server.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released:    Fri Jun 15 13:41:08 2018
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released:    Fri Jun 15 19:19:51 2018
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1090765
Description:
This update for openssl provides the following fix:

- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released:    Thu Jun 28 13:44:16 2018
Summary:     Security update for procps
Type:        security
Severity:    moderate
References:  1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released:    Thu Jul 5 08:36:17 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released:    Tue Jul 17 08:07:57 2018
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)
This non-security issue was fixed:
- Fix debugger crash in tab completion with Term::ReadLine::Gnu (bsc#1068565)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released:    Thu Jul 19 09:43:21 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released:    Thu Jul 26 16:32:29 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:
This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1413-1
Released:    Fri Jul 27 12:41:13 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released:    Mon Jul 30 10:10:45 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released:    Mon Aug 13 13:41:22 2018
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1610-1
Released:    Thu Aug 16 14:04:25 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order.
(bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released:    Thu Aug 16 14:49:45 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released:    Thu Aug 16 15:27:04 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:
- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096)
- compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096)
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables.
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890)
- logind: Do not use an uninitialized variable. (bsc#1088890)
- Disable user services by default.
(bsc#1090785)
- Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post, which left the symlink unowned by any package and, more importantly, created it only if /etc/sysctl.conf was already installed, which is not always the case during the installation process. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead, since it is a distro default that the sysadmin may override later.
- systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule so that it can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in the kernel. This change prevents the udev rules for ACPI containers from being triggered by 'udevadm trigger' from user space.
- build-sys: Explicitly require python3. (bsc#1082004)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1636-1
Released:    Thu Aug 16 15:30:11 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1689-1
Released:    Mon Aug 20 09:02:24 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package.
(bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1691-1
Released:    Mon Aug 20 09:04:17 2018
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1695-1
Released:    Mon Aug 20 09:19:20 2018
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)
This non-security issue was fixed:
- Fix debugger crash in tab completion with Term::ReadLine::Gnu (bsc#1068565)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1698-1
Released:    Mon Aug 20 09:19:28 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1834-1
Released:    Wed Sep 5 10:17:42 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1089761,1090944,1101040,1103910
Description:
This update for systemd fixes the following issues:
- cryptsetup: Add support for sector-size= option. (fate#325634)
- resolved: Apply epoch to system time from PID 1. (bsc#1103910)
- core/service: Rework the hold-off time over message.
- core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used.
(bsc#1089761)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1903-1
Released:    Fri Sep 14 12:46:21 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1089533,1106019,CVE-2018-14618
Description:
This update for curl fixes the following issues:
This security issue was fixed:
- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)
This non-security issue was fixed:
- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1969-1
Released:    Mon Sep 24 08:06:42 2018
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    important
References:  1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685
Description:
This update for libzypp, zypper fixes the following issues:
Update libzypp to version 16.17.20:
Security issues fixed:
- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
Other bugs fixed:
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
Update zypper to version 1.13.45:
Security issues fixed:
- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)
Other bugs fixed:
- XML attribute `packages-to-change` added (bsc#1102429)
- man: Make clear that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1985-1
Released:    Mon Sep 24 11:56:08 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1089640
Description:
This update for openldap2 provides the following fix:
- Fix slapd segfaults in mdb_env_reader_dest.
(bsc#1089640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1994-1
Released:    Mon Sep 24 12:55:57 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1106914
Description:
This update for shadow fixes the following security issue:
- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2069-1
Released:    Fri Sep 28 08:01:25 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737
Description:
This update for openssl fixes the following issues:
These security issues were fixed:
- Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789)
- CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039)
These non-security issues were fixed:
- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)
- Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2162-1
Released:    Fri Oct 5 14:46:53 2018
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1088921
Description:
This update for krb5 provides the following fix:
- Resolve krb5 GSS credentials immediately if the application requests the lifetime.
(bsc#1088921)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2181-1
Released:    Tue Oct 9 11:08:20 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:
This update for libxml2 fixes the following security issues:
- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2196-1
Released:    Thu Oct 11 07:45:16 2018
Summary:     Optional update for gcc8
Type:        recommended
Severity:    low
References:  1084812,1084842,1087550,1094222,1102564
Description:
The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 8, several bugs were fixed, quite a few new warnings were added, and error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html
Changes needed and common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2217-1
Released:    Fri Oct 12 15:07:24 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1094121,1107430
Description:
This update for bash provides the following fixes:
- Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121)
- Fix mis-matching of null string with '*' pattern. (bsc#1107430)
- Fix a crash when the lastpipe option is enabled.
- Fix a typo that was preventing the `compat42' shopt option from working as intended.
- Help the shell to process any pending traps at redirection.
- Fix a crash due to incorrect conversion from an indexed to associative array.
- Avoid the expansion of escape sequences in HOSTNAME in prompt.
- Avoid `xtrace' attack over $PS4.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2373-1
Released:    Mon Oct 22 14:43:47 2018
Summary:     Security update for rpm
Type:        security
Severity:    moderate
References:  1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM.
An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)
This non-security issue was fixed:
- Use ksym-provides tool (bsc#1077692)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released:    Wed Oct 24 14:42:43 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:
This update for systemd fixes the following issues:
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released:    Thu Oct 25 16:56:24 2018
Summary:     Recommended update
for libzypp
Type:        recommended
Severity:    moderate
References:  1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:
- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released:    Fri Oct 26 12:39:59 2018
Summary:     Recommended update for cpio
Type:        recommended
Severity:    low
References:  1076810,889138
Description:
This update for cpio provides the following fix:
- Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released:    Mon Oct 29 16:14:48 2018
Summary:     Recommended update for console-setup, kbd
Type:        recommended
Severity:    moderate
References:  1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:
Changes in console-setup:
- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942)
Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to =U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non x86 platforms
  * Drop references to KEYTABLE and COMPOSETABLE.
(bsc#1010880)
  * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock (bsc#1056449).
  * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that need this to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released:    Tue Oct 30 09:22:45 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1113117
Description:
This update for bash fixes the following issues:
A recently released update introduced a change of behavior that broke customer scripts.
(bsc#1113117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released:    Fri Nov 2 17:09:49 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:
- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released:    Fri Nov 2 18:59:06 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:
- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released:    Wed Nov 7 11:04:00 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1095148,1113100
Description:
This update for rpm fixes the following issues:
- Fix superfluous TOC.
dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released:    Wed Nov 14 14:14:41 2018
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)
Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump
defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package. This script was part of the systemd-sysvinit sub-package, but that was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released:    Thu Nov 22 16:25:38 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).
Non-security issues fixed:
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
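The two DSA timing fixes in SUSE-SU-2018:2760-1 above (CVE-2018-0734 and the follow-up patch for bsc#1113742) concern the per-signature nonce k leaking through big-number arithmetic whose running time depends on the operand's bit length. What follows is an added example, not OpenSSL's or SUSE's code: it shows one standard countermeasure, adding the group order q to k once or twice so that the value fed to the modular exponentiation always has the same bit length while still yielding the same signature. The toy DSA parameters (p=23, q=11, g=4) are chosen for readability only, and the 160-bit q used in the length check is an arbitrary odd number, since only its bit length matters there.

```python
"""Fixed-bit-length DSA nonce: a countermeasure to nonce-length timing leaks.

Added example, not code from OpenSSL or the SUSE advisory. A modular
exponentiation whose running time depends on the bit length of the exponent
leaks the top bits of the per-signature nonce k; with enough signatures a
lattice attack recovers the private key from such leaks. Adding q (once or
twice) to k gives k' == k (mod q) whose bit length is always bitlen(q) + 1,
so the exponentiation sees a constant-length exponent while g^k' == g^k (mod p).
"""
import secrets

# Toy DSA parameters (constructed for readability only, NOT secure):
# p = 23, q = 11 divides p - 1 = 22, and g = 4 has order 11 modulo 23.
TOY_P, TOY_Q, TOY_G = 23, 11, 4


def fixed_length_nonce(k: int, q: int) -> int:
    """Return k' == k (mod q) with bit_length(k') == bit_length(q) + 1.

    k + q has either bitlen(q) or bitlen(q) + 1 bits; in the former case a
    second addition of q pushes it past 2**bitlen(q) without reaching
    2**(bitlen(q) + 1). The result is always below 3q.
    """
    if not 0 < k < q:
        raise ValueError("nonce must satisfy 0 < k < q")
    k_padded = k + q
    if k_padded.bit_length() <= q.bit_length():
        k_padded += q
    return k_padded


def dsa_sign(h: int, x: int, k: int, p: int = TOY_P, q: int = TOY_Q, g: int = TOY_G):
    """DSA signature (r, s) over hash h (already reduced mod q) with private
    key x, using the padded nonce for the exponentiation and the inversion."""
    k_padded = fixed_length_nonce(k, q)
    r = pow(g, k_padded, p) % q          # identical to the r computed from raw k
    if r == 0:
        raise ValueError("degenerate nonce, pick another k")
    k_inv = pow(k_padded, -1, q)         # == pow(k, -1, q), since k_padded == k mod q
    s = (k_inv * (h + x * r)) % q
    if s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return r, s


def dsa_verify(h: int, sig, y: int, p: int = TOY_P, q: int = TOY_Q, g: int = TOY_G) -> bool:
    """Standard DSA verification against the public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (h * w) % q
    u2 = (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


def nonce_bit_lengths(q: int, samples: int = 256):
    """Bit lengths observed for raw random nonces versus padded ones.

    Returns (raw_lengths, padded_lengths). The padded set has exactly one
    element, which is what removes the length-dependent timing signal."""
    raw, padded = set(), set()
    for _ in range(samples):
        k = 1 + secrets.randbelow(q - 1)  # uniform in [1, q-1]
        raw.add(k.bit_length())
        padded.add(fixed_length_nonce(k, q).bit_length())
    return raw, padded


if __name__ == "__main__":
    x = 3
    y = pow(TOY_G, x, TOY_P)
    sig = dsa_sign(h=7, x=x, k=5)
    print("toy signature", sig, "verifies:", dsa_verify(7, sig, y))
    q160 = (1 << 159) + 12345   # arbitrary 160-bit odd number, not a prime
    raw, padded = nonce_bit_lengths(q160)
    print("raw nonce bit lengths seen:", sorted(raw))
    print("padded nonce bit lengths seen:", sorted(padded))
```

Padding the nonce removes only the length leak; OpenSSL's fix also forces constant-time flags on the modular inversion, and a complete implementation needs both, since `pow(k, -1, q)` in Python is not constant time either.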
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released:    Fri Nov 23 17:07:27 2018
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)
This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released:    Fri Nov 23 17:08:32 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order.
  (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released: Tue Nov 27 13:39:49 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:
This non-security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released: Mon Dec 3 15:34:09 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released: Wed Dec 5 09:29:31 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:
- Systemd-aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released: Wed Dec 5 09:57:54 2018
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:
- Allow setuid root for start-suid tool of singularity (group only) (bsc#1028304)
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247 bsc#1097665)
- Make btmp root:utmp (bsc#1050467)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released: Wed Dec 5 09:59:45 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:
- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released: Tue Dec 11 21:48:05 2018
Summary: Recommended update for blog
Type: recommended
Severity: moderate
References: 1071568
Description:
This update for blog fixes the following issues:
- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in the same manner as used by the release notes
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released: Mon Dec 17 08:51:28 2018
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:
- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released: Tue Jan 8 13:07:17 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:
- quote: Escape literal backslashes (bsc#953659).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Type: security
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:
Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released: Mon Jan 21 13:53:58 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:
Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)
Non-security issues fixed:
- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns an exit failure code when it detects the _none_ state.
  The exit failure code causes that the hot-add memory block cannot be set to online. (bsc#1076696)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Type: recommended
Severity: important
References: 1121450
Description:
This update for ncurses fixes the following issues:
- ncurses applications freezing (bsc#1121450)

From sle-updates at lists.suse.com Thu Jan 16 09:58:33 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:58:33 +0100 (CET)
Subject: SUSE-CU-2019:719-1: Security update of caasp/v4/mariadb
Message-ID: <20200116165833.3A3E8F796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:719-1
Container Tags : caasp/v4/mariadb:10.0.35 , caasp/v4/mariadb:10.0.35-rev1 , caasp/v4/mariadb:10.0.35-rev1-build1.2
Severity : important
Type : security
-----------------------------------------------------------------
The container caasp/v4/mariadb was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.
This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).
This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Type: security
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Type: security
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Type: security
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with space.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.
This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released: Tue Feb 3 14:51:17 2015
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 913209
Description:
curl was updated to fix problems when operating in FIPS mode.
This patch re-enables the following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released: Tue Feb 3 16:30:16 2015
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.
CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer overread and to a crash of the application using libssh2_org.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Type: security
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.
The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of boundary
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.
libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)
FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Type: security
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:
Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Type: recommended
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.
It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Type: optional
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module. Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.
This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes.
The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).
The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. IBM zSeries z13 hardware support has also been added to gdb. (fate#318039)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:
Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)
Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin).
The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Type: recommended
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-utf-8 data.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:922-1 Released: Tue Dec 22 08:44:25 2015 Summary: Security update for gpg2 Type: security Severity: moderate References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607 Description: The gpg2 package was updated to fix the following security and non-security issues: - CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089). - CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090). - bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:869-1 Released: Wed Dec 23 10:01:16 2015 Summary: Recommended update for libksba Type: security Severity: moderate References: 926826 Description: The libksba package was updated to fix the following security issues: - Fixed an integer overflow, an out-of-bounds read and a stack overflow (bsc#926826). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:862-1 Released: Wed Dec 23 17:40:51 2015 Summary: Recommended update for acl Type: recommended Severity: moderate References: 945899 Description: This update for acl provides the following fixes: - Fix segmentation fault of getfacl -e on overly long group name. - Make sure that acl_from_text() always sets errno when it fails. - Fix memory and resource leaks in getfacl. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:46-1 Released: Fri Jan 8 12:37:34 2016 Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret Type: recommended Severity: moderate References: 932232 Description: This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode. The various GNOME libraries and tools have been changed to use the default libgcrypt allocators. 
GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:183-1 Released: Mon Feb 1 11:32:26 2016 Summary: Security update for mariadb Type: security Severity: moderate References: 937787,957174,958789,CVE-2015-4792,CVE-2015-4802,CVE-2015-4807,CVE-2015-4815,CVE-2015-4826,CVE-2015-4830,CVE-2015-4836,CVE-2015-4858,CVE-2015-4861,CVE-2015-4870,CVE-2015-4913,CVE-2015-5969 Description: MariaDB has been updated to version 10.0.22, which brings fixes for many security issues and other improvements. The following CVEs have been fixed: - 10.0.22: CVE-2015-4802, CVE-2015-4807, CVE-2015-4815, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4870, CVE-2015-4913, CVE-2015-4792 - Fix information leak via mysql-systemd-helper script. (CVE-2015-5969, bsc#957174) For a comprehensive list of changes refer to the upstream Release Notes and Change Log documents: - https://kb.askmonty.org/en/mariadb-10022-release-notes/ - https://kb.askmonty.org/en/mariadb-10022-changelog/ ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:201-1 Released: Thu Feb 4 15:51:22 2016 Summary: Security update for curl Type: security Severity: moderate References: 934333,936676,962983,962996,CVE-2016-0755 Description: This update for curl fixes the following issues: - CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983) The following non-security bugs were fixed: - bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time The following tracked bugs only affect the test suite: - bsc#962996: Expired cookie in test 46 caused test failures - bsc#934333: Curl test suite was not run, is now enabled during build 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:371-1 Released: Thu Mar 3 15:58:18 2016 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 960820 Description: This update for insserv-compat fixes the name of the ntpd service. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:413-1 Released: Fri Mar 11 10:17:57 2016 Summary: Security update for libssh2_org Type: security Severity: moderate References: 933336,961964,967026,CVE-2016-0787 Description: This update for libssh2_org fixes the following issues: Security issue fixed: - CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation produced private exponents far shorter than the group size requires, which could let an attacker recover the negotiated session keys. A feature was added: - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed: - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:462-1 Released: Wed Mar 16 18:17:59 2016 Summary: Recommended update for libcap Type: recommended Severity: low References: 967838 Description: This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:543-1 Released: Fri Apr 1 18:44:16 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 970882 Description: This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. 
(bsc#970882) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:565-1 Released: Wed Apr 6 16:26:42 2016 Summary: Security update for gcc5 Type: security Severity: moderate References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276 Description: The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements. The following security issue has been fixed: - Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842) The following non-security issues have been fixed: - Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220) - Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468) - Fix HTM built-ins on PowerPC. (bsc#955382) - Fix libgo certificate lookup. (bsc#953831) - Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460) - Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002) - Revert accidental libffi ABI breakage on aarch64. (bsc#968771) - On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586. - Add experimental File System TS library. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:636-1 Released: Mon Apr 18 09:18:19 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 965902,CVE-2015-7511 Description: libgcrypt was updated to fix one security issue. This security issue was fixed: - CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:643-1 Released: Tue Apr 19 09:23:39 2016 Summary: Recommended update for bzip2 Type: recommended Severity: low References: 970260 Description: This update for bzip2 fixes the following issues: - Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:697-1 Released: Thu Apr 28 16:03:24 2016 Summary: Recommended update for libssh2_org Type: recommended Severity: important References: 974691 Description: This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex(). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:801-1 Released: Thu May 19 22:38:01 2016 Summary: Recommended update for curl Type: recommended Severity: moderate References: 915846 Description: This update for curl fixes the following issue: - Fix 'Network is unreachable' error when ipv6 is not available but ipv4. This fixes the same error in applications using libcurl4 (like zypper). 
(bsc#915846) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:835-1 Released: Wed May 25 18:27:30 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 979629 Description: This update for libgcrypt fixes the following issue: - Fix failing reboot after installing fips pattern (bsc#979629) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:898-1 Released: Tue Jun 7 09:48:12 2016 Summary: Security update for expat Type: security Severity: important References: 979441,980391,CVE-2015-1283,CVE-2016-0718 Description: This update for expat fixes the following issues: Security issue fixed: - CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441) - CVE-2015-1283: Fix multiple integer overflows. (bnc#980391) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:900-1 Released: Tue Jun 7 10:58:37 2016 Summary: Security update for libksba Type: security Severity: moderate References: 979261,979906,CVE-2016-4574,CVE-2016-4579 Description: This update for libksba fixes the following issues: - CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl() - CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261) Also adding reliability fixes from v1.3.4. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:963-1 Released: Fri Jun 17 16:56:18 2016 Summary: Security update for mariadb Type: security Severity: important References: 961935,963806,963810,970287,970295,980904,CVE-2016-0505,CVE-2016-0546,CVE-2016-0596,CVE-2016-0597,CVE-2016-0598,CVE-2016-0600,CVE-2016-0606,CVE-2016-0608,CVE-2016-0609,CVE-2016-0616,CVE-2016-0640,CVE-2016-0641,CVE-2016-0642,CVE-2016-0643,CVE-2016-0644,CVE-2016-0646,CVE-2016-0647,CVE-2016-0648,CVE-2016-0649,CVE-2016-0650,CVE-2016-0651,CVE-2016-0655,CVE-2016-0666,CVE-2016-0668,CVE-2016-2047 Description: mariadb was updated to version 10.0.25 to fix 25 security issues. These security issues were fixed: - CVE-2016-0505: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Options (bsc#980904). - CVE-2016-0546: Unspecified vulnerability allowed local users to affect confidentiality, integrity, and availability via unknown vectors related to Client (bsc#980904). - CVE-2016-0596: Unspecified vulnerability allowed remote authenticated users to affect availability via vectors related to DML (bsc#980904). - CVE-2016-0597: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Optimizer (bsc#980904). - CVE-2016-0598: Unspecified vulnerability allowed remote authenticated users to affect availability via vectors related to DML (bsc#980904). - CVE-2016-0600: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to InnoDB (bsc#980904). - CVE-2016-0606: Unspecified vulnerability allowed remote authenticated users to affect integrity via unknown vectors related to encryption (bsc#980904). - CVE-2016-0608: Unspecified vulnerability allowed remote authenticated users to affect availability via vectors related to UDF (bsc#980904). 
- CVE-2016-0609: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to privileges (bsc#980904). - CVE-2016-0616: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Optimizer (bsc#980904). - CVE-2016-0640: Unspecified vulnerability allowed local users to affect integrity and availability via vectors related to DML (bsc#980904). - CVE-2016-0641: Unspecified vulnerability allowed local users to affect confidentiality and availability via vectors related to MyISAM (bsc#980904). - CVE-2016-0642: Unspecified vulnerability allowed local users to affect integrity and availability via vectors related to Federated (bsc#980904). - CVE-2016-0643: Unspecified vulnerability allowed local users to affect confidentiality via vectors related to DML (bsc#980904). - CVE-2016-0644: Unspecified vulnerability allowed local users to affect availability via vectors related to DDL (bsc#980904). - CVE-2016-0646: Unspecified vulnerability allowed local users to affect availability via vectors related to DML (bsc#980904). - CVE-2016-0647: Unspecified vulnerability allowed local users to affect availability via vectors related to FTS (bsc#980904). - CVE-2016-0648: Unspecified vulnerability allowed local users to affect availability via vectors related to PS (bsc#980904). - CVE-2016-0649: Unspecified vulnerability allowed local users to affect availability via vectors related to PS (bsc#980904). - CVE-2016-0650: Unspecified vulnerability allowed local users to affect availability via vectors related to Replication (bsc#980904). - CVE-2016-0651: Unspecified vulnerability allowed local users to affect availability via vectors related to Optimizer (bsc#980904). - CVE-2016-0655: Unspecified vulnerability allowed local users to affect availability via vectors related to InnoDB (bsc#980904). 
- CVE-2016-0666: Unspecified vulnerability allowed local users to affect availability via vectors related to Security: Privileges (bsc#980904). - CVE-2016-0668: Unspecified vulnerability allowed local users to affect availability via vectors related to InnoDB (bsc#980904). - CVE-2016-2047: The ssl_verify_server_cert function in sql-common/client.c did not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allowed man-in-the-middle attackers to spoof SSL servers via a '/CN=' string in a field in a certificate, as demonstrated by '/OU=/CN=bar.com/CN=foo.com' (bsc#963806). These non-security issues were fixed: - bsc#961935: Remove the leftovers of the 'openSUSE' string in the '-DWITH_COMMENT' and '-DCOMPILATION_COMMENT' options - bsc#970287: remove the ha_tokudb.so plugin and the tokuft_logprint and tokuftdump binaries, as the TokuDB storage engine requires the jemalloc library that isn't present in SLE-12-SP1 - bsc#970295: Fix the leftovers of the 'logrotate.d/mysql' string in the logrotate error message. Occurrences of this string were changed to 'logrotate.d/mariadb' - bsc#963810: Add 'log-error' and 'secure-file-priv' configuration options * add '/etc/my.cnf.d/error_log.conf' that specifies 'log-error = /var/log/mysql/mysqld.log'. If no path is set, the error log is written to '/var/lib/mysql/$HOSTNAME.err', which is not picked up by logrotate. * add '/etc/my.cnf.d/secure_file_priv.conf' which specifies that 'LOAD DATA', 'SELECT ... INTO' and 'LOAD_FILE()' will only work with files in the directory specified by the 'secure-file-priv' option (='/var/lib/mysql-files'). 
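The CVE-2016-2047 entry above describes a hostname check that scanned the flattened one-line subject for the first '/CN=' and so could be fooled by a '/CN=' planted inside an earlier attribute value. The following added example, which is not MariaDB's code, reproduces that flawed substring check next to a hardened check that works from the parsed RDN list and prefers subjectAltName entries. The sample subject is built from the exact string the advisory quotes; the (attribute, value) list shape, the "DNS:" prefix for SAN entries, the rule that multiple CN attributes are rejected rather than guessed at, and the single-leading-label wildcard policy are assumptions made for the example.

```python
from typing import List, Tuple

# Constructed sample subject in the flattened "/K=V/K=V" form the advisory quotes.
# The OU value itself contains the text "/CN=bar.com"; the real CN is foo.com.
SPOOFED_ONELINE = "/OU=/CN=bar.com/CN=foo.com"

# The same subject as structured RDNs, i.e. what an X.509 parser actually
# returns (assumed shape: (attribute, value) pairs in certificate order).
SPOOFED_RDNS = [("OU", "/CN=bar.com"), ("CN", "foo.com")]


def cn_from_oneline_naive(subject_oneline: str) -> str:
    """Pre-fix behaviour described in the advisory: locate the first '/CN='
    in the flattened subject and take the text up to the next '/'.
    Values are not escaped in this form, so a '/CN=' embedded in an earlier
    attribute value is mistaken for the Common Name."""
    idx = subject_oneline.find("/CN=")
    if idx < 0:
        return ""
    rest = subject_oneline[idx + 4:]
    end = rest.find("/")
    return rest if end < 0 else rest[:end]


def verify_naive(hostname: str, subject_oneline: str) -> bool:
    """Vulnerable check: exact compare against whatever the substring scan found."""
    return cn_from_oneline_naive(subject_oneline) == hostname


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match allowing one leading wildcard label:
    '*.example.org' matches 'api.example.org' but neither 'example.org'
    nor 'a.b.example.org'. Any other '*' placement is treated literally."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    host_labels = hostname.split(".")
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def verify_hardened(hostname: str, rdns: List[Tuple[str, str]],
                    sans: List[str]) -> bool:
    """Hardened check: if any dNSName subjectAltName entries are present they
    alone decide (RFC 6125 behaviour, CN is not consulted). Otherwise require
    exactly one CN attribute in the parsed RDN list and match that value;
    the flattened string is never searched."""
    dns_names = [s[4:] for s in sans if s.startswith("DNS:")]
    if dns_names:
        return any(_label_match(n, hostname) for n in dns_names)
    cns = [v for k, v in rdns if k == "CN"]
    if len(cns) != 1:
        return False          # zero or ambiguous CNs: refuse rather than guess
    return _label_match(cns[0], hostname)


if __name__ == "__main__":
    print("naive  CN extracted :", cn_from_oneline_naive(SPOOFED_ONELINE))
    print("naive  accepts bar.com:", verify_naive("bar.com", SPOOFED_ONELINE))
    print("hardened accepts bar.com:", verify_hardened("bar.com", SPOOFED_RDNS, []))
    print("hardened accepts foo.com:", verify_hardened("foo.com", SPOOFED_RDNS, []))
```

The naive path reports bar.com as the certificate's name, so a certificate legitimately issued for foo.com is accepted when connecting to bar.com; the hardened path only ever sees the real CN.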
----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:987-1 Released: Wed Jun 22 14:32:18 2016 Summary: Recommended update for procps Type: recommended Severity: low References: 981616 Description: This update for procps fixes the following issues: - Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1028-1 Released: Thu Jul 7 11:50:47 2016 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 986935 Description: This update for findutils fixes the following issues: - find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1126-1 Released: Sat Jul 30 00:39:03 2016 Summary: Recommended update for kmod Type: recommended Severity: low References: 983754,989788 Description: This update for kmod fixes libkmod to handle very long lines in /proc/modules. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1205-1 Released: Thu Aug 11 15:02:18 2016 Summary: Recommended update for rpm Type: recommended Severity: low References: 829717,894610,940315,953532,965322,967728 Description: This update for rpm provides the following fixes: - Add is_opensuse and leap_version macros to suse_macros. (bsc#940315) - Add option to make postinstall scriptlet errors fatal. (bsc#967728) - Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322) - Fix updating of sources/patches when recursing because of a BuildArch. 
(bsc#953532) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1228-1 Released: Tue Aug 16 09:29:01 2016 Summary: Security update for libidn Type: security Severity: moderate References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263 Description: This update for libidn fixes the following issues: - CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189) - CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190) - CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8 (bsc#990191) - CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1247-1 Released: Fri Aug 19 12:58:39 2016 Summary: Security update for cracklib Type: security Severity: moderate References: 992966,CVE-2016-6318 Description: This update for cracklib fixes the following issues: - Add patch to fix a buffer overflow in the GECOS parser (bsc#992966 CVE-2016-6318) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1308-1 Released: Fri Sep 2 11:52:13 2016 Summary: Security update for mariadb Type: security Severity: moderate References: 984858,985217,986251,991616,CVE-2016-3477,CVE-2016-3521,CVE-2016-3615,CVE-2016-5440 Description: This update for mariadb fixes the following issues: - CVE-2016-3477: Unspecified vulnerability in subcomponent parser [bsc#991616] - CVE-2016-3521: Unspecified vulnerability in subcomponent types [bsc#991616] - CVE-2016-3615: Unspecified vulnerability in subcomponent dml [bsc#991616] - CVE-2016-5440: Unspecified vulnerability in subcomponent rbr [bsc#991616] - mariadb failing test main.bootstrap [bsc#984858] - leftover 'openSUSE' comments in MariaDB on SLE12 GM and SP1 [bsc#985217] - remove unnecessary conditionals from specfile - add 
'--ignore-db-dir=lost+found' option to rc.mysql-multi in order not to misinterpret the lost+found directory as a database [bsc#986251] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1326-1 Released: Thu Sep 8 11:37:44 2016 Summary: Security update for perl Type: security Severity: moderate References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185 Description: This update for Perl fixes the following issues: - CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311) - CVE-2016-1238: Searching the current directory for optional modules. (bsc#987887) - CVE-2015-8853: Regular expression engine hanging on bad UTF-8. (bsc) - CVE-2016-2381: Mishandling of duplicate environment variables. (bsc#967082) - 'Insecure dependency in require' error in taint mode. (bsc#984906) - Memory leak in 'use utf8' handling. (bsc#928292) - Missing lock prototype in the debugger. (bsc#932894) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2016:1358-1 Released: Thu Sep 15 20:54:21 2016 Summary: Optional update for gcc6 Type: optional Severity: low References: 983206 Description: This update ships the GNU Compiler Collection (GCC) in version 6.2. This update is shipped in two parts: - SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries. - SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update. Changes: - The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98. Generic Optimization improvements: - UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays. 
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly. - Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization. - Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined. - Various Link-time optimization improvements. - Inter-procedural optimization improvements: - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes. - Function cloning now more aggressively eliminates unused function parameters. - Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification. C language specific improvements: - Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers. - Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings. - Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code. - The C and C++ compilers now offer suggestions for misspelled field names. 
- New command-line options have been added for the C and C++ compilers: - -Wshift-negative-value warns about left shifting a negative value. - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit. - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall. - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used. - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain. - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall. - The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file. C improvements: - It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects. - A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions. C++ improvements: - The default mode has been changed to -std=gnu++14. - C++ Concepts are now supported when compiling with -fconcepts. - -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location. - G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions. 
- G++ now allows constant evaluation for all non-type template arguments. - G++ now supports C++ Transactional Memory when compiling with -fgnu-tm. libstdc++ improvements: - Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland. - Experimental support for C++17. - An experimental implementation of the File System TS. - Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You. - Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit. Fortran improvements: - Fortran 2008 SUBMODULE support. - Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support. - Improved support for Fortran 2003 deferred-length character variables. - Improved support for OpenMP and OpenACC. - The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0. - The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind. - The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default. Architecture improvements: - AArch64 received a lot of improvements. IA-32/x86-64 improvements: - GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ. - Support for new AMD instructions monitorx and mwaitx has been added. 
This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx. - x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment. - Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly. - Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options. PowerPC / PowerPC64 / RS6000 improvements: - PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point. - Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. 
The following new switches are available: - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler. - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used. - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add). - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system. - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers. - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions. - -mpower9-minmax: Reserved for future development. - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities. - New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions. - Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later. - All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers. - Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed. - GCC on PowerPC now supports the standard lround function. - The 'q', 'S', 'T', and 't' asm-constraints have been removed. - The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed. 
S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible with the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.

An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)

Also the following bug was fixed:
- fixing a performance issue (bsc#991746)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1397-1
Released: Tue Sep 27 17:49:10 2016
Summary: Security update for mariadb
Type: security
Severity: important
References: 949520,998309,CVE-2016-6662
Description:
This update for mariadb to 10.0.27 fixes the following issues:

Security issue fixed:
* CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as mysql (or even root) user.
(bsc#998309)
* release notes: https://kb.askmonty.org/en/mariadb-10027-release-notes
* changelog: https://kb.askmonty.org/en/mariadb-10027-changelog

Bugs fixed:
- Make ORDER BY optimization functions take into account multiple equalities. (bsc#949520)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released: Wed Nov 2 12:07:51 2016
Summary: Security update for curl
Type: security
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released: Mon Nov 7 20:01:31 2016
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1002975
Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in the %files section. (bsc#1002975)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1006469,958369,979436
Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi-sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. (bsc#958369)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1717-1
Released: Mon Nov 28 16:24:41 2016
Summary: Recommended update for mariadb
Type: security
Severity: important
References: 1001367,1003800,1004477,1005555,1005558,1005562,1005564,1005566,1005569,1005581,1005582,1006539,1008318,990890,CVE-2016-3492,CVE-2016-5584,CVE-2016-5616,CVE-2016-5624,CVE-2016-5626,CVE-2016-5629,CVE-2016-6663,CVE-2016-7440,CVE-2016-8283
Description:
This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318):

Security fixes:
- CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582)
- CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581)
- CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569)
- CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566)
- CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564)
- CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562)
- CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558)
- CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555)
- CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367)

Bugfixes:
- mysql_install_db can't find data files (bsc#1006539)
- mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800)
- Remove useless mysql at default.service (bsc#1004477)
- Replace all occurrences of the string '@sysconfdir@' with '/etc' as it wasn't expanded properly (bsc#990890)
- Notable changes:
  * XtraDB updated to 5.6.33-79.0
  * TokuDB updated to 5.6.33-79.0
  * Innodb updated to 5.6.33
  * Performance Schema updated to 5.6.33
- Release notes and upstream changelog:
  * https://kb.askmonty.org/en/mariadb-10028-release-notes
  * https://kb.askmonty.org/en/mariadb-10028-changelog

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1744-1
Released: Fri Dec 2 11:42:41 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.

These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c (PCRE) and pcre2_compile.c (PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
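The practical point of the pcre advisory above (SUSE-SU-2016:1744-1) is that nearly all of the listed bugs are reached through the pattern, not through the text being searched, so the exposure is confined to code that compiles user-controlled input as a regular expression. The standard mitigation is to never do that: accept a restricted query syntax and build the pattern yourself. The Python function below is an added example, not code from SUSE or the PCRE project, that turns a user-supplied glob-style query into a regex by escaping every character except '*' and '?' and bounding the query length. Python's re module stands in for pcre_compile(), the 256-character limit is an assumed value, and the recursive pattern named in CVE-2015-2328 is used as constructed input to show that it ends up as inert literal text.

```python
import re

# Upper bound on an untrusted query; an assumed value for this example.
MAX_QUERY_LEN = 256


class QueryTooLong(ValueError):
    """Raised before any pattern is built when the query exceeds MAX_QUERY_LEN."""


def glob_to_regex(query: str) -> str:
    """Translate a user-supplied glob query into regex source text.

    Every character is escaped except the two wildcards deliberately
    supported here: '*' (any run of characters) and '?' (exactly one).
    The user therefore never controls regex syntax, so recursion,
    back references, conditional groups and the other constructs behind
    the CVEs in this advisory never reach the engine's compiler.
    """
    if len(query) > MAX_QUERY_LEN:
        raise QueryTooLong(f"query longer than {MAX_QUERY_LEN} characters")
    parts = []
    for ch in query:
        if ch == "*":
            parts.append(".*?")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def compile_query(query: str) -> re.Pattern:
    """Compile the translated query; DOTALL lets '*' span line breaks."""
    return re.compile(glob_to_regex(query), re.DOTALL)


def glob_search(query: str, subject: str) -> bool:
    """True if the glob query matches anywhere in the subject text."""
    return compile_query(query).search(subject) is not None


if __name__ == "__main__":
    # Constructed inputs: the recursive pattern from CVE-2015-2328 is
    # matched only as literal text, while the two wildcards still work.
    print(glob_search("((?(R)a|(?1)))+", "log: ((?(R)a|(?1)))+ seen"))  # True
    print(glob_search("((?(R)a|(?1)))+", "aaaa"))                        # False
    print(glob_search("error*timeout", "error: upstream timeout"))       # True
```

If users genuinely need regex features, the same shape still applies: parse their input into an explicit, limited grammar and emit the pattern from that, rather than handing the raw string to the engine.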
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1782-1
Released: Fri Dec 9 13:35:02 2016
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1001790,1004289,1005404,1006372,1006690,989831,991443
Description:
This update for systemd provides the following fixes:
- Allow to redirect confirmation messages to a different console. (bsc#1006690)
- Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831)
- Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289)
- Don't emit space usage message right after opening the persistent journal. (bsc#991443)
- Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. (bsc#1006372)
- Document that *KeyIgnoreInhibited only apply to a subset of locks.
- Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404)
- Revert 'kbd-model-map: add more mappings offered by Yast'.
- Don't busy loop when we get a notification message we can't process.
- Rename kbd-model-map-extra into kbd-model-map.legacy.
- Add kbd-model-map-extra file which contains the additional maps needed by YaST.
- Drop localfs.service: unused and not needed anymore.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1827-1
Released: Thu Dec 15 12:41:10 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.

These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c (PCRE) and pcre2_compile.c (PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1863-1
Released: Wed Dec 21 10:41:35 2016
Summary: Recommended update for pth
Type: recommended
Severity: low
References: 1013286
Description:
This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released: Mon Jan 2 08:35:08 2017
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9842: Undefined left shift of negative number (bsc#1003580)
- CVE-2016-9840, CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
- Incompatible declarations for external linkage function deflate (bsc#1003577)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:6-1
Released: Tue Jan 3 15:01:58 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538
Description:
This update for systemd fixes the following issues:
- core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
- fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Ship kbd-model-map with the correct contents. (bsc#1015515)
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
- tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
- nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
- systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:32-1
Released: Mon Jan 9 11:50:42 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 994794
Description:
This update for dirmngr enables support for daemon mode.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:47-1
Released: Wed Jan 11 11:42:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1018214,1018399
Description:
This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:98-1
Released: Thu Jan 19 10:17:55 2017
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 998906
Description:
This update for kmod fixes a rare race condition while loading modules.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:149-1
Released: Wed Jan 25 09:17:08 2017
Summary: Security update for systemd
Type: security
Severity: important
References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:
This update for systemd fixes the following issues:

This security issue was fixed:
- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).

These non-security issues were fixed:
- Fix permission set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released: Thu Feb 2 18:22:37 2017
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.

This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

This non-security issue was fixed:
- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:192-1
Released: Fri Feb 3 18:46:05 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash (bsc#1005544)
* Fix NULL dereference in xpointer.c when in recovery mode (bsc#1014873)
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups.
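Because the CVE-2016-9318 change is not shipped, an application that parses untrusted XML remains responsible for closing the external entity (XXE) surface itself. The Python function below is an added example, not part of this advisory or of libxml2, of what that looks like at the application layer: it drives the standard library's expat binding, rejects any DOCTYPE or entity declaration outright, refuses external entity references and disables parameter entity parsing, so a document carrying an external entity fails before any file or URL is opened. Rejecting the DOCTYPE also shuts out internal-entity expansion bombs. The two sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when untrusted input uses DTD or entity features, or is malformed."""


def parse_untrusted(data: bytes) -> dict:
    """Parse untrusted XML with every entity-expansion surface closed.

    Returns a small summary (root element name, element count, character
    data) so the caller can see the document was really parsed.  Any
    DOCTYPE, entity declaration or external entity reference aborts the
    parse before anything is resolved.
    """
    parser = expat.ParserCreate()
    # Parameter entities are the channel for fetching an external DTD; never process them.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    summary = {"root": None, "elements": 0, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing the DOCTYPE up front covers internal entity bombs
        # (billion laughs) as well as external entities.
        raise UnsafeXML(f"DOCTYPE '{name}' not allowed in untrusted input")

    def on_entity_decl(*_args):
        raise UnsafeXML("entity declaration not allowed in untrusted input")

    def on_external_entity(_context, _base, sysid, _pubid):
        # Returning 0 makes expat abort with an error instead of reading sysid.
        return 0

    def on_start(name, _attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    def on_text(text):
        summary["text"].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Covers malformed input and a bare &x; reference with no declaration.
        raise UnsafeXML(f"rejected XML: {exc}") from exc
    summary["text"] = "".join(summary["text"])
    return summary


# Constructed sample documents for demonstration.
BENIGN = b"<doc><a>hi</a><b/></doc>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
       b"<d>&x;</d>")


def is_accepted(data: bytes) -> bool:
    """True if the document parsed, False if the gate rejected it."""
    try:
        parse_untrusted(data)
        return True
    except UnsafeXML:
        return False


if __name__ == "__main__":
    print(parse_untrusted(BENIGN))  # {'root': 'doc', 'elements': 3, 'text': 'hi'}
    print(is_accepted(XXE))         # False
```

The same policy maps directly onto libxml2 callers: parse without XML_PARSE_NOENT and XML_PARSE_DTDLOAD, and treat the presence of a DOCTYPE in untrusted input as a reason to reject the document rather than something to process.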
Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:207-1
Released: Tue Feb 7 13:33:08 2017
Summary: Security update for mariadb
Type: security
Severity: important
References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428,CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Description:
This mariadb version update to 10.0.29 fixes the following issues:
- CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896)
- CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894)
- CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873)
- CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884)
- CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885)
- CVE-2017-3258: unspecified vulnerability in the DDL component (bsc#1020875)
- CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878)
- CVE-2017-3244: unspecified vulnerability affecting the DML component (bsc#1020877)
- CVE-2017-3243: unspecified vulnerability affecting the Charsets component (bsc#1020891)
- CVE-2017-3238: unspecified vulnerability affecting the Optimizer component (bsc#1020882)
- CVE-2016-6664: Root Privilege Escalation (bsc#1008253)
- Applications using the client library for MySQL (libmysqlclient.so) had a use-after-free issue that could cause the applications to crash (bsc#1022428)
- notable changes:
  * XtraDB updated to 5.6.34-79.1
  * TokuDB updated to 5.6.34-79.1
  * Innodb updated to 5.6.35
  * Performance Schema updated to 5.6.35

Release notes and changelog:
* https://kb.askmonty.org/en/mariadb-10029-release-notes
* https://kb.askmonty.org/en/mariadb-10029-changelog
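The mysqld_safe issues in the two MariaDB advisories above (CVE-2016-6662 in the 10.0.27 update; CVE-2016-6664, CVE-2017-3291 and CVE-2017-3312 in the 10.0.29 update) share a root cause: the wrapper script trusted option files and directives that the unprivileged mysql account could write, so a SQL user who could drop a my.cnf into the datadir got code execution as mysql and, through the root-owned wrapper, as root. A check that stands on its own, independent of the package fix, is to audit every option file the server reads and flag any that the service account or the world can write, plus any malloc-lib or !include/!includedir directive that points outside the system paths. The Python script below is an added example, not part of the advisory or of MariaDB. The allowed library directories (/usr/lib, /usr/lib64), the include prefix (/etc/), the service account name "mysql" and the sample option files are assumptions for illustration; on a real host take the file list from the "Default options are read from the following files" line of mysqld --help --verbose and add the datadir.

```python
import os
import pwd
import re
import stat
import tempfile
from typing import Dict, List

# Assumed for this example: directories malloc-lib may load from, and the
# prefix !include/!includedir targets are expected to live under.
ALLOWED_LIB_PREFIXES = ("/usr/lib", "/usr/lib64")
ALLOWED_INCLUDE_PREFIX = "/etc/"

# The option-file directives that can pull in code or further files.
DIRECTIVE_RE = re.compile(r"^\s*(malloc[-_]lib|!include(?:dir)?)\s*=?\s*(\S+)", re.IGNORECASE)


def audit_config_file(path: str, service_uid: int, service_gid: int) -> List[str]:
    """Return the findings for one option file; an empty list means clean."""
    findings: List[str] = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings  # nothing there for the server to read
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink; the target is what gets read")
        st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if st.st_uid == service_uid:
        # The owner can chmod the file, so ownership alone is enough to flag it.
        findings.append(f"{path}: owned by the service account (uid {service_uid})")
    elif st.st_mode & stat.S_IWGRP and st.st_gid == service_gid:
        findings.append(f"{path}: writable by the service group (gid {service_gid})")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = DIRECTIVE_RE.match(line)
            if not m:
                continue
            directive, value = m.group(1).lower(), m.group(2)
            target = os.path.realpath(value)
            if directive.startswith("malloc"):
                # A bare library name is resolved from the system library dirs;
                # an explicit path must stay under the allowed prefixes.
                if "/" in value and not any(target.startswith(p + "/") for p in ALLOWED_LIB_PREFIXES):
                    findings.append(f"{path}:{lineno}: malloc-lib loads {value} from outside the system library dirs")
            elif not target.startswith(ALLOWED_INCLUDE_PREFIX):
                findings.append(f"{path}:{lineno}: {directive} pulls in {value} from outside {ALLOWED_INCLUDE_PREFIX}")
    return findings


def audit(paths: List[str], service_user: str = "mysql") -> Dict[str, List[str]]:
    """Audit every option file the server would read, keyed by path."""
    pw = pwd.getpwnam(service_user)
    return {p: audit_config_file(p, pw.pw_uid, pw.pw_gid) for p in paths}


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a clean file, and one shaped like the CVE-2016-6662
    scenario (written by the service account into its own datadir)."""
    d = tempfile.mkdtemp(prefix="cnf-audit-")
    me, my_group = os.getuid(), os.getgid()
    stranger = me + 100000  # a uid/gid that is certainly not ours
    clean = os.path.join(d, "my.cnf")
    with open(clean, "w") as fh:
        fh.write("[mysqld]\ndatadir=/var/lib/mysql\nmalloc-lib=/usr/lib64/libjemalloc.so.1\n")
    os.chmod(clean, 0o644)
    rogue = os.path.join(d, "datadir-my.cnf")
    with open(rogue, "w") as fh:
        fh.write("[mysqld]\nmalloc-lib = /var/lib/mysql/evil.so\n!include /var/lib/mysql/more.cnf\n")
    os.chmod(rogue, 0o666)
    return {
        "clean": audit_config_file(clean, stranger, stranger),
        "rogue": audit_config_file(rogue, me, my_group),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

audit() resolves the service account through pwd, so run it on the database host itself; demo() only exercises the checks on temporary files and needs no MariaDB installation.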
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:209-1
Released: Tue Feb 7 17:00:47 2017
Summary: Recommended update for libseccomp
Type: recommended
Severity: low
References: 1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1
Released: Wed Feb 8 13:07:24 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released: Fri Feb 10 15:39:32 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)

Security issues fixed:
- CVE-2016-7055: The x86_64 optimized Montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)

Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfiles.d files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed with older systemd versions (bsc#1019276)
- Properly require logrotate as we need it for the dirmngr configs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:365-1
Released: Fri Mar 10 15:16:59 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1006175
Description:
This update for sg3_utils fixes the following issue:
- Add udev rules to handle legacy CCISS devices (bsc#1006175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:389-1
Released: Thu Mar 16 14:16:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:
This update for systemd provides the following fixes:
- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:439-1
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Type: recommended
Severity: low
References: 1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released: Fri Mar 24 21:58:07 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package. (bsc#1015943)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:464-1
Released: Mon Mar 27 15:50:51 2017
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1007851,1029725,1029900
Description:
This update for glibc fixes a potential segmentation fault in libpthread:
- Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:580-1
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Type: recommended
Severity: important
References: 1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types (bsc#1028410)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:589-1
Released: Thu Apr 13 13:12:45 2017
Summary: Recommended update for libtool
Type: recommended
Severity: moderate
References: 1010802
Description:
This update for libtool prevents a segmentation fault caused by insufficient error handling in out-of-memory situations.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:609-1
Released: Tue Apr 18 11:28:14 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:732-1
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1030621
Description:
This update for procps fixes the following issues:
- Command w(1) with option -n doesn't work. (bsc#1030621)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:735-1
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:751-1
Released: Thu May 11 17:14:30 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:
This update for systemd provides the following fixes:
- logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as 'unchanged'. (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398)
- core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:794-1
Released: Tue May 16 15:41:09 2017
Summary: Security update for bash
Type: security
Severity: moderate
References: 1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.

Additionally, the popd builtin now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:795-1
Released: Tue May 16 15:41:28 2017
Summary: Security update for mariadb
Type: security
Severity: important
References: 1020868,1020890,1020976,1022428,1034911,996821,CVE-2017-3302,CVE-2017-3313
Description:
This update for mariadb fixes the following issues:
- update to MariaDB 10.0.30 GA
  * notable changes:
    * XtraDB updated to 5.6.35-80.0
    * TokuDB updated to 5.6.35-80.0
    * PCRE updated to 8.40
    * MDEV-11027: better InnoDB crash recovery progress reporting
    * MDEV-11520: improvements to how InnoDB data files are extended
    * Improvements to InnoDB startup/shutdown to make it more robust
    * MDEV-11233: fix for FULLTEXT index crash
    * MDEV-6143: MariaDB Linux binary tarballs will now always untar to directories that match their filename
  * release notes and changelog:
    * https://kb.askmonty.org/en/mariadb-10030-release-notes
    * https://kb.askmonty.org/en/mariadb-10030-changelog
  * fixes the following CVEs:
    CVE-2017-3313: unspecified
vulnerability affecting the MyISAM component [bsc#1020890] CVE-2017-3302: Use after free in libmysqlclient.so [bsc#1022428] - set the default umask to 077 in mysql-systemd-helper [bsc#1020976] - [bsc#1034911] - tracker bug * fixes also [bsc#1020868] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:799-1 Released: Wed May 17 00:21:13 2017 Summary: Recommended update for glibc Type: recommended Severity: low References: 1026224,1035445 Description: This update for glibc introduces basic support for IBM POWER9 systems. Additionally, an improper assert in dlclose() has been removed. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:857-1 Released: Wed May 24 15:42:31 2017 Summary: Recommended update for mariadb Type: recommended Severity: important References: 1020976,1038740 Description: This update for mariadb fixes permissions for /var/run/mysql in mysql-systemd-helper that were incorrectly set to 700 instead of 755 due to umask. This prevented non-root users from connecting to the database. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:865-1 Released: Wed May 24 16:23:20 2017 Summary: Security update for pam Type: security Severity: moderate References: 1015565,1037824,934920,CVE-2015-3238 Description: This update for pam fixes the following issues: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565). - If /etc/nologin is present, but empty, log a hint to syslog. 
(bsc#1015565) - Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:873-1 Released: Fri May 26 16:19:47 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1009532,960273 Description: This update for e2fsprogs provides the following fixes: - Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532) - Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:877-1 Released: Mon May 29 15:11:48 2017 Summary: Recommended update for cryptsetup Type: recommended Severity: low References: 1031998 Description: This update for cryptsetup provides the following fix: - Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:891-1 Released: Tue May 30 22:28:21 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following issues: - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064) - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. 
(bsc#1039066) - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661) - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:907-1 Released: Thu Jun 1 14:23:36 2017 Summary: Recommended update for shadow Type: recommended Severity: low References: 1003978,1031643 Description: This update for shadow fixes the following issues: - Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643) - useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID was iterated to find an available UID/GID. This could take long time over a network device. Instead, find available UID/GID locally, and then check only those values over network. (bsc#1003978) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:918-1 Released: Tue Jun 6 12:35:44 2017 Summary: Recommended update for libsemanage, selinux-policy Type: recommended Severity: moderate References: 1020143,1032445,1035818,1038189 Description: This update for libsemanage, selinux-policy fixes the following issues: - Limit to policy version 29 by default. 
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:939-1 Released: Mon Jun 12 10:56:22 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following security issues: * CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661) * CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066) * CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063) * CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:959-1 Released: Wed Jun 14 14:38:11 2017 Summary: Recommended update for gcc5 Type: recommended Severity: low References: 1043580 Description: This update for gcc5 fixes the version of libffi in its pkg-config configuration file. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:962-1 Released: Wed Jun 14 16:33:07 2017 Summary: Security update for openldap2 Type: security Severity: moderate References: 1009470,1037396,1041764,972331,CVE-2017-9287 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764) Non security bugs fixed: - Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. 
(bsc#1009470) - Fix an uninitialised variable that causes startup failure (bsc#1037396) - Fix an issue with transaction management that can cause server crash (bsc#972331) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:985-1 Released: Mon Jun 19 14:57:41 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1042326,931932,CVE-2017-9526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326) - Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:990-1 Released: Mon Jun 19 17:19:44 2017 Summary: Security update for glibc Type: security Severity: important References: 1039357,1040043,CVE-2017-1000366 Description: This update for glibc fixes the following issues: - CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357] - A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1033-1 Released: Fri Jun 23 16:38:55 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1038194 Description: This update for e2fsprogs provides the following fixes: - Don't ignore fsync errors in libext2fs. (bsc#1038194) - Fix fsync(2) detection in libext2fs. 
(bsc#1038194) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1036-1 Released: Mon Jun 26 08:12:24 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969 Description: This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337) * CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1040-1 Released: Mon Jun 26 13:22:26 2017 Summary: Recommended update for libsemanage, policycoreutils Type: recommended Severity: low References: 1043237 Description: This update for libsemanage, policycoreutils fixes the following issue: - Show version numbers of modules where they are available (bsc#1043237) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1082-1 Released: Fri Jun 30 10:54:06 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1045943 Description: This update for dirmngr provides the following fix: - Change logrotate from Requires to Recommends (bsc#1045943) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1086-1 Released: Fri Jun 30 15:36:17 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376 Description: This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887) * CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1104-1 Released: Tue Jul 4 16:13:55 2017 Summary: Security update for systemd Type: security Severity: moderate 
References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start 
shipping unit files. - Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1116-1 Released: Thu Jul 6 11:37:18 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1046607,CVE-2017-7526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1119-1 Released: Fri Jul 7 11:23:20 2017 Summary: Recommended update for ncurses Type: security Severity: important References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858) - CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. 
(bsc#1046853) Bugfixes: - Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does not need it anymore and as well as it causes bug bsc#1000662 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1160-1 Released: Fri Jul 14 17:20:26 2017 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1031702 Description: This update for openldap2 provides the following fix: - Fix a regression in handling of non-blocking connection (bsc#1031702) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1174-1 Released: Wed Jul 19 11:12:51 2017 Summary: Security update for systemd, dracut Type: security Severity: important References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445 Description: This update for systemd and dracut fixes the following issues: Security issues fixed: - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290) Non-security issues fixed in systemd: - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) Non-security issues fixed in dracut: - Bail out if module directory does not exist. (bsc#1043900) - Suppress bogus error message. (bsc#1032029) - Fix module force loading with systemd. (bsc#986216) - Ship udev files required by systemd. (bsc#1040153) - Ignore module resolution errors (e.g. with kgraft). 
(bsc#1037120) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1222-1 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1034563,1039941 Description: This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1245-1 Released: Thu Aug 3 10:43:15 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445 Description: This update for systemd provides several fixes and enhancements. Security issues fixed: - CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614) - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. 
(bsc#1045290) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. 
- Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1247-1 Released: Thu Aug 3 10:44:44 2017 Summary: Security update for mariadb Type: security Severity: important References: 1048715,963041,CVE-2017-3308,CVE-2017-3309,CVE-2017-3453,CVE-2017-3456,CVE-2017-3464 Description: This MariaDB update to version 10.0.31 GA fixes the following issues: Security issues fixed: - CVE-2017-3308: Subcomponent: Server: DML: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3309: Subcomponent: Server: Optimizer: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3453: Subcomponent: Server: Optimizer: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3456: Subcomponent: Server: DML: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3464: Subcomponent: Server: DDL: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) Bug fixes: - switch from 'Restart=on-failure' to 'Restart=on-abort' in mysql.service in order to follow the upstream. It also fixes hanging mysql-systemd-helper when mariadb fails (e.g. because of the misconfiguration) (bsc#963041) - XtraDB updated to 5.6.36-82.0 - TokuDB updated to 5.6.36-82.0 - Innodb updated to 5.6.36 - Performance Schema updated to 5.6.36 Release notes and changelog: - https://kb.askmonty.org/en/mariadb-10031-release-notes - https://kb.askmonty.org/en/mariadb-10031-changelog ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1268-1 Released: Mon Aug 7 10:09:19 2017 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364 Description: This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation: - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908) - Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175) - Fix x86 extended feature detection (bsc#1029523) - Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environmental variable (bsc#1028723) - s_client sent empty client certificate (bsc#1028281) Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. 
- Fix a bug in XTS key handling (bsc#1019637) - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1279-1 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Type: security Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1316-1 Released: Thu Aug 10 13:54:27 2017 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1014471,1026825,1044840,938657 Description: This update for cyrus-sasl provides the following fixes: - Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence 'GSSAPI client step 1' debug log message (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1326-1 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Type: security Severity: low References: 1038444,CVE-2017-8872 Description: This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. 
(bsc#1038444) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1330-1 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Type: recommended Severity: low References: 954661 Description: This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 Description: This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1334-1 Released: Tue Aug 15 20:09:03 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1048679,874665 Description: This update for systemd fixes the following issues: - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1335-1 Released: Wed Aug 16 11:24:21 2017 Summary: Security update for curl Type: security Severity: moderate References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101 Description: This update for curl fixes the following issues: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 Description: This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1349-1 Released: Fri Aug 18 12:31:07 2017 Summary: Recommended update for lua51 Type: recommended Severity: low References: 1051626 Description: This update for lua51 provides the following fixes: - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1390-1 Released: Fri Aug 25 15:14:27 2017 Summary: Security update for libzypp Type: security Severity: important References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984) - Fix gpg-pubkey release (creation time) computation. (bsc#1036659) - Update lsof blacklist. 
(bsc#1046417) - Re-probe on refresh if the repository type changes. (bsc#1048315) - Propagate proper error code to DownloadProgressReport. (bsc#1047785) - Allow to trigger an appdata refresh unconditionally. (bsc#1009745) - Support custom repo variables defined in /etc/zypp/vars.d. yast2-pkg-bindings: - Do not crash when the repository URL is not defined. (bsc#1043218) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1419-1 Released: Wed Aug 30 15:38:22 2017 Summary: Security update for expat Type: security Severity: moderate References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233 Description: This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1439-1 Released: Fri Sep 1 15:31:05 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1045384,1045987,1046268,1047379,1048605 Description: This update for systemd fixes the following issues: - Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605) - compat-rules: drop the bogus 'import everything' rule (bsc#1046268) - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379) - udev/path_id: introduce support for NVMe devices (bsc#1045987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1447-1 Released: Mon Sep 4 15:38:20 2017 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Adapt to work with GnuPG 2.1.23. 
(bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)
zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1450-1
Released: Mon Sep 4 16:36:07 2017
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 1035062,944903
Description:
This update for insserv-compat fixes the following issues:
- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1453-1
Released: Mon Sep 4 21:23:50 2017
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:
- libgcrypt stored an open file descriptor to the random device in a static variable between invocations.
gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659)
- dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1487-1
Released: Mon Sep 11 12:35:07 2017
Summary: Recommended update for unixODBC
Type: recommended
Severity: low
References: 1044970
Description:
This update for unixODBC provides the following enhancements:
- Enable compile time option --enable-fastvalidate. This disables some internal validation checks performed on connection handles by unixODBC, increasing performance especially when many handles are used on multi-threaded systems. (fate#323520, bsc#1044970)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1548-1
Released: Fri Sep 15 18:19:12 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:
- Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fall back to using sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option.
(bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1592-1
Released: Tue Sep 26 17:38:03 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1028485,1045628,978055,998893,999878
Description:
This update for lvm2 provides the following fixes:
- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1644-1
Released: Mon Oct 9 07:52:24 2017
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.
This security issue was fixed:
- CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995)
These non-security issues were fixed:
- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of LDAP service.
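The bsc#1054028 change in the krb5 advisory above is a client-side configuration hardening rather than a code fix. As an added illustration (a constructed krb5.conf fragment, not taken from the SUSE package; the realm name is an assumption), this is what the two settings look like, with the previous behaviour left in as comments:

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

# Previous behaviour (both settings default to true in MIT Kerberos):
# the client forward-resolves the host name it was given, then reverse-
# resolves the resulting IP address and uses the PTR name to build the
# service principal host/<name>@EXAMPLE.COM. A spoofed A or PTR record can
# therefore make the client request a ticket for an attacker-chosen service.
#   rdns = true
#   dns_canonicalize_hostname = true

# Hardened values shipped by SUSE-SU-2017:1644-1 (bsc#1054028): the name the
# application supplied is used verbatim for the service principal, so DNS
# answers no longer decide which service the ticket is issued for.
    rdns = false
    dns_canonicalize_hostname = false
```

Caveat: with dns_canonicalize_hostname = false the library no longer expands short names, so applications must address services by the fully qualified host name under which the service principal was registered, or ticket requests will fail with an unknown-principal error.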
(bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1663-1
Released: Tue Oct 10 12:05:09 2017
Summary: Recommended update for dbus-1
Type: recommended
Severity: moderate
References: 1043615,1046173
Description:
This update for dbus-1 provides the following fixes:
- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1703-1
Released: Tue Oct 17 13:20:12 2017
Summary: Recommended update for audit
Type: recommended
Severity: low
References: 1042781
Description:
This update for audit provides the following fix:
- Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1758-1
Released: Mon Oct 23 08:47:47 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)
Bugs fixed:
- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1796-1
Released: Fri Oct 27 21:25:06 2017
Summary: Recommended update for pcre
Type: recommended
Severity: moderate
References: 1058722
Description:
This update for pcre fixes the following issues:
- Fixed the pcre stack frame size detection because modern compilers break it due to cloning and
inlining pcre match() function (bsc#1058722)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1797-1
Released: Sat Oct 28 12:06:19 2017
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1048645,1060738
Description:
This update for permissions fixes the following issues:
- Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. (bsc#1028304)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1826-1
Released: Wed Nov 8 08:47:17 2017
Summary: Security update for krb5
Type: security
Severity: important
References: 1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:
Security issues fixed:
- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1829-1
Released: Wed Nov 8 08:50:00 2017
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1023895,1052261,980486,CVE-2017-12424
Description:
This update for shadow fixes several issues.
This security issue was fixed:
- CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have led to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261).
These non-security issues were fixed:
- bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings
- bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1881-1
Released: Wed Nov 22 16:29:58 2017
Summary: Security update for file
Type: security
Severity: moderate
References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:
The GNU file utility was updated to version 5.22.
Security issues fixed:
- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allowed remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.
(bsc#910253)
Version update to file version 5.22
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.
Version update to file version 5.21
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads
Update to file version 5.20
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support
Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format.
(bsc#1009966)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1903-1
Released: Fri Nov 24 16:19:37 2017
Summary: Security update for perl
Type: security
Severity: moderate
References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)
Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1916-1
Released: Fri Nov 24 20:15:01 2017
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1043333,1059723
Description:
This update for libgcrypt provides the following fix:
- Fix a regression in a previous update which caused libgcrypt to leak file descriptors causing failures when starting rtkit-daemon.
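The two libgcrypt advisories above (SUSE-RU-2017:1453-1 for bsc#1043333, and the regression fix SUSE-RU-2017:1916-1 for bsc#1059723) are two sides of one design problem: a library that caches a descriptor number across calls cannot tell when its caller has rebound that number, and a library that simply reopens the device on every call leaks descriptors instead. The Python below is an added example, not libgcrypt's or SUSE's code. It models the daemon's rebinding by dup2()-ing /dev/null over the cached descriptor itself rather than over fds 0-2, bounds the otherwise infinite read loop so that it terminates, and shows the fstat identity check (st_dev/st_ino recorded at open time) that lets a library notice the rebinding before it reads. It assumes a Unix host with /dev/urandom.

```python
"""Model of the libgcrypt cached-random-fd bug (bsc#1043333) and a check for it.

Added example, not libgcrypt's or SUSE's code. Assumes a Unix host with
/dev/urandom and os.devnull; the dup2() below stands in for gnome-keyring-daemon
reopening descriptors 0-2 onto /dev/null after libgcrypt had cached one of them.
"""
import os

# Stand-in for libgcrypt's static variable: (fd, (st_dev, st_ino)) or None.
_cached = None


def open_random_device(path="/dev/urandom"):
    """Open the random device once and keep the descriptor, as the buggy code did.

    Reopening on every call instead is what the regression in bsc#1059723 did,
    and leaks one descriptor per call unless each is closed again."""
    global _cached
    if _cached is None:
        fd = os.open(path, os.O_RDONLY)
        st = os.fstat(fd)
        _cached = (fd, (st.st_dev, st.st_ino))   # remember what we opened
    return _cached[0]


def cached_fd_is_intact():
    """True iff the cached descriptor still refers to the file we opened.

    A descriptor number can be closed and reused, or dup2()'d over, behind the
    library's back; comparing (st_dev, st_ino) with the values recorded at
    open time catches both cases."""
    if _cached is None:
        return False
    fd, ident = _cached
    try:
        st = os.fstat(fd)
    except OSError:            # the number was closed outright
        return False
    return (st.st_dev, st.st_ino) == ident


def read_random_naively(nbytes, max_reads=1000):
    """The original loop: read until nbytes have arrived. A zero-length read
    (EOF, which /dev/null returns for ever) never makes progress, so the real
    code spun indefinitely; here the loop is bounded and returns None."""
    fd = open_random_device()
    buf = b""
    for _ in range(max_reads):
        if len(buf) >= nbytes:
            return buf
        buf += os.read(fd, nbytes - len(buf))
    return None


def read_random_checked(nbytes):
    """Refuse to read from a descriptor that no longer names the random device."""
    open_random_device()
    if not cached_fd_is_intact():
        raise RuntimeError("cached random device fd was closed or rebound")
    return read_random_naively(nbytes)


def demo():
    """Cache the fd, rebind its number to /dev/null as the daemon did, and
    report what the naive reader and the checked reader make of it."""
    global _cached
    _cached = None
    fd = open_random_device()
    before = len(read_random_checked(16))
    devnull = os.open(os.devnull, os.O_RDONLY)
    os.dup2(devnull, fd)           # the cached number now refers to /dev/null
    os.close(devnull)
    naive = read_random_naively(16)
    intact = cached_fd_is_intact()
    try:
        read_random_checked(16)
        refused = False
    except RuntimeError:
        refused = True
    os.close(fd)
    _cached = None
    return {"before_rebind": before, "naive_after_rebind": naive,
            "intact_after_rebind": intact, "checked_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The identity check is cheap (one fstat per read) and is the same test a long-running daemon should apply to any descriptor it caches across a point where it relinquishes control to its caller, for example across daemonization or a fork.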
(bsc#1059723)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1917-1
Released: Mon Nov 27 13:32:07 2017
Summary: Optional update for gcc7
Type: recommended
Severity: low
References: 1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.
New features:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-nvptx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support.
The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 7, several bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1965-1
Released: Thu Nov 30 12:48:45 2017
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libsolv:
- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.
libzypp:
- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.
zypper:
- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands to support setting only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1966-1
Released: Thu Nov 30 13:45:24 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249
Description:
This update for systemd fixes the following issues:
- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too.
(bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow specifying the generation number through the kernel command line.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs check. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1968-1
Released: Thu Nov 30 19:49:33 2017
Summary: Recommended update for coreutils
Type: recommended
Severity: low
References: 1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:
- Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists.
(bsc#965780)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1969-1
Released: Thu Nov 30 19:50:53 2017
Summary: Recommended update for libtool
Type: recommended
Severity: low
References: 1056381
Description:
This update for libtool provides the following fix:
- Add missing dependencies and provides to baselibs.conf to make sure libltdl libraries are properly installed. (bsc#1056381)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1970-1
Released: Thu Nov 30 22:55:41 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2021-1
Released: Fri Dec 8 10:11:04 2017
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1070878,1070958
Description:
This update for file fixes detection of JPEG files.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2031-1
Released: Mon Dec 11 12:55:57 2017
Summary: Recommended update for gzip
Type: recommended
Severity: low
References: 1067891
Description:
This update for gzip provides the following fix:
- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2036-1
Released: Wed Dec 13 16:34:21 2017
Summary: Recommended update for util-linux
Type: recommended
Severity: low
References: 1039276,1040968,1055446,1066500
Description:
This update for util-linux provides the following fixes:
- Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968)
- Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446)
- Fix a lscpu failure on Sydney Amazon EC2 region. (bsc#1066500)
- If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2097-1
Released: Sat Dec 16 01:59:00 2017
Summary: Security update for openssl
Type: security
Severity: important
References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738
Description:
This update for openssl fixes the following issues:
- OpenSSL Security Advisory [07 Dec 2017]
  * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 'error state' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly.
In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
  * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2137-1
Released: Thu Dec 21 17:49:12 2017
Summary: Recommended update for dbus-1
Type: recommended
Severity: moderate
References: 1046173,1071698
Description:
This update for dbus-1 provides the following fixes:
- The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it.
(bsc#1071698)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:4-1
Released: Tue Jan 2 15:58:20 2018
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)
zypper:
- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:38-1
Released: Tue Jan 9 14:56:43 2018
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 1070209
Description:
This update for kmod provides the following fixes:
- Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:55-1
Released: Fri Jan 12 09:45:49 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:
- A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader have been fixed.
[CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
- A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
- A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:64-1
Released: Fri Jan 12 16:19:28 2018
Summary: Security update for mariadb
Type: security
Severity: moderate
References: 1039034,1049399,1049404,1049417,1054591,1072665,CVE-2017-3636,CVE-2017-3641,CVE-2017-3653
Description:
This update for mariadb fixes several issues.
These security issues were fixed:
- CVE-2017-3636: Client programs had an unspecified vulnerability that could lead to unauthorized access and denial of service (bsc#1049399)
- CVE-2017-3641: DDL unspecified vulnerability could lead to denial of service (bsc#1049404)
- CVE-2017-3653: DML Unspecified vulnerability could lead to unauthorized database access (bsc#1049417)
These non-security issues were fixed:
- Add ODBC support for Connect engine (bsc#1039034)
- Relax required version for mariadb-errormessages (bsc#1072665)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:86-1
Released: Wed Jan 17 09:38:17 2018
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in the _nc_save_str function (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released: Wed Jan 17 14:41:17 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released: Wed Jan 17 14:44:33 2018
Summary: Recommended update for lvm2
Type: recommended
Severity: low
References: 1063051,1067312
Description:
This update for lvm2 provides the following fixes:
- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages on testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd. (bsc#1067312)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released: Thu Jan 25 11:44:23 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1064397,1065083
Description:
This update for openldap2 provides the following fixes:
- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released: Thu Jan 25 13:38:37 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.
This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released: Tue Jan 30 10:53:43 2018
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.
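CVE-2018-1000007 in the curl advisory above (SUSE-SU-2018:149-1, bsc#1077001) was curl carrying a user-supplied Authorization header along to whatever host a 3xx redirect pointed at. The Python below is an added example, not curl's code: it implements the forwarding decision the fix introduced, dropping credential-bearing headers when a redirect leaves the origin of the request that carried them, and walks a constructed redirect chain to show which hosts would have seen the credential. Treating Proxy-Authorization and a hand-set Cookie header the same way, and comparing scheme and port as well as host (stricter than a host-only comparison), are this example's own choices; the `trusted` flag mirrors curl's --location-trusted, which re-enables the forwarding deliberately.

```python
"""Credential-bearing headers must not follow a redirect to another origin.

Added example, not curl's code. The URLs and the redirect chain in demo() are
constructed test data.
"""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials; forwarding them across an origin boundary
# hands the credential to whoever controls the redirect target.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of url, with the scheme's default port filled in."""
    parts = urlsplit(url)
    if not parts.scheme or parts.hostname is None:
        raise ValueError("absolute URL with a host required: %r" % url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname.lower(), port)


def headers_for_redirect(request_url, location, headers, trusted=False):
    """Return (absolute target URL, headers to send to it).

    Sensitive headers are kept only when the target has the same origin as
    request_url, or when the caller explicitly trusts every hop (curl's
    --location-trusted). A relative Location value is resolved first."""
    target = urljoin(request_url, location)
    if trusted or origin(target) == origin(request_url):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return target, kept


def follow_chain(start_url, headers, responses, trusted=False):
    """Walk a redirect chain offline and record which URLs would have received
    an Authorization header. `responses` maps a URL to its Location header,
    or to None for the final (non-redirect) response."""
    url, hdrs = start_url, dict(headers)
    seen = []
    while True:
        seen.append((url, any(k.lower() == "authorization" for k in hdrs)))
        location = responses.get(url)
        if location is None:
            return seen
        url, hdrs = headers_for_redirect(url, location, hdrs, trusted)


def demo(trusted=False):
    """Constructed chain: one same-origin hop, then a hop to a third-party CDN."""
    responses = {
        "https://api.example.com/login": "/home",                     # same origin
        "https://api.example.com/home": "https://cdn.example.net/a",  # third party
        "https://cdn.example.net/a": None,
    }
    return follow_chain("https://api.example.com/login",
                        {"Authorization": "Bearer s3cr3t", "Accept": "*/*"},
                        responses, trusted)


if __name__ == "__main__":
    for url, had_auth in demo():
        print("%-35s Authorization sent: %s" % (url, had_auth))
```

Once a header has been stripped at an origin change it stays stripped for the rest of the chain, which is the right behaviour: a redirect back to the original host after a detour through a third party should not resurrect the credential either.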
These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released: Tue Jan 30 14:36:40 2018
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.
This security issue was fixed:
- CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308).
These non-security issues were fixed:
- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files. (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size
  (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released: Tue Jan 30 14:37:42 2018
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.
This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER encoded structure, which allowed for DoS (bsc#1076832).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:270-1
Released: Wed Feb 7 14:34:19 2018
Summary: Security update for mariadb
Type: security
Severity: moderate
References: 1058722,1064101,1064115,1076505,CVE-2017-10268,CVE-2017-10378
Description:
This update for mariadb to version 10.0.33 fixes several issues.
These security issues were fixed:
- CVE-2017-10378: Vulnerability in subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server (bsc#1064115).
- CVE-2017-10268: Vulnerability in subcomponent: Server: Replication. Difficult to exploit vulnerability allowed high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data (bsc#1064101).
These non-security issues were fixed:
- CHECK TABLE no longer returns an error when run on a CONNECT table
- 'Undo log record is too big.'
  error occurring in very narrow range of string lengths
- Race condition between INFORMATION_SCHEMA.INNODB_SYS_TABLESTATS and ALTER/DROP/TRUNCATE TABLE
- Wrong result after altering a partitioned table
- Fixed bugs in InnoDB FULLTEXT INDEX
- InnoDB FTS duplicate key error
- InnoDB crash after failed ADD INDEX and table_definition_cache eviction
- fts_create_doc_id() unnecessarily allocates 8 bytes for every inserted row
- IMPORT TABLESPACE may corrupt ROW_FORMAT=REDUNDANT tables
For additional details please see https://kb.askmonty.org/en/mariadb-10033-changelog
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released: Thu Feb 8 17:47:43 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes several issues.
These security issues were fixed:
- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released: Mon Feb 12 11:50:39 2018
Summary: Recommended update for bash
Type: recommended
Severity: low
References: 1057452,1076909
Description:
This update for bash provides the following fixes:
- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released: Thu Feb 15 14:47:35 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)
Non security bugs fixed:
- Release read lock after resetting timeout (bsc#1073990)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released: Mon Feb 26 16:34:46 2018
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:
Security issue fixed:
- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless protected_hardlinks sysctl is on.
  This could be used by local attackers to gain privileges (bsc#1077925)
Non Security issues fixed:
- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com
- Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224). But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Type: recommended
Severity: low
References: 1009905,1063910
Description:
This update for net-tools provides the following fix:
- netstat: fix handling of large socket numbers (bsc#1063910)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released: Fri Mar 9 14:05:22 2018
Summary: Security update for augeas
Type: security
Severity: low
References: 1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:
Security issue fixed:
- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released: Fri Mar 9 18:02:14 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:
- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released: Mon Mar 12 13:13:55 2018
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:
- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released: Thu Mar 15 07:38:52 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:
- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released: Thu Mar 15 10:47:40 2018
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: low
References: 1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:
libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.
libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)
zypper:
- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:478-1
Released: Thu Mar 15 16:56:52 2018
Summary: Security update for mariadb
Type: security
Severity: important
References: 1078431,CVE-2018-2562,CVE-2018-2612,CVE-2018-2622,CVE-2018-2640,CVE-2018-2665,CVE-2018-2668
Description:
This update for mariadb fixes the following issues:
MariaDB was updated to 10.0.34 (bsc#1078431)
The following security vulnerabilities are fixed:
- CVE-2018-2562: Vulnerability in the MySQL Server subcomponent: Server: Partition. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.
- CVE-2018-2622: Vulnerability in the MySQL Server subcomponent: Server: DDL. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2640: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2665: Vulnerability in the MySQL Server subcomponent: Server: Optimizer.
  Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2668: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2612: Vulnerability in the MySQL Server subcomponent: InnoDB. Easily exploitable vulnerability allowed high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
The MariaDB external release notes and changelog for this release:
* https://kb.askmonty.org/en/mariadb-10034-release-notes
* https://kb.askmonty.org/en/mariadb-10034-changelog
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released: Thu Mar 22 08:20:46 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:
The following security issues were fixed:
- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released: Thu Mar 29 14:02:08 2018
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:
Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).
Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released: Thu Apr 5 17:22:37 2018
Summary: Security update for libidn
Type: security
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.
This security issue was fixed:
- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released: Wed Apr 11 18:02:57 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. (bsc#1087102)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:
Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file.
  (bsc#1082318)
Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released: Wed May 2 22:16:26 2018
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:
- Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found.
  (bsc#1069934)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released: Mon May 7 07:07:38 2018
Summary: Recommended update for gcc7
Type: recommended
Severity: important
References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update for gcc7 to the 7.3 release fixes the following issues:
- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550]
- Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released: Thu May 17 08:41:30 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:
Security issues fixed:
- CVE-2018-1000301: Fixed an RTSP bad headers buffer over-read that could crash the curl client (bsc#1092098)
Non security issues fixed:
- If the DEFAULT_SUSE cipher list is not available, use the HIGH cipher alias before failing. (bsc#1086825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released: Wed May 23 16:46:50 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:
- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory.
  (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released: Wed May 23 17:14:16 2018
Summary: Security update for bash
Type: security
Severity: moderate
References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:
Security issues fixed:
- CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396)
Non-security issues fixed:
- Fix repeating self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released: Wed May 23 17:18:39 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321
Description:
This update for zlib fixes the following issues:
- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released: Tue Jun 5 13:20:44 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1089884
Description:
This update for pam fixes the following issues:
- Fix order of accessed configuration files in man page.
  (bsc#1089884)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released: Wed Jun 6 11:44:25 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:
- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)
Non security bugs fixed:
- Fix crash in resolver on memory allocation failure (bsc#1086690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released: Thu Jun 7 12:58:56 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1073879,1080078,964063
Description:
This update for rpm fixes the following issues:
- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros. (bsc#1080078)
Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released: Fri Jun 15 13:41:08 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:
- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released: Fri Jun 15 19:19:51 2018
Summary: Recommended update for openssl
Type: recommended
Severity: moderate
References: 1090765
Description:
This update for openssl provides the following fix:
- Suggest libopenssl1_0_0-hmac from libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1202-1
Released: Fri Jun 22 07:40:27 2018
Summary: Security update for mariadb
Type: security
Severity: important
References: 1088681,1090518,CVE-2018-2755,CVE-2018-2761,CVE-2018-2766,CVE-2018-2767,CVE-2018-2771,CVE-2018-2781,CVE-2018-2782,CVE-2018-2784,CVE-2018-2787,CVE-2018-2813,CVE-2018-2817,CVE-2018-2819
Description:
MariaDB was updated to 10.0.35 (bsc#1090518)
Notable changes:
* PCRE updated to 8.42
* XtraDB updated to 5.6.39-83.1
* TokuDB updated to 5.6.39-83.1
* InnoDB updated to 5.6.40
* The embedded server library now supports SSL when connecting to remote servers [bsc#1088681], [CVE-2018-2767]
* MDEV-15249 - Crash in MVCC read after IMPORT TABLESPACE
* MDEV-14988 - innodb_read_only tries to modify files if transactions were recovered in COMMITTED state
* MDEV-14773 - DROP TABLE hangs for InnoDB table with FULLTEXT index
* MDEV-15723 - Crash in INFORMATION_SCHEMA.INNODB_SYS_TABLES when accessing corrupted
  record
* Fixes for the following security vulnerabilities: CVE-2018-2782, CVE-2018-2784, CVE-2018-2787, CVE-2018-2766, CVE-2018-2755, CVE-2018-2819, CVE-2018-2817, CVE-2018-2761, CVE-2018-2781, CVE-2018-2771, CVE-2018-2813
* Release notes and changelog:
  * https://kb.askmonty.org/en/mariadb-10035-release-notes
  * https://kb.askmonty.org/en/mariadb-10035-changelog
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1240-1
Released: Wed Jun 27 22:20:12 2018
Summary: Security update for unixODBC
Type: security
Severity: moderate
References: 1044970,1082060,1082290,1082484,CVE-2018-7409,CVE-2018-7485
Description:
This update for unixODBC to version 2.3.6 fixes the following issues:
- CVE-2018-7409: Buffer overflow in unicode_to_ansi_copy() was fixed in 2.3.5 (bsc#1082290)
- CVE-2018-7485: Swapped arguments in SQLWriteFileDSN() in odbcinst/SQLWriteFileDSN.c (bsc#1082484)
Other fixes:
- Enabled --enable-fastvalidate option in configure (bsc#1044970)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released: Thu Jun 28 13:44:16 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released: Thu Jul 5 08:36:17 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released: Tue Jul 17 08:07:57 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1351-1 Released: Thu Jul 19 09:43:21 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1400-1 Released: Thu Jul 26 16:32:29 2018 Summary: Security update for util-linux Type: security Severity: moderate References: 1072947,1078662,1080740,1084300,CVE-2018-7738 Description: This update for util-linux fixes the following issues: This non-security issue was fixed: - CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300). These non-security issues were fixed: - Fixed crash loop in lscpu (bsc#1072947). - Fixed possible segfault of umount -a - Fixed mount -a on NFS bind mounts (bsc#1080740). - Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1413-1 Released: Fri Jul 27 12:41:13 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). 
The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1450-1 Released: Mon Jul 30 10:10:45 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1549-1 Released: Mon Aug 13 13:41:22 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1610-1 Released: Thu Aug 16 14:04:25 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. 
(bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released: Thu Aug 16 14:49:45 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released: Thu Aug 16 15:27:04 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:
- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096)
- compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096)
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables.
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890)
- logind: Do not use an uninitialized variable. (bsc#1088890)
- Disable user services by default. (bsc#1090785)
- Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769)
  Previously this symlink was created in /etc/sysctl.d during %post, which made the symlink not owned and, more importantly, it was created only if /etc/sysctl.conf was already installed, which is not always the case during the installation process, it seems. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead, since it's a distro default behavior that might be overridden by the sysadmin later.
- systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485)
  Add the offline event environmental condition to restrict the rule so that it can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in the kernel. This change prevents the udev rules for acpi container from being triggered by 'udevadm trigger' from user space.
- build-sys: Explicitly require python3. (bsc#1082004)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1636-1
Released: Thu Aug 16 15:30:11 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1689-1
Released: Mon Aug 20 09:02:24 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1691-1
Released: Mon Aug 20 09:04:17 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1695-1
Released: Mon Aug 20 09:19:20 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)
This non-security issue was fixed:
- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1698-1
Released: Mon Aug 20 09:19:28 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1834-1
Released: Wed Sep 5 10:17:42 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1089761,1090944,1101040,1103910
Description:
This update for systemd fixes the following issues:
- cryptsetup: Add support for sector-size= option. (fate#325634)
- resolved: Apply epoch to system time from PID 1. (bsc#1103910)
- core/service: Rework the hold-off time over message.
- core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1903-1
Released: Fri Sep 14 12:46:21 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1089533,1106019,CVE-2018-14618
Description:
This update for curl fixes the following issues:
This security issue was fixed:
- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)
This non-security issue was fixed:
- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1969-1
Released: Mon Sep 24 08:06:42 2018
Summary: Security update for libzypp, zypper
Type: security
Severity: important
References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685
Description:
This update for libzypp, zypper fixes the following issues:
Update libzypp to version 16.17.20:
Security issues fixed:
- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
Other bugs fixed:
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
Update zypper to version 1.13.45:
Security issues fixed:
- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)
Other bugs fixed:
- XML attribute `packages-to-change` added (bsc#1102429)
- man: Emphasize that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1985-1
Released: Mon Sep 24 11:56:08 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640
Description:
This update for openldap2 provides the following fix:
- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1994-1
Released: Mon Sep 24 12:55:57 2018
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1106914
Description:
This update for shadow fixes the following security issue:
- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2069-1
Released: Fri Sep 28 08:01:25 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737
Description:
This update for openssl fixes the following issues:
These security issues were fixed:
- Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789)
- CVE-2018-0737: The RSA key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039)
These non-security issues were fixed:
- Add openssl(cli) Provide so that packages which require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)
- Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2162-1
Released: Fri Oct 5 14:46:53 2018
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1088921
Description:
This update for krb5 provides the following fix:
- Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2181-1
Released: Tue Oct 9 11:08:20 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:
This update for libxml2 fixes the following security issues:
- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case, leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2196-1
Released: Thu Oct 11 07:45:16 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564
Description:
The GNU Compiler GCC 8 is being added to the Toolchain Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 8, several bugs fixed, quite some new warnings added, and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2217-1
Released: Fri Oct 12 15:07:24 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1094121,1107430
Description:
This update for bash provides the following fixes:
- Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121)
- Fix mis-matching of null string with '*' pattern. (bsc#1107430)
- Fix a crash when the lastpipe option is enabled.
- Fix a typo that was preventing the `compat42' shopt option from working as intended.
- Help the shell to process any pending traps at redirection.
- Fix a crash due to incorrect conversion from an indexed to associative array.
- Avoid the expansion of escape sequences in HOSTNAME in prompt.
- Avoid `xtrace' attack over $PS4.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2373-1
Released: Mon Oct 22 14:43:47 2018
Summary: Security update for rpm
Type: security
Severity: moderate
References: 1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM.
  An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)
This non-security issue was fixed:
- Use ksym-provides tool [bsc#1077692]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released: Wed Oct 24 14:42:43 2018
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:
This update for systemd fixes the following issues:
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released: Thu Oct 25 16:56:24 2018
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:
- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released: Fri Oct 26 12:39:59 2018
Summary: Recommended update for cpio
Type: recommended
Severity: low
References: 1076810,889138
Description:
This update for cpio provides the following fix:
- Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Type: recommended
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:
Changes in console-setup:
- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942)
Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to =U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non x86 platforms
  * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
  * Drop from some fill-up templates a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock (bsc#1056449).
  * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that need this to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released: Tue Oct 30 09:22:45 2018
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1113117
Description:
This update for bash fixes the following issues:
A recently released update introduced a change of behavior which resulted in broken customer scripts.
(bsc#1113117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released: Fri Nov 2 17:09:49 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:
- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released: Fri Nov 2 18:59:06 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:
- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released: Wed Nov 7 11:04:00 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1095148,1113100
Description:
This update for rpm fixes the following issues:
- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released: Wed Nov 14 14:14:41 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)
Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package
  This script was part of the systemd-sysvinit sub-package, but that was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released: Thu Nov 22 16:25:38 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).
Non-security issues fixed:
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2766-1 Released: Fri Nov 23 17:07:27 2018 Summary: Security update for rpm Type: security Severity: important References: 943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS, they have already been released for SUSE Linux Enterprise Server 12 SP3. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1697-1 Released: Fri Nov 23 17:08:32 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. 
(bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1696-1 Released: Mon Nov 26 17:46:39 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released:    Tue Nov 27 13:39:49 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a.
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released:    Mon Dec 3 15:34:09 2018
Summary:     Security update for ncurses
Type:        security
Severity:    important
References:  1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:
- CVE-2018-19211: Fixed a denial of service issue that was triggered by a NULL pointer dereference in the function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released:    Wed Dec 5 09:29:31 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1111965,1113125
Description:
This update for apparmor fixes the following issues:

- Systemd-aware apparmor.spec; remove old insserv from the spec file (bsc#1113125).
- Fix warnings produced because of the use of uninitialized variables (bsc#1111965).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released:    Wed Dec 5 09:57:54 2018
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:

- Allow setuid root for the start-suid tool of singularity (group only) (bsc#1028304).
- Allow setuid root for the authbind binary (bsc#1111251).
- An incorrect error message was adjusted (bsc#1047247 bsc#1097665).
- Make btmp root:utmp (bsc#1050467).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released:    Wed Dec 5 09:59:45 2018
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:

- Added more checks for a valid ld.so.cache file (bsc#1110661).
- Rewrite elf_machine_load_address using the _DYNAMIC symbol (bsc#1112858).
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released:    Tue Dec 11 21:48:05 2018
Summary:     Recommended update for blog
Type:        recommended
Severity:    moderate
References:  1071568
Description:
This update for blog fixes the following issues:

- Hardening of the console list generation (bsc#1071568).
- Changed the description of blog-plymouth in the same manner as used by the release notes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released:    Mon Dec 17 08:51:28 2018
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:

Security issue fixed:
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, the nops module attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation (bsc#1073313).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released:    Fri Dec 21 17:34:05 2018
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1117355
Description:
This update for libgcrypt provides the following fix:

- Fail selftests when the checksum file is missing in FIPS mode only (bsc#1117355).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released:    Tue Jan 8 13:07:17 2019
Summary:     Recommended update for acl
Type:        recommended
Severity:    low
References:  953659
Description:
This update for acl fixes the following issues:

- quote: Escape literal backslashes (bsc#953659).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released:    Thu Jan 17 14:18:31 2019
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released:    Mon Jan 21 13:53:58 2019
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:

Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323).
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323).
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971).

Non-security issues fixed:
- core: Queue loading transient units after setting their properties (bsc#1115518).
- logind: Stop managing VT switches if no sessions are registered on that VT (bsc#1101591).
- terminal-util: Introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour the default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting up the inotify watch fails (bsc#1005023).
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children (bsc#1114981).
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state, and that failure exit code prevented the hot-added memory block from being set online (bsc#1076696).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released:    Tue Jan 22 14:21:55 2019
Summary:     Recommended update for ncurses
Type:        recommended
Severity:    important
References:  1121450
Description:
This update for ncurses fixes the following issues:

- ncurses applications freezing (bsc#1121450).

From sle-updates at lists.suse.com Thu Jan 16 10:02:25 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:02:25 +0100 (CET)
Subject: SUSE-CU-2019:739-1: Recommended update of caasp/v4/velum
Message-ID: <20200116170225.504A0F79E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/velum
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:739-1
Container Tags        : caasp/v4/velum:4.0.0 , caasp/v4/velum:4.0.0-rev1 , caasp/v4/velum:4.0.0-rev1-build2.1 , caasp/v4/velum:beta1
Severity              : low
Type                  : recommended
References            :
-----------------------------------------------------------------

The container caasp/v4/velum was updated. The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 10:00:23 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:00:23 +0100 (CET)
Subject: SUSE-CU-2019:729-1: Security update of caasp/v4/salt-api
Message-ID: <20200116170023.508D7F798@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/salt-api
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:729-1
Container Tags        : caasp/v4/salt-api:2018.3.0 , caasp/v4/salt-api:2018.3.0-rev1 , caasp/v4/salt-api:2018.3.0-rev1-build1.1
Severity              : important
Type                  : security
References            :
-----------------------------------------------------------------

The container caasp/v4/salt-api was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released:    Tue Nov 4 16:29:29 2014
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    moderate
References:  901845
Description:
This update for dirmngr fixes a segmentation fault at start up (bnc#901845).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released:    Thu Nov 6 06:23:15 2014
Summary:     Recommended update for gcc48
Type:        recommended
Severity:    moderate
References:  899871
Description:
This update for gcc48 fixes a performance degradation issue caused by the generation of unneeded code when using the -pg option.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released:    Fri Nov 28 10:20:32 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in ELF note headers (CVE-2014-3710).

This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released:    Tue Dec 2 18:17:57 2014
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:

- Fix an out-of-bounds write with cpio -i (bnc#907456) (CVE-2014-9112).
- Prevent cpio from extracting over a symlink (bnc#658010).
- Fix a truncation check in mt.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:4-1
Released:    Wed Dec 3 15:57:25 2014
Summary:     Security update for libyaml
Type:        security
Severity:    moderate
References:  907809,CVE-2014-9130
Description:
This libyaml update fixes the following security issue:

- bnc#907809: assert failure when processing wrapped strings (CVE-2014-9130).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released:    Thu Dec 11 09:25:27 2014
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:

- bnc#907074: buffer overflow in OID processing (CVE-2014-9087).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released:    Fri Dec 19 20:16:00 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:

- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116).
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released:    Mon Jan 12 11:37:43 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:

- CVE-2014-8150: URL request injection vulnerability (bnc#911363).
- CVE-2014-3707: duphandle read out of bounds (bnc#901924).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released:    Thu Jan 15 18:35:11 2015
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:

- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118).
- bnc#906803: Create files with mode 0 (CVE-2013-6435).
- bnc#892431: Honor --noglob in install mode.
- bnc#911228: Fix the noglob patch, which broke files with spaces.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released:    Thu Jan 15 23:21:45 2015
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released:    Fri Jan 30 15:01:03 2015
Summary:     Security update for elfutils
Type:        security
Severity:    moderate
References:  911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released:    Tue Feb 3 14:51:17 2015
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  913209
Description:
curl was updated to fix problems when operating in FIPS mode. This patch re-enables the following methods:

- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5).
- HTTP Digest authentication (allowing its usage of MD5).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released:    Tue Feb 3 16:30:16 2015
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  912922
Description:
This update for pam fixes updating of NIS passwords.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released:    Tue Mar 10 09:01:41 2015
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer over-read and a crash of the application using libssh2_org.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:208-1
Released:    Thu Mar 12 10:43:10 2015
Summary:     Security update for python-PyYAML
Type:        security
Severity:    moderate
References:  921588,CVE-2014-9130
Description:
python-PyYAML was updated to fix one security issue which could have allowed an attacker to cause a denial of service by supplying specially crafted strings.

The following issue was fixed:
- #921588: python-PyYAML: assert failure when processing wrapped strings (equivalent to CVE-2014-9130 in LibYAML).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released:    Wed Mar 18 18:21:44 2015
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  901202,908516
Description:
This update for procps provides the following fixes:

- Add a description of pgrep's --list-full parameter to the usage instructions (--help) (bsc#901202).
- Fix handling of arguments to the -s option in free(1) (bsc#908516).
- Correct the package name in descriptions: procps, not props.
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:143-1
Released:    Mon Mar 23 21:46:58 2015
Summary:     Initial release of SUSE Enterprise Storage client
Type:        optional
Severity:    low
References:  913799,914521,917309
Description:
This update provides the functionality required for SUSE Linux Enterprise Server 12 to act as a client for SUSE Enterprise Storage.

qemu can now use storage provided by the SUSE Enterprise Storage Ceph cluster via the RADOS Block Device (rbd) backend.

Applications can now be enhanced to directly incorporate object or block storage backed by the SUSE Enterprise Storage cluster, by linking with the librados and librbd client libraries.

Also included is the rbd tool to manage RADOS block devices mapped via the rbd kernel module, for use as a standard generic block device.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released:    Wed Apr 29 19:05:01 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.

The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections.
* CVE-2015-3144: curl could access memory out of bounds with zero-length host names.
* CVE-2015-3145: the curl cookie parser could access memory out of bounds.
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented.
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released:    Thu Jun 11 15:46:59 2015
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591).

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in FIPS mode (bnc#896435).
* Make the DSA selftest use 2048-bit keys (bnc#898003).
* Added ECDSA selftests and added support for it to the CAVS testing framework (bnc#896202).
* Various CAVS testing improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released:    Mon Jun 29 10:13:43 2015
Summary:     Security update for e2fsprogs
Type:        security
Severity:    low
References:  915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:

Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released:    Wed Jul 15 08:26:27 2015
Summary:     Recommended update for gcc48, libffi48, libgcj48
Type:        recommended
Severity:    moderate
References:  889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released:    Tue Jul 28 06:25:51 2015
Summary:     The Toolchain module containing GCC 5.2
Type:        optional
Severity:    low
References:  926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.
Its major feature is the GNU Compiler Collection 5.2, please see https://gcc.gnu.org/gcc-5/changes.html for important changes. This update also includes a version update of binutils to 2.25 release branch to provide features and bugfixes. Following features have been added to binutils: * IBM zSeries z13 hardware support (fate#318036, bnc#936050). * various IBM Power8 improvements (fate#318238, bnc#926412). * AVX512 support on the Intel EM64T platform (fate#318520). The GNU Debugger gdb was updated to version 7.9.1 bringing various features and lots of bugfixes. Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:556-1 Released: Tue Aug 4 14:52:55 2015 Summary: Recommended update for python-requests Type: recommended Severity: moderate References: 935252 Description: python-requests was updated to use the system CA certificate store. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:500-1 Released: Mon Aug 17 11:36:33 2015 Summary: Security update for libgcrypt Type: security Severity: moderate References: 920057,938343,CVE-2015-0837 Description: This update fixes the following issues: Security: * Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057) Bugfixes: * don't drop privileges when locking secure memory (bsc#938343) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:530-1 Released: Wed Aug 26 03:07:07 2015 Summary: Recommended update for sed Type: recommended Severity: low References: 933029 Description: This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. 
In both cases, sed will read from the standard input and no longer from a file named '-'. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:499-1 Released: Mon Aug 31 11:55:14 2015 Summary: Security update for zeromq Type: security Severity: moderate References: 912460,931978,CVE-2014-9721 Description: zeromq was updated to fix one security issue and one non-security bug. The following vulnerability was fixed: * CVE-2014-9721: zeromq protocol downgrade attack on sockets using the ZMTP v3 protocol (boo#931978) The following bug was fixed: * boo#912460: avoid curve test to hang for ppc ppc64 ppc64le architectures ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:568-1 Released: Wed Sep 16 13:30:12 2015 Summary: Recommended update for grep Type: recommended Severity: low References: 920386 Description: This update for grep fixes undefined behaviour with -P and non-utf-8 data. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:727-1 Released: Wed Oct 7 09:26:23 2015 Summary: Recommended update for cloud-init Type: recommended Severity: low References: 948930,948995,948996 Description: cloud-init uses the Jinja2 Python module to generate configuration files from templates, but this dependency was not defined in the package's spec file. This update adds the missing requirement to cloud-init. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:776-1 Released: Fri Oct 30 08:06:58 2015 Summary: Recommended update for libyaml Type: recommended Severity: low References: 952625 Description: This update adjusts libyaml's packaging to require pkg-config at build time. 
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:817-1
Released: Fri Nov 6 23:42:46 2015
Summary: Initial release of python-azurectl
Type: optional
Severity: low
References: 946907
Description:
This update provides a set of command line tools to interact with the Microsoft Azure public cloud framework.

Refer to the azurectl(1) man page, included in python-azurectl, for comprehensive documentation and usage instructions.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:834-1
Released: Thu Nov 12 13:52:22 2015
Summary: Recommended update for python-Twisted
Type: recommended
Severity: moderate
References: 940813
Description:
python-Twisted has been updated to version 15.2.1, which brings several fixes and enhancements such as:
- twisted.positioning, a new API for positioning systems such as GPS, has been added. It comes with an implementation of NMEA, the most common wire protocol for GPS devices. It will supersede twisted.protocols.gps.
- IReactorUDP.listenUDP, IUDPTransport.write and IUDPTransport.connect now accept IPv6 address literals.
- A new API, twisted.internet.ssl.optionsForClientTLS, allows clients to specify and verify the identity of the peer they're communicating with. When used with the service_identity library from PyPI, this provides support for service identity verification from RFC 6125, as well as server name indication from RFC 6066.
- Twisted's TLS support now provides a way to ask for user-configured trust roots rather than having to manually configure such certificate authority certificates.
- twisted.internet.ssl.CertificateOptions now supports ECDHE for servers by default on pyOpenSSL 0.14 and later, if the underlying versions of cryptography.io and OpenSSL support it.
- twisted.internet.ssl.CertificateOptions now allows the user to set acceptable ciphers and uses secure ones by default.
- The new package twisted.logger provides a new, fully tested, and feature-rich logging framework. The old module twisted.python.log is now implemented using the new framework.
- twisted.conch.ssh.forwarding now supports local->remote forwarding of IPv6.
- twisted.mail.smtp.sendmail now uses ESMTP. It will opportunistically enable encryption and allow the use of authentication.
- twisted.internet.ssl.CertificateOptions now enables TLSv1.1 and TLSv1.2 by default (in addition to TLSv1.0) if the underlying version of OpenSSL supports these protocol versions.
- twisted.internet.ssl.CertificateOptions now supports Diffie-Hellman key exchange.
- twisted.internet.ssl.CertificateOptions now disables TLS compression to avoid CRIME attacks and, for servers, uses server preference to choose the cipher.
- MSN protocol support has been marked as deprecated.
- Removed deprecated UDPClient.
- Better support and integration with Python 3.

For a comprehensive list of changes, please refer to the file NEWS shipped within the package.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Type: security
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out-of-bounds read and a stack overflow (bsc#926826).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Type: recommended
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released: Fri Jan 8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type: recommended
Severity: moderate
References: 932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.

The various GNOME libraries and tools have been changed to use the default libgcrypt allocators. GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:80-1
Released: Wed Jan 13 21:05:28 2016
Summary: Security update for python-requests
Type: security
Severity: moderate
References: 922448,929736,961596,CVE-2015-2296
Description:
The python-requests module has been updated to version 2.8.1, which brings several fixes and enhancements:
- Fix handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL, exposing requests users to session fixation attacks and potentially cookie stealing. (bsc#922448, CVE-2015-2296)
- Add support for per-host proxies. This allows the proxies dictionary to have entries of the form {'://': ''}. Host-specific proxies will be used in preference to the previously-supported scheme-specific ones, but the previous syntax will continue to work.
- Update certificate bundle to match 'certifi' 2015.9.6.2's weak certificate bundle.
- Response.raise_for_status now prints the URL that failed as part of the exception message.
- requests.utils.get_netrc_auth now takes a raise_errors kwarg, defaulting to False. When True, errors parsing .netrc files cause exceptions to be thrown.
- Change to bundled projects import logic to make it easier to unbundle requests downstream.
- Change the default User-Agent string to avoid leaking data on Linux: it now contains only the requests version.
- The json parameter to post() and friends will now only be used if neither data nor files are present, consistent with the documentation.
- Empty fields in the NO_PROXY environment variable are now ignored.
- Fix problem where httplib.BadStatusLine would get raised if combining stream=True with contextlib.closing.
- Prevent bugs where we would attempt to return the same connection back to the connection pool twice when sending a chunked body.
- Digest Auth support is now thread safe.
- Resolved several bugs involving chunked transfer encoding and response framing.
- Copy a PreparedRequest's CookieJar more reliably.
- Support bytearrays when passed as parameters in the 'files' argument.
- Avoid data duplication when creating a request with 'str', 'bytes', or 'bytearray' input to the 'files' argument.
- 'Connection: keep-alive' header is now sent automatically.
- Support for connect timeouts. Timeout now accepts a tuple (connect, read) which is used to set individual connect and read timeouts.

For a comprehensive list of changes please refer to the package's change log or the Release Notes at http://docs.python-requests.org/en/latest/community/updates/#id3
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released: Thu Feb 4 15:51:22 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released: Thu Mar 3 15:58:18 2016
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 960820
Description:
This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:

Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.
A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Type: recommended
Severity: low
References: 967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux kernel 3.12.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released: Fri Apr 1 18:44:16 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released: Wed Apr 6 16:26:42 2016
Summary: Security update for gcc5
Type: security
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.

The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32-bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Type: recommended
Severity: low
References: 970260
Description:
This update for bzip2 fixes the following issues:
- Fix the bzgrep wrapper, which always returned 0 as exit code when working on multiple archives, even when the pattern was not found.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:652-1
Released: Wed Apr 20 10:34:05 2016
Summary: Recommended update for SUSE Manager Client Tools
Type: recommended
Severity: moderate
References: 956981,970550,970989,974864,975093
Description:
This update for SUSE Manager Client Tools provides the following new features:
- Integrate SaltStack for configuration management. (fate#312447)
- Replace upstream subscription counting with new subscription matching. (fate#311619)

This update fixes the following issues:

osad:
- Fix file permissions. (bsc#970550)
- Add possibility for OSAD to work in failover mode.

rhn-custom-info:
- Version update.

rhn-virtualization:
- Version update.

rhncfg:
- Fix file permissions. (bsc#970550)
- Fix removal of temporary files during transaction rollback for rhncfg-manager.
- Fix removal of directories which rhncfg-manager didn't create.
- Remove temporary files when an exception occurs.
- Make rhncfg support sha256 and use it by default.
- Fix assigning all of the user's groups to the running process.
- Show server modified time with rhncfg-client diff.

rhnlib:
- Use TLSv1_METHOD in SSL Context. (bsc#970989)

rhnpush:
- Don't count on having the newest rhn-client-tools.
- Allow use of an existing rpcServer when creating RhnServer.
- Wire in timeout for rhnpush.

spacecmd:
- Text description was missing for remote command in spacecmd.
- Added functions to add/edit SSL certificates for repositories.
- Mimetype detection to set the binary flag requires the 'file' tool.
- Always base64 encode to avoid trim() bugs in the XML-RPC library.
- Replace upstream subscription counting with new subscription matching. (fate#311619)

spacewalk-backend:
- Version update.

spacewalk-client-tools:
- Convert dbus.Int32 to int to fix a TypeError during registration. (bsc#974864)
- Fix client registration for network interfaces with labels. (bsc#956981)
- Show a descriptive message on reboot.
- Replace upstream subscription counting with new subscription matching. (fate#311619)

spacewalk-koan:
- Fix file permissions. (bsc#970550)
- Switch to KVM if possible.

spacewalk-oscap:
- Still require openscap-utils on RHEL5.

spacewalk-remote-utils:
- Add RHEL 7.2 channel definitions.
- Update RHEL 6.7 and 7.1 channel definitions.
- Use hostname instead of localhost for https connections.
- spacewalk-create-channel: added -o option to clone a channel to its current state.

spacewalksd:
- Delete file with input files after template is created.

suseRegisterInfo:
- Fix file permissions. (bsc#970550)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Type: recommended
Severity: important
References: 974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:589-1
Released: Mon May 2 15:01:37 2016
Summary: Security update for python-tornado
Type: security
Severity: moderate
References: 930361,930362,974657,CVE-2014-9720
Description:
The python-tornado module was updated to version 4.2.1, which brings several fixes, enhancements and new features.

The following security issues have been fixed:
- A path traversal vulnerability in StaticFileHandler, in which files whose names started with the static_path directory but were not actually in that directory could be accessed.
- The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720)
- The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be more secure. (bsc#930361)

The following enhancements have been implemented:
- SSLIOStream.connect and IOStream.start_tls now validate certificates by default.
- Certificate validation will now use the system CA root certificates.
- The default SSL configuration has become stricter, using ssl.create_default_context where available on the client side.
- The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and FriendFeedMixin, have been removed.
- New modules have been added: tornado.locks and tornado.queues.
- The tornado.websocket module now supports compression via the 'permessage-deflate' extension.
- Tornado now depends on the backports.ssl_match_hostname package when running on Python 2.

For a comprehensive list of changes, please refer to the release notes:
- http://www.tornadoweb.org/en/stable/releases/v4.2.0.html
- http://www.tornadoweb.org/en/stable/releases/v4.1.0.html
- http://www.tornadoweb.org/en/stable/releases/v4.0.0.html
- http://www.tornadoweb.org/en/stable/releases/v3.2.0.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:797-1
Released: Thu May 19 13:26:11 2016
Summary: Recommended update for python-futures
Type: recommended
Severity: low
References: 974993
Description:
This update for python-futures provides version 3.0.2, required by python-s3transfer (fate#320748), and fixes the following issues:
- Made multiprocessing optional again on implementations other than just Jython
- Made Executor.map() non-greedy
- Dropped Python 2.5 and 3.1 support
- Removed the deprecated 'futures' top level package
- Remove CFLAGS: this is a Python-only module
- Remove futures from package files: not provided anymore
- Added the set_exception_info() and exception_info() methods to Future to enable extraction of tracebacks on Python 2.x
- Added support for Future.set_exception_info() to ThreadPoolExecutor
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released: Thu May 19 22:38:01 2016
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 915846
Description:
This update for curl fixes the following issue:
- Fix 'Network is unreachable' error when IPv6 is not available but IPv4 is. This fixes the same error in applications using libcurl4 (like zypper).
(bsc#915846)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 979629
Description:
This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing the fips pattern (bsc#979629)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released: Tue Jun 7 09:48:12 2016
Summary: Security update for expat
Type: security
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:

Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released: Tue Jun 7 10:58:37 2016
Summary: Security update for libksba
Type: security
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: Two OOB read access bugs (remote DoS) (bsc#979261)

Reliability fixes from v1.3.4 were also added.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:984-1
Released: Wed Jun 22 11:11:35 2016
Summary: Recommended update for SUSE Manager Server, Proxy and Client Tools
Type: recommended
Severity: moderate
References: 964932,969320,971372,973418,975303,975306,975733,975757,976148,976826,977264,978833,979313,979676,980313
Description:
This update fixes the following issues for the SUSE Manager Server 3.0 and Client Tools:

zypp-plugin-spacewalk:
- Fix failover for multiple URLs per repo. (bsc#964932)

The following issues for SUSE Manager Proxy 3.0 and Client Tools have been fixed:

cobbler:
- Remove grubby-compat because perl-Bootloader gets dropped.
- Disabling 'get-loaders' command and 'check' fixed. (bsc#973418)
- Add logrotate file for cobbler. (bsc#976826)

Additionally the following issues for the SUSE Linux Enterprise 12 Client Tools have been fixed:

salt:
- Remove option -f from startproc. (bsc#975733)
- Changed the Zypper plugin and added a unit test with the related test data. (bsc#980313)
- Zypper plugin: alter the generated event name on package set change.
- Fix file ownership on master keys and cache directories during upgrade. (handles upgrading from salt 2014, where the daemon ran as root, to 2015 where it runs as the salt user, bsc#979676)
- Salt-proxy .service file created. (bsc#975306)
- Prevent salt-proxy test.ping crash. (bsc#975303)
- Fix shared directories ownership issues.
- Add Zypper plugin to generate an event once Zypper is used outside the Salt infrastructure on demand. (bsc#971372)
- Restore boolean values from the repo configuration
- Fix priority attribute (bsc#978833)
- Unblock-Zypper. (bsc#976148)
- Modify-environment. (bsc#971372)
- Prevent crash if pygit2 package is requesting re-compilation.
- Align OS grains from older SLES with current one. (bsc#975757)
- Bugfix: salt-key crashed when trying to generate keys into a directory without write access. (bsc#969320)

spacecmd:
- Make spacecmd createRepo compatible with SUSE Manager 2.1 API. (bsc#977264)

spacewalk-backend:
- Better error message for a system that is already registered as a minion.
- Fix GPG bad signature detection and improve error messages. (bsc#979313)
- Send and save machine_id on traditional registration.
- Add machine info capability.

spacewalk-client-tools:
- Send and save machine_id on traditional registration.
- Send machine info only if server has machine info capability.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 981616
Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released: Thu Jul 7 11:50:47 2016
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 986935
Description:
This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1141-1
Released: Wed Aug 3 15:24:30 2016
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 987394,CVE-2016-6153
Description:
This update for sqlite3 fixes the following issues:

The following security issue was fixed:
- CVE-2016-6153: Fixed a tempdir selection vulnerability (bsc#987394)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1216-1
Released: Fri Aug 12 18:19:22 2016
Summary: Recommended update for SUSE Manager 3.0 and Client Tools
Type: recommended
Severity: moderate
References: 970669,972311,978150,979448,983017,983512,984622,984998,985661,988506,989193
Description:
This consolidated update includes multiple patchinfos for SUSE Manager Server, Proxy and SUSE Enterprise Storage 3.

This patchinfo is used for the codestream release only.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Type: security
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8 (bsc#990191)
- CVE-2015-2059: Out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1245-1
Released: Fri Aug 19 10:31:11 2016
Summary: Security update for python
Type: security
Severity: moderate
References: 984751,985177,985348,989523,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Description:
This update for python fixes the following issues:
- CVE-2016-0772: smtplib vulnerability allowing a STARTTLS stripping attack (bsc#984751)
- CVE-2016-5636: heap overflow when importing malformed zip files (bsc#985177)
- CVE-2016-5699: incorrect validation of HTTP headers allowed header injection (bsc#985348)
- CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Type: security
Severity: moderate
References: 992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in the GECOS parser (bsc#992966 CVE-2016-6318)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Type: security
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad UTF-8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Type: optional
Severity: low
References: 983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.

This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.

Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.

Generic optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit, which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.

C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.

C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced.
It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions. C++ improvements: - The default mode has been changed to -std=gnu++14. - C++ Concepts are now supported when compiling with -fconcepts. - -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location. - G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions. - G++ now allows constant evaluation for all non-type template arguments. - G++ now supports C++ Transactional Memory when compiling with -fgnu-tm. libstdc++ improvements: - Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland. - Experimental support for C++17. - An experimental implementation of the File System TS. - Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You. - Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit. Fortran improvements: - Fortran 2008 SUBMODULE support. - Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support. - Improved support for Fortran 2003 deferred-length character variables. - Improved support for OpenMP and OpenACC. - The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0. - The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind. 
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default. Architecture improvements: - AArch64 received a lot of improvements. IA-32/x86-64 improvements: - GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ. - Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx. - x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment. - Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly. - Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options. PowerPC / PowerPC64 / RS6000 improvements: - PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. 
On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point. - Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available: - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler. - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used. - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add). - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system. - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers. - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions. - -mpower9-minmax: Reserved for future development. - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities. - New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions. - Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later. - All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers. - Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). 
The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed. - GCC on PowerPC now supports the standard lround function. - The 'q', 'S', 'T', and 't' asm-constraints have been removed. - The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed. S/390, System z, IBM z Systems improvements: - Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions. - Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning. - The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.) - Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included. - The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. 
If GCC is unable to detect the host CPU these options have no effect. - The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions. - -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used. - Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900. An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1364-1 Released: Fri Sep 16 17:13:43 2016 Summary: Security update for curl Type: security Severity: moderate References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389) - CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390) - CVE-2016-5421: use of connection struct after free (bsc#991391) - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420) Also the following bug was fixed: - fixing a performance issue (bsc#991746) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1370-1 Released: Wed Sep 21 12:58:14 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 994157,CVE-2016-6313 Description: This update for libgcrypt fixes the following issues: - RNG prediction vulnerability (bsc#994157, CVE-2016-6313) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1533-1 Released: Mon Oct 24 14:12:29 2016 Summary: 
Recommended update for SUSE Manager Client Tools Type: recommended Severity: moderate References: 1002529,986447,986978,990029,990439,990440,990738,991048,993039,993549,994619,996455,998185 Description: This update fixes the following issues: cobbler: - Enabling PXE grub2 support for PowerPC (bsc#986978) rhnlib: - Add function aliases for backward compatibility (bsc#998185) salt: - Setting up OS grains for SLES-ES (SLES Expanded Support platform) - Move salt home directory to /var/lib/salt (bsc#1002529) - Generate Salt Thin with configured extra modules (bsc#990439) - Prevent pkg.install failure for expired keys (bsc#996455) - Required D-Bus and generating machine ID - Fix python-jinja2 requirements in rhel - Fix pkg.installed refresh repository failure (bsc#993549) - Fix salt.states.pkgrepo.management no change failure (bsc#990440) - Prevent snapper module crash on load if no DBus is available in the system (bsc#993039) - Prevent continuous restart, if a dependency wasn't installed (bsc#991048) - Fix beacon list to include all beacons being process - Run salt-api as user salt like the master (bsc#990029) spacewalk-backend: - Fix for non-integer IDs for bugzilla bug - Silently ignore non-existing errata severity label on errata import, remove non-used exception (bsc#986447) - Make suseLib usable on a proxy spacewalk-client-tools: - Logging message in case of malformed XML file - Prevent crashes if machine-id is None (bsc#994619) - Print invalid package name and replace the invalid character - Ignore packages with not UTF-8 characters in name, version and release (bsc#990738) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1591-1 Released: Wed Nov 2 12:07:51 2016 Summary: Security update for curl Type: security Severity: important References: 
1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624 Description: This update for curl fixes the following security issues: - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646) - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645) - CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643) - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642) - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640) - CVE-2016-8619: double-free in krb5 code (bsc#1005638) - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637) - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635) - CVE-2016-8616: case insensitive password comparison (bsc#1005634) - CVE-2016-8615: cookie injection for other servers (bsc#1005633) - CVE-2016-7167: escape and unescape integer overflows (bsc#998760) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1614-1 Released: Mon Nov 7 20:01:31 2016 Summary: Recommended update for shadow Type: recommended Severity: low References: 1002975 Description: This update for shadow fixes the following issues: - Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1641-1 Released: Thu Nov 10 20:02:04 2016 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1006469,958369,979436 Description: This update for sg3_utils provides the following fixes: - Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469) - Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. 
(bsc#979436) - In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. (bsc#958369) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1716-1 Released: Mon Nov 28 14:52:36 2016 Summary: Recommended update for SUSE Manager Client Tools Type: recommended Severity: moderate References: 1003449,1004047,1004260,1004723,986019,999852 Description: This update includes the following new features: - Support Service Pack migration for Salt minions. (fate#320559) This update fixes the following issues: salt: - Fix exit codes of sysv init script. (bsc#999852) - Include resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade. - Fix Salt API crash via salt-ssh on empty roster. (bsc#1004723) - Add 'dist-upgrade' support to zypper module. (fate#320559) - Fix position of -X option to setfacl. (bsc#1004260) - Fix generated shebang in scripts on SLES-ES 7. (bsc#1004047) spacecmd: - Make exception class more generic and code fixes. (bsc#1003449) - Handle exceptions raised by listChannels. (bsc#1003449) - Alert if a non-unique package ID is detected. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1744-1 Released: Fri Dec 2 11:42:41 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. 
Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). 
- CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). 
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1782-1 Released: Fri Dec 9 13:35:02 2016 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1001790,1004289,1005404,1006372,1006690,989831,991443 Description: This update for systemd provides the following fixes: - Allow to redirect confirmation messages to a different console. (bsc#1006690) - Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831) - Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289) - Don't emit space usage message right after opening the persistent journal. (bsc#991443) - Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. (bsc#1006372) - Document that *KeyIgnoreInhibited only apply to a subset of locks. - Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404) - Revert 'kbd-model-map: add more mappings offered by Yast'. - Don't busy loop when we get a notification message we can't process. - Rename kbd-model-map-extra into kbd-model-map.legacy. - Add kbd-model-map-extra file which contains the additional maps needed by YaST. - Drop localfs.service: unused and not needed anymore. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1827-1
Released: Thu Dec 15 12:41:10 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.

These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: Heap overflow in compile_regex().
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues.
- CVE-2015-8381: Heap overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- Performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1863-1
Released: Wed Dec 21 10:41:35 2016
Summary: Recommended update for pth
Type: recommended
Severity: low
References: 1013286
Description:
This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1901-1
Released: Thu Dec 22 17:33:41 2016
Summary: Optional update for SLE 12 Modules for ARM64
Type: optional
Severity: low
References: 1002576
Description:
This update introduces many packages that were missing in the ARM64 version of the Web and Scripting, Manager Tools and Public Cloud Modules for SUSE Linux Enterprise Server 12 SP2.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2-1 Released: Mon Jan 2 08:35:08 2017 Summary: Security update for zlib Type: security Severity: moderate References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843 Description: This update for zlib fixes the following issues: CVE-2016-9843: Big-endian out-of-bounds pointer CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579) Incompatible declarations for external linkage function deflate (bsc#1003577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:6-1 Released: Tue Jan 3 15:01:58 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538 Description: This update for systemd fixes the following issues: - core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340) - fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989) - coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591) - Ship kbd-model-map with the correct contents. (bsc#1015515) - rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538) - tmpfiles: Don't skip path_set_perms on error. (bsc#953807) - nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390) - systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. 
  (bsc#1012818)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:32-1
Released: Mon Jan 9 11:50:42 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 994794
Description:
This update for dirmngr enables support for daemon mode.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:47-1
Released: Wed Jan 11 11:42:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1018214,1018399
Description:
This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:77-1
Released: Tue Jan 17 10:06:02 2017
Summary: Recommended update for salt
Type: recommended
Severity: moderate
References: 1003449,1004047,1004260,1004723,1008933,1012398,986019,999852,CVE-2016-9639
Description:
This update for Salt fixes one security issue and several non-security issues.

The following security issue has been fixed:
- Fix possible information leak due to revoked keys still being used. (bsc#1012398, CVE-2016-9639)

The following non-security issues have been fixed:
- Update to 2015.8.12
- Add pre-require to salt for minions.
- Do not restart salt-minion in salt package.
- Add try-restart to sys-v init scripts.
- Add 'Restart=on-failure' for salt-minion systemd service.
- Re-introduce 'KillMode=process' for salt-minion systemd service.
- Successfully exit salt-api child processes when SIGTERM is received.
- Fix exit codes of sysv init script. (bsc#999852)
- Include resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade.
- Fix Salt API crash via salt-ssh on empty roster.
  (bsc#1004723)
- Add 'dist-upgrade' support to zypper module. (fate#320559)
- Fix position of -X option to setfacl. (bsc#1004260)
- Fix generated shebang in scripts on SLES-ES 7. (bsc#1004047)
- Fix changing default-timezone. (bsc#1008933)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:98-1
Released: Thu Jan 19 10:17:55 2017
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 998906
Description:
This update for kmod fixes a rare race condition while loading modules.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:149-1
Released: Wed Jan 25 09:17:08 2017
Summary: Security update for systemd
Type: security
Severity: important
References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:
This update for systemd fixes the following issues:

This security issue was fixed:
- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).

These non-security issues were fixed:
- Fix permission set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries shown by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2017:170-1
Released: Mon Jan 30 19:13:36 2017
Summary: Initial release of Salt
Type: optional
Severity: low
References: 989693
Description:
This update adds Salt to the Advanced Systems Management 12 Module.

Salt is a distributed remote execution system used to execute commands and query data.
It was developed in order to bring the best solutions found in the world of remote execution together and make them better, faster and more malleable. Salt accomplishes this via its ability to handle larger loads of information, and not just dozens, but hundreds or even thousands of individual servers, handle them quickly and through a simple and manageable interface.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released: Thu Feb 2 18:22:37 2017
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.

This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

This non-security issue was fixed:
- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:192-1
Released: Fri Feb 3 18:46:05 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:209-1
Released: Tue Feb 7 17:00:47 2017
Summary: Recommended update for libseccomp
Type: recommended
Severity: low
References: 1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1
Released: Wed Feb 8 13:07:24 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
  (bsc#983216)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released: Fri Feb 10 15:39:32 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)

Security issues fixed:
- CVE-2016-7055: The x86_64 optimized Montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)

Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfilesd files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276)
- Properly require logrotate as we need it for the dirmngr configs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:347-1
Released: Wed Mar 8 12:23:47 2017
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1011304,1017078
Description:
This update for salt fixes the following issues:
- Fix invalid chars allowed for data IDs. (bsc#1011304)
- Fix timezone: Should be always in UTC. (bsc#1017078)
- Fix wrong 'enabled' opts for yumnotify plugin.
- SSH-option parameter for salt-ssh command.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:365-1
Released: Fri Mar 10 15:16:59 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1006175
Description:
This update for sg3_utils fixes the following issue:
- Add udev rules to handle legacy CCISS devices (bsc#1006175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:389-1
Released: Thu Mar 16 14:16:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:
This update for systemd provides the following fixes:
- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:439-1
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Type: recommended
Severity: low
References: 1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file.
  (bsc#959693)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:448-1
Released: Wed Mar 22 13:31:03 2017
Summary: Recommended update for python
Type: recommended
Severity: moderate
References: 1027282,964182
Description:
This update provides Python 2.7.13, which brings several bug fixes.
- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1.
- Update cipher lists for OpenSSL wrapper and support OpenSSL 1.1.0 and newer.
- Incorporate more integer overflow checks from upstream. (bsc#964182)
- Provide python2-* symbols to support new packages built as python2-.

For a comprehensive list of changes, please refer to the upstream Release Notes available at https://hg.python.org/cpython/raw-file/v2.7.13/Misc/NEWS

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released: Fri Mar 24 21:58:07 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package. (bsc#1015943)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:464-1
Released: Mon Mar 27 15:50:51 2017
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1007851,1029725,1029900
Description:
This update for glibc fixes a potential segmentation fault in libpthread:
- Fork in libpthread cannot use IFUNC resolver.
  (bsc#1007851, bsc#1029725, bsc#1029900)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:580-1
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Type: recommended
Severity: important
References: 1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types [bsc#1028410]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:609-1
Released: Tue Apr 18 11:28:14 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:656-1
Released: Fri Apr 28 16:12:30 2017
Summary: Recommended update for sqlite3
Type: recommended
Severity: low
References: 1019518,1025034
Description:
This update for sqlite3 provides the following fixes:
- Avoid calling sqlite3OsFetch() on a file-handle for which the xFetch method is NULL. This prevents a potential segmentation fault. (bsc#1025034)
- Fix defect in the in-memory journal logic that could leave the read cursor for the in-memory journal in an inconsistent state and result in a segmentation fault.
  (bsc#1019518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:732-1
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1030621
Description:
This update for procps fixes the following issues:
- Command w(1) with option -n doesn't work. (bsc#1030621)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:735-1
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:751-1
Released: Thu May 11 17:14:30 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:
This update for systemd provides the following fixes:
- logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as 'unchanged'. (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed.
  (bsc#1025398)
- core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:794-1
Released: Tue May 16 15:41:09 2017
Summary: Security update for bash
Type: security
Severity: moderate
References: 1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.

Additionally, the popd builtin now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:799-1
Released: Wed May 17 00:21:13 2017
Summary: Recommended update for glibc
Type: recommended
Severity: low
References: 1026224,1035445
Description:
This update for glibc introduces basic support for IBM POWER9 systems.

Additionally, an improper assert in dlclose() has been removed.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:821-1
Released: Fri May 19 00:17:44 2017
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1019386,1022841,1023535,1027044,1027240,1027722,1030009,1032213,1032452
Description:
This update for salt fixes the following issues:
- Refactoring on Zypper and Yum execution and state modules to allow installation of patches/errata.
- Fix log rotation permission issue (bsc#1030009)
- Use pkg/suse/salt-api.service by this package
- Set SHELL environment variable for the salt-api.service.
- Fix 'timeout' and 'gather_job_timeout' kwargs parameters for 'local_batch' client.
- Add missing bootstrap script for Salt Cloud.
  (bsc#1032452)
- Add missing /var/cache/salt/cloud directory. (bsc#1032213)
- Add test case for race conditions on cache directory creation.
- Add 'pkg.install downloadonly=True' support to yum/dnf execution module.
- Makes sure 'gather_job_timeout' is an Integer.
- Add 'pkg.downloaded' state and support for installing patches/erratas.
- Merge master_tops output.
- Fix race condition on cache directory creation.
- Cleanup salt user environment preparation. (bsc#1027722)
- Don't send passwords after shim delimiter is found. (bsc#1019386)
- Allow to set 'timeout' and 'gather_job_timeout' via kwargs.
- Allow to set custom timeouts for 'manage.up' and 'manage.status'.
- Define with system for fedora and RHEL 7. (bsc#1027240)
- Fix service state returning stacktrace. (bsc#1027044)
- Add OpenSCAP Module.
- Prevents 'OSError' exception in case certain job cache path doesn't exist. (bsc#1023535)
- Fix issue with cp.push.
- Fix salt-minion update on RHEL. (bsc#1022841)
- Adding new functions to Snapper execution module.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:865-1
Released: Wed May 24 16:23:20 2017
Summary: Security update for pam
Type: security
Severity: moderate
References: 1015565,1037824,934920,CVE-2015-3238
Description:
This update for pam fixes the following issues:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565).
- If /etc/nologin is present, but empty, log a hint to syslog.
  (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:873-1
Released: Fri May 26 16:19:47 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1009532,960273
Description:
This update for e2fsprogs provides the following fixes:
- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:877-1
Released: Mon May 29 15:11:48 2017
Summary: Recommended update for cryptsetup
Type: recommended
Severity: low
References: 1031998
Description:
This update for cryptsetup provides the following fix:
- Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:891-1
Released: Tue May 30 22:28:21 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read.
  (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:907-1
Released: Thu Jun 1 14:23:36 2017
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1003978,1031643
Description:
This update for shadow fixes the following issues:
- Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643)
- useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID range was iterated to find an available UID/GID. This could take a long time over a network device. Instead, find an available UID/GID locally, and then check only those values over the network. (bsc#1003978)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:918-1
Released: Tue Jun 6 12:35:44 2017
Summary: Recommended update for libsemanage, selinux-policy
Type: recommended
Severity: moderate
References: 1020143,1032445,1035818,1038189
Description:
This update for libsemanage, selinux-policy fixes the following issues:
- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:939-1
Released: Mon Jun 12 10:56:22 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:
* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:959-1
Released: Wed Jun 14 14:38:11 2017
Summary: Recommended update for gcc5
Type: recommended
Severity: low
References: 1043580
Description:
This update for gcc5 fixes the version of libffi in its pkg-config configuration file.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:962-1
Released: Wed Jun 14 16:33:07 2017
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)

Non-security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read.
  (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:974-1
Released: Fri Jun 16 13:49:05 2017
Summary: Security update for Salt
Type: security
Severity: moderate
References: 1011800,1012999,1017078,1020831,1022562,1025896,1027240,1027722,1030009,1030073,1032931,1035912,1035914,1036125,1038855,1039370,1040584,1040886,1043111,CVE-2017-5200,CVE-2017-8109
Description:
This update for salt provides version 2016.11.4 and brings various fixes and improvements:
- Adding a salt-minion watchdog for RHEL6 and SLES11 systems (sysV) to restart salt-minion in case of crashes during upgrade.
- Fix format error. (bsc#1043111)
- Fix ownership for whole master cache directory. (bsc#1035914)
- Disable 3rd party runtime packages to be explicitly recommended. (bsc#1040886)
- Fix insecure permissions in salt-ssh temporary files. (bsc#1035912, CVE-2017-8109)
- Disable custom rosters for Salt SSH via Salt API. (bsc#1011800, CVE-2017-5200)
- Orchestrate and batches don't return false failed information anymore.
- Speed-up cherrypy by removing sleep call.
- Fix os_family grains on SUSE. (bsc#1038855)
- Fix setting the language on SUSE systems. (bsc#1038855)
- Use SUSE specific salt-api.service. (bsc#1039370)
- Fix using hostname for minion ID as '127'.
- Fix core grains constants for timezone. (bsc#1032931)
- Minor fixes on new pkg.list_downloaded.
- Listing all type of advisory patches for Yum module.
- Prevents zero length error on Python 2.6.
- Fixes zypper test error after backporting.
- Raet protocol is no longer supported. (bsc#1020831)
- Fix moving SSH data to the new home. (bsc#1027722)
- Fix logrotating /var/log/salt/minion. (bsc#1030009)
- Fix result of master_tops extension is mutually overwritten.
  (bsc#1030073)
- Allows to set 'timeout' and 'gather_job_timeout' via kwargs.
- Allows to set custom timeouts for 'manage.up' and 'manage.status'.
- Use salt's ordereddict for comparison.
- Fix scripts for salt-proxy.
- Add openscap module.
- File.get_managed regression fix.
- Fix translate variable arguments if they contain hidden keywords. (bsc#1025896)
- Added unit test for dockerng.sls_build dryrun.
- Added dryrun to dockerng.sls_build.
- Update dockerng minimal version requirements.
- Fix format error in error parsing.
- Keep fix for migrating salt home directory. (bsc#1022562)
- Fix salt pkg.latest raises exception if package is not available. (bsc#1012999)
- Timezone should always be in UTC. (bsc#1017078)
- Fix timezone handling for rpm install time. (bsc#1017078)
- Increasing timeouts for running integrations tests.
- Add buildargs option to dockerng.build module.
- Fix error when missing ssh-option parameter.
- Re-add yum notify plugin.
- Pass all kwargs to dockerng.create to provide all features to sls_build as well.
- Datetime should be returned always in UTC.
- Fix possible crash while deserialising data on infinite recursion in scheduled state. (bsc#1036125)
- Documentation refresh to 2016.11.4
- For a detailed description, please refer to:
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.4.html
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.3.html
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.2.html
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.1.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released: Mon Jun 19 14:57:41 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library.
  (bsc#1042326)
- Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released: Mon Jun 19 17:19:44 2017
Summary: Security update for glibc
Type: security
Severity: important
References: 1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:
- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357]
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released: Fri Jun 23 16:38:55 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1038194
Description:
This update for e2fsprogs provides the following fixes:
- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs.
  (bsc#1038194)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released: Mon Jun 26 08:12:24 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released: Mon Jun 26 13:22:26 2017
Summary: Recommended update for libsemanage, policycoreutils
Type: recommended
Severity: low
References: 1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:
- Show version numbers of modules where they are available (bsc#1043237)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1075-1
Released: Thu Jun 29 18:18:50 2017
Summary: Recommended update for python-PyYAML
Type: recommended
Severity: low
References: 1002895
Description:
This update for python-PyYAML fixes the following issues:
- Adding an implicit resolver to a derived loader should not affect the base loader.
- Uniform representation for OrderedDict across different versions of Python.
- Fixed comparison to None warning.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released: Fri Jun 30 10:54:06 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1045943
Description:
This update for dirmngr provides the following fix:
- Change logrotate from Requires to Recommends (bsc#1045943)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released: Fri Jun 30 15:36:17 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released: Tue Jul 4 16:13:55 2017
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:

Security issue fixed:
- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)

The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert
device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. 
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released: Thu Jul 6 11:37:18 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released: Fri Jul 7 11:23:20 2017
Summary: Recommended update for ncurses
Type: security
Severity: important
References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)

Bugfixes:
- Drop patch ncurses-5.9-environment.dif, as the YaST2 ncurses GUI does not need it anymore and it causes bug bsc#1000662
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1126-1
Released: Fri Jul 7 21:23:02 2017
Summary: Recommended update for python-requests
Type: recommended
Severity: low
References: 967128
Description:
This update provides python-requests 2.11.1, which brings many fixes and enhancements:
- Strip Content-Type and Transfer-Encoding headers from the header block when following a redirect that transforms the verb from POST/PUT to GET.
- Added support for the ALL_PROXY environment variable.
- Reject header values that contain leading whitespace or newline characters to reduce risk of header smuggling.
- Fixed occasional TypeError when attempting to decode a JSON response that occurred in an error case. Now correctly returns a ValueError.
- Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY environment variables: Requests now treats it as a specific IP.
- Fixed a bug when sending JSON data that could cause us to encounter obscure OpenSSL errors in certain network conditions.
- Added type checks to ensure that iter_content only accepts integers and None for chunk sizes.
- Fixed issue where responses whose body had not been fully consumed would have the underlying connection closed but not returned to the connection pool, which could cause Requests to hang in situations where the HTTPAdapter had been configured to use a blocking connection pool.
- Change built-in CaseInsensitiveDict to use OrderedDict as its underlying datastore.
- Don't use redirect_cache if allow_redirects=False.
- When passed objects that throw exceptions from tell(), send them via chunked transfer encoding instead of failing.
- Raise a ProxyError for proxy related connection issues.
- The verify keyword argument now supports being passed a path to a directory of CA certificates, not just a single-file bundle.
- Warnings are now emitted when sending files opened in text mode.
- Added the 511 Network Authentication Required status code to the status code registry.
- For file-like objects that are not seeked to the very beginning, we now send the content length for the number of bytes we will actually read, rather than the total size of the file, allowing partial file uploads.
- When uploading file-like objects, if they are empty or have no obvious content length we set Transfer-Encoding: chunked rather than Content-Length: 0.
- We correctly receive the response in buffered mode when uploading chunked bodies.
- We now handle being passed a query string as a bytestring on Python 3, by decoding it as UTF-8.
- Sessions are now closed in all cases (exceptional and not) when using the functional API rather than leaking and waiting for the garbage collector to clean them up.
- Correctly handle digest auth headers with a malformed qop directive that contains no token, by treating it the same as if no qop directive was provided at all.
- Minor performance improvements when removing specific cookies by name.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1154-1
Released: Fri Jul 14 17:13:35 2017
Summary: Recommended update for python-CherryPy
Type: recommended
Severity: moderate
References: 1043589,1046667
Description:
This update for python-CherryPy fixes an SSL compatibility issue with CPython 2.7 and its built-in version of pyOpenSSL.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released: Fri Jul 14 17:20:26 2017
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connections (bsc#1031702)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released: Wed Jul 19 11:12:51 2017
Summary: Security update for systemd, dracut
Type: security
Severity: important
References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:

Security issues fixed:
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

Non-security issues fixed in systemd:
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

Non-security issues fixed in dracut:
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft). (bsc#1037120)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1198-1
Released: Fri Jul 21 14:04:23 2017
Summary: Recommended update for python-boto, python-simplejson
Type: recommended
Severity: low
References: 1002895
Description:
This update provides python-boto 2.42.0 and python-simplejson 3.8.2, which bring many fixes and enhancements.

python-boto:
- Respect is_secure parameter in generate_url_sigv4
- Update MTurk API
- Update endpoints.json
- Allow s3 bucket lifecycle policies with multiple transitions
- Fixes upload parts for glacier
- Autodetect sigv4 for ap-northeast-2
- Added support for ap-northeast-2
- Remove VeriSign Class 3 CA from trusted certs
- Add note about boto3 on all pages of boto docs
- Fix for listing EMR steps based on cluster_states filter
- Fixed param name in set_contents_from_string docstring
- Spelling and documentation fixes
- Add deprecation notice to emr methods
- Add some GovCloud endpoints.
python-simplejson:
- Fix issue with iterable_as_array and indent option
- New iterable_as_array encoder option to perform lazy serialization of any iterable objects, without having to convert to tuple or list
- Do not cache Decimal class in encoder, only reference the decimal module
- No longer trust custom str/repr methods for int, long, float subclasses: these instances are now formatted as if they were exact instances of those types
- Fix reference leak when an error occurs during dict encoding
- Fix dump when only sort_keys is set
- Automatically strip any UTF-8 BOM from input to more closely follow the latest specs
- Fix lower bound checking in scan_once / raw_decode API
- Consistently reject int_as_string_bitcount settings that are not positive integers
- Add int_as_string_bitcount encoder option
- Fix potential crash when encoder created with incorrect options
- Documentation updates.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1222-1
Released: Wed Jul 26 17:15:18 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1034563,1039941
Description:
This update for procps provides the following fixes:
- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1245-1
Released: Thu Aug 3 10:43:15 2017
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445
Description:
This update for systemd provides several fixes and enhancements.
Security issues fixed:
- CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1268-1
Released: Mon Aug 7 10:09:19 2017
Summary: Recommended update for openssl
Type: recommended
Severity: moderate
References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364
Description:
This update for openssl fixes the following issues, including fixes for our ongoing FIPS 140-2 evaluation:
- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address the SWEET32 problem (bsc#1027908)
- Use the getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy, to comply with FIPS 140-2 IG 7.14 (bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environment variable (bsc#1028723)
- s_client sent empty client certificate (bsc#1028281)
  Add back certificate initialization set_cert_key_stuff() which was removed in a previous update.
- Fix a bug in XTS key handling (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1279-1
Released: Mon Aug 7 14:46:40 2017
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1316-1
Released: Thu Aug 10 13:54:27 2017
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1014471,1026825,1044840,938657
Description:
This update for cyrus-sasl provides the following fixes:
- Fix SASL GSSAPI mechanism acceptor wrongly returning zero maxbufsize
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message (bsc#1044840)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1326-1
Released: Fri Aug 11 16:59:04 2017
Summary: Security update for libxml2
Type: security
Severity: low
References: 1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1330-1
Released: Mon Aug 14 18:41:29 2017
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 954661
Description:
This update for sed provides the following fixes:
- Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2017:1333-1
Released: Tue Aug 15 17:59:30 2017
Summary: Optional update for libverto
Type: optional
Severity: low
References: 1029561
Description:
This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1334-1
Released: Tue Aug 15 20:09:03 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1048679,874665
Description:
This update for systemd fixes the following issues:
- compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464)
- timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1335-1
Released: Wed Aug 16 11:24:21 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101
Description:
This update for curl fixes the following issues:
- CVE-2017-1000100: TFTP sends more than buffer size, which could lead to a denial of service (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1344-1
Released: Thu Aug 17 12:20:25 2017
Summary: Recommended update for python-simplejson
Type: recommended
Severity: low
References: 1002895
Description:
This update provides python-simplejson 3.8.2, which brings many fixes and enhancements:
- Fix issue with iterable_as_array and indent option
- New iterable_as_array encoder option to perform lazy serialization of any iterable objects, without having to convert to tuple or list
- Do not cache Decimal class in encoder, only reference the decimal module
- No longer trust custom str/repr methods for int, long, float subclasses: these instances are now formatted as if they were exact instances of those types
- Fix reference leak when an error occurs during dict encoding
- Fix dump when only sort_keys is set
- Automatically strip any UTF-8 BOM from input to more closely follow the latest specs
- Fix lower bound checking in scan_once / raw_decode API
- Consistently reject int_as_string_bitcount settings that are not positive integers
- Add int_as_string_bitcount encoder option
- Fix potential crash when encoder created with incorrect options
- Documentation updates.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1347-1
Released: Fri Aug 18 11:03:57 2017
Summary: Recommended update for procps
Type: recommended
Severity: important
References: 1053409
Description:
This update for procps fixes the following issues:
- Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1349-1
Released: Fri Aug 18 12:31:07 2017
Summary: Recommended update for lua51
Type: recommended
Severity: low
References: 1051626
Description:
This update for lua51 provides the following fixes:
- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1384-1
Released: Fri Aug 25 13:39:19 2017
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1036125
Description:
This update for salt fixes the following issues:
- Added bugfix for jobs scheduled to run at a future time staying pending for Salt minions. (bsc#1036125)
- Adding procps as dependency.
  This provides the 'ps' and 'pgrep' utilities, which are called from different Salt modules and also from the new salt-minion watchdog.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1390-1
Released: Fri Aug 25 15:14:27 2017
Summary: Security update for libzypp
Type: security
Severity: important
References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.

yast2-pkg-bindings:
- Do not crash when the repository URL is not defined. (bsc#1043218)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1412-1
Released: Tue Aug 29 18:29:00 2017
Summary: Recommended update for python-requests
Type: recommended
Severity: low
References: 967128
Description:
This update provides python-requests 2.11.1, which brings many fixes and enhancements:
- Strip Content-Type and Transfer-Encoding headers from the header block when following a redirect that transforms the verb from POST/PUT to GET.
- Added support for the ALL_PROXY environment variable.
- Reject header values that contain leading whitespace or newline characters to reduce risk of header smuggling.
- Fixed occasional TypeError when attempting to decode a JSON response that occurred in an error case. Now correctly returns a ValueError.
- Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY environment variables: Requests now treats it as a specific IP.
- Fixed a bug when sending JSON data that could cause us to encounter obscure OpenSSL errors in certain network conditions.
- Added type checks to ensure that iter_content only accepts integers and None for chunk sizes.
- Fixed issue where responses whose body had not been fully consumed would have the underlying connection closed but not returned to the connection pool, which could cause Requests to hang in situations where the HTTPAdapter had been configured to use a blocking connection pool.
- Change built-in CaseInsensitiveDict to use OrderedDict as its underlying datastore.
- Don't use redirect_cache if allow_redirects=False.
- When passed objects that throw exceptions from tell(), send them via chunked transfer encoding instead of failing.
- Raise a ProxyError for proxy related connection issues.
- The verify keyword argument now supports being passed a path to a directory of CA certificates, not just a single-file bundle.
- Warnings are now emitted when sending files opened in text mode.
- Added the 511 Network Authentication Required status code to the status code registry.
- For file-like objects that are not seeked to the very beginning, we now send the content length for the number of bytes we will actually read, rather than the total size of the file, allowing partial file uploads.
- When uploading file-like objects, if they are empty or have no obvious content length we set Transfer-Encoding: chunked rather than Content-Length: 0.
- We correctly receive the response in buffered mode when uploading chunked bodies.
- We now handle being passed a query string as a bytestring on Python 3, by decoding it as UTF-8.
- Sessions are now closed in all cases (exceptional and not) when using the functional API rather than leaking and waiting for the garbage collector to clean them up.
- Correctly handle digest auth headers with a malformed qop directive that contains no token, by treating it the same as if no qop directive was provided at all. - Minor performance improvements when removing specific cookies by name. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1419-1 Released: Wed Aug 30 15:38:22 2017 Summary: Security update for expat Type: security Severity: moderate References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233 Description: This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1439-1 Released: Fri Sep 1 15:31:05 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1045384,1045987,1046268,1047379,1048605 Description: This update for systemd fixes the following issues: - Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605) - compat-rules: drop the bogus 'import everything' rule (bsc#1046268) - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379) - udev/path_id: introduce support for NVMe devices (bsc#1045987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1447-1 Released: Mon Sep 4 15:38:20 2017 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Adapt to work with GnuPG 2.1.23. (bsc#1054088) - Support signing with subkeys. (bsc#1008325) - Enhance sort order for media.1/products. (bsc#1054671) zypper: - Also show a gpg key's subkeys. 
(bsc#1008325) - Improve signature check callback messages. (bsc#1045735) - Add options to tune the GPG check settings. (bsc#1045735) - Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436) - Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1450-1 Released: Mon Sep 4 16:36:07 2017 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 1035062,944903 Description: This update for insserv-compat fixes the following issues: - Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062) - Fix directory argument parsing. (bsc#944903) - Add perl(Getopt::Long) to list of requirements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1453-1 Released: Mon Sep 4 21:23:50 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1043333,1046659,1047008 Description: This update for libgcrypt fixes the following issues: - libgcrypt stored an open file descriptor to the random device in a static variable between invocations. 
gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333) - Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659) * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer - fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659) - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1457-1 Released: Tue Sep 5 14:40:18 2017 Summary: Security update for python-pycrypto Type: security Severity: important References: 1017420,1047666,CVE-2013-7459 Description: This update for python-pycrypto fixes the following issues: - CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew (bsc#1017420). python-paramiko was adjusted to work together with this python-pycrypto change. (bsc#1047666) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1548-1 Released: Fri Sep 15 18:19:12 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1005063,1009269,1012523,1025176,1050767,1050943 Description: This update for sg3_utils provides the following fixes: - Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176) - In case the VPD sysfs attributes are missing or cannot be accessed, fallback to use sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523) - Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063) - Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. 
(bsc#1050943) - Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767) - Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1592-1 Released: Tue Sep 26 17:38:03 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1028485,1045628,978055,998893,999878 Description: This update for lvm2 provides the following fixes: - Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485) - Try to refresh clvmd's device cache on the first failure. (bsc#978055) - Fix stale device cache in clvmd. (bsc#978055) - Warn if PV size in metadata is larger than disk device size. (bsc#999878) - Fix lvm2 activation issue when used on top of multipath. (bsc#998893) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1644-1 Released: Mon Oct 9 07:52:24 2017 Summary: Security update for krb5 Type: security Severity: moderate References: 1032680,1054028,1056995,903543,CVE-2017-11462 Description: This update for krb5 fixes several issues. This security issue was fixed: - CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995) These non-security issues were fixed: - Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028) - Prevent kadmind.service startup failure caused by absence of LDAP service. 
(bsc#903543) - Remove main package's dependency on systemd (bsc#1032680) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1660-1 Released: Mon Oct 9 15:39:22 2017 Summary: Security update for Salt Type: security Severity: moderate References: 1051948,1052264,1053376,1053955,CVE-2017-12791 Description: This update for salt fixes one security issue and bugs: The following security issue has been fixed: - CVE-2017-12791: Directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID (bsc#1053955). Additionally, the following non-security issues have been fixed: - Added support for SUSE Manager scalability features. (bsc#1052264) - Introduced the kubernetes module. (bsc#1051948) - Notify systemd synchronously via NOTIFY_SOCKET. (bsc#1053376) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1663-1 Released: Tue Oct 10 12:05:09 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1043615,1046173 Description: This update for dbus-1 provides the following fixes: - Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1703-1 Released: Tue Oct 17 13:20:12 2017 Summary: Recommended update for audit Type: recommended Severity: low References: 1042781 Description: This update for audit provides the following fix: - Make auditd start by forking the systemd service to fix some initialization failures. 
(bsc#1042781) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1758-1 Released: Mon Oct 23 08:47:47 2017 Summary: Security update for curl Type: security Severity: moderate References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876) - CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824) Bugs fixed: - Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1772-1 Released: Wed Oct 25 14:10:42 2017 Summary: Recommended update for logrotate Type: recommended Severity: low References: 1057801 Description: This update for logrotate provides the following fix: - Make sure log files continue to rotate properly when a stale status file is found. (bsc#1057801) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1796-1 Released: Fri Oct 27 21:25:06 2017 Summary: Recommended update for pcre Type: recommended Severity: moderate References: 1058722 Description: This update for pcre fixes the following issues: - Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining pcre match() function (bsc#1058722) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1797-1 Released: Sat Oct 28 12:06:19 2017 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1028304,1048645,1060738 Description: This update for permissions fixes the following issues: - Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. 
(bsc#1028304) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1826-1 Released: Wed Nov 8 08:47:17 2017 Summary: Security update for krb5 Type: security Severity: important References: 1065274,CVE-2017-15088 Description: This update for krb5 fixes the following issues: Security issue fixed: - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1829-1 Released: Wed Nov 8 08:50:00 2017 Summary: Security update for shadow Type: security Severity: moderate References: 1023895,1052261,980486,CVE-2017-12424 Description: This update for shadow fixes several issues. This security issue was fixed: - CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have led to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261). These non-security issues were fixed: - bsc#1023895: Fixed the man page to not contain invalid options and also prevent warnings when using these options in certain settings - bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1881-1 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Type: security Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 Description: The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string.
(bsc#913650) - CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651) - CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allowed remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152) - CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910252) - CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253) Version update to file version 5.22 * add indirect relative for TIFF/Exif * restructure elf note printing to avoid repeated messages * add note limit, suggested by Alexander Cherepanov * Bail out on partial pread()'s (Alexander Cherepanov) * Fix incorrect bounds check in file_printable (Alexander Cherepanov) * PR/405: ignore SIGPIPE from uncompress programs * change printable -> file_printable and use it in more places for safety * in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name. Version update to file version 5.21 * there was an incorrect free in magic_load_buffers() * there was an out of bounds read for some pascal strings * there was a memory leak in magic lists * don't interpret strings printed from files using the current locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads Update to file version 5.20 * recognize encrypted CDF documents * add magic_load_buffers from Brooks Davis * add thumbs.db support Additional non-security bug fixes: * Fixed a memory corruption during rpmbuild (bsc#1063269) * Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511) * file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1903-1 Released: Fri Nov 24 16:19:37 2017 Summary: Security update for perl Type: security Severity: moderate References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724) - CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721) - CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. 
(bnc#1047178) Bug fixes: - backport set_capture_string changes from upstream (bsc#999735) - reformat baselibs.conf as source validator workaround ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1916-1 Released: Fri Nov 24 20:15:01 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1043333,1059723 Description: This update for libgcrypt provides the following fix: - Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon. (bsc#1059723) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1917-1 Released: Mon Nov 27 13:32:07 2017 Summary: Optional update for gcc7 Type: recommended Severity: low References: 1056437,1062591,1062592 Description: The GNU Compiler GCC 7 is being added to the Toolchain Module by this update. New features: - Support for specific IBM Power9 processor instructions. - Support for specific IBM zSeries z14 processor instructions. - New packages cross-nvptx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA card offload support. The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 7, several bugs fixed, a number of new warnings added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1965-1 Released: Thu Nov 30 12:48:45 2017 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410 Description: The Software Update Stack was updated to receive fixes and enhancements. libsolv: - Many fixes and improvements for cleandeps. - Always create dup rules for 'distupgrade' jobs. - Use recommends also for ordering packages. - Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065) - Expose solver_get_recommendations() in bindings. - Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations(). - Support 'without' and 'unless' dependencies. - Use same heuristic as upstream to determine source RPMs. - Fix memory leak in bindings. - Add pool_best_solvables() function. - Fix 64bit integer parsing from RPM headers. - Enable bzip2 and xz/lzma compression support. - Enable complex/rich dependencies on distributions with RPM 4.13+. libzypp: - Fix media handling in presence of a repo path prefix. (bsc#1062561) - Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561) - Remove unused legacy notify-message script. (bsc#1058783) - Support multiple product licenses in repomd. (fate#322276) - Propagate 'rpm --import' errors. (bsc#1057188) - Fix typos in zypp.conf. zypper: - Locale: Fix possible segmentation fault. (bsc#1064999) - Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384) - Unify '(add|modify)(repo|service)' property related arguments. 
- Fixed 'add' commands to support setting only a subset of properties. - Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671) - Fix missing package names in installation report. (bsc#1058695) - Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634) - Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1966-1 Released: Thu Nov 30 13:45:24 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249 Description: This update for systemd fixes the following issues: - unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995) - compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249) - compat-rules: Allow specifying the generation number through the kernel command line. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - tmpfiles: Remove old ICE and X11 sockets at boot. - tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472) - pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on. - shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595) - shutdown: Fix incorrect fscanf() result check. - shutdown: Don't remount,ro network filesystems. (bsc#1035386) - shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641) - bash-completion: Add support for --now. (bsc#1053137) - Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11.
(bsc#1050152) - Add a rule to teach hotplug to offline containers transparently. (bsc#1040800) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1968-1 Released: Thu Nov 30 19:49:33 2017 Summary: Recommended update for coreutils Type: recommended Severity: low References: 1026567,1043059,965780 Description: This update for coreutils provides the following fixes: - Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567) - Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via systemd.automount(5). (bsc#1043059) - Significantly speed up df(1) for huge mount lists. (bsc#965780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1970-1 Released: Thu Nov 30 22:55:41 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read (bsc#1056058) - CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242) - Out of bounds read+crash in DES_fcrypt (bsc#1065363) - openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2021-1 Released: Fri Dec 8 10:11:04 2017 Summary: Recommended update for file Type: recommended Severity: moderate References: 1070878,1070958 Description: This update for file fixes detection of JPEG files.
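The perl advisory above (SUSE-SU-2017:1903-1, CVE-2017-6512) describes a race in File::Path's rmtree: directory permissions are loosened and the tree is walked by path, so a directory that is swapped for a symlink between the check and the operation redirects the chmod (or the delete) to a file of the attacker's choosing. The following is an added example, not File::Path's, Perl's or SUSE's code, of the descriptor-relative pattern that closes that window: after the initial lstat, every step runs on an already-open descriptor (O_NOFOLLOW, dir_fd=, an fstat identity check, and chmod through an O_PATH descriptor), never on a path that could be swapped. Function names and the demo layout are my own; it assumes Linux (os.O_PATH and /proc/self/fd).

```python
"""Race-resistant recursive delete, added example illustrating the bug class of
CVE-2017-6512.  Not the project's code; assumes Linux (os.O_PATH, /proc)."""
import os
import shutil
import stat
import tempfile

_DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def _verify_same_inode(fd, expected):
    """Abort if the descriptor does not refer to the inode we lstat()ed:
    that means the name was swapped between our check and our open."""
    st = os.fstat(fd)
    if (st.st_dev, st.st_ino) != (expected.st_dev, expected.st_ino):
        raise OSError("directory entry changed underneath us, aborting")


def _open_dir(name, dir_fd, expected):
    """Open `name` (relative to dir_fd) as a directory without following
    symlinks.  If we lack permission, loosen the mode on the verified inode
    through an O_PATH descriptor, not by path: chmod-by-path after a check
    is exactly the window the File::Path bug left open."""
    try:
        fd = os.open(name, _DIR_FLAGS, dir_fd=dir_fd)
    except PermissionError:
        pfd = os.open(name, os.O_PATH | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
        try:
            _verify_same_inode(pfd, expected)
            # /proc/self/fd/N resolves to the opened inode, whatever the name now points at.
            os.chmod("/proc/self/fd/%d" % pfd, (expected.st_mode & 0o7777) | 0o700)
        finally:
            os.close(pfd)
        fd = os.open(name, _DIR_FLAGS, dir_fd=dir_fd)
    try:
        _verify_same_inode(fd, expected)
    except OSError:
        os.close(fd)
        raise
    return fd


def _rmtree_fd(dir_fd):
    with os.scandir(dir_fd) as it:
        names = [e.name for e in it]
    for name in names:
        st = os.lstat(name, dir_fd=dir_fd)       # lstat: a symlink stays a symlink
        if stat.S_ISDIR(st.st_mode):
            sub = _open_dir(name, dir_fd, st)
            try:
                _rmtree_fd(sub)
            finally:
                os.close(sub)
            os.rmdir(name, dir_fd=dir_fd)        # fails harmlessly if swapped for a symlink
        else:
            os.unlink(name, dir_fd=dir_fd)       # removes the link itself, never its target


def rmtree_safe(path):
    """Delete `path` recursively.  Refuses a symlink at the top (lstat check,
    and O_NOFOLLOW would give ELOOP anyway) and never follows one below it."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    fd = _open_dir(path, None, st)
    try:
        _rmtree_fd(fd)
    finally:
        os.close(fd)
    os.rmdir(path)


def demo():
    """Constructed scenario: doomed/ holds a mode-000 subdirectory and a symlink
    to victim/.  Returns True if doomed/ is gone, victim/ is untouched and a
    top-level symlink to doomed/ is refused."""
    root = tempfile.mkdtemp()
    try:
        victim = os.path.join(root, "victim")
        os.makedirs(victim)
        with open(os.path.join(victim, "secret.txt"), "w") as f:
            f.write("must survive\n")
        doomed = os.path.join(root, "doomed")
        nested = os.path.join(doomed, "nested")
        os.makedirs(nested)
        with open(os.path.join(nested, "junk"), "w") as f:
            f.write("x\n")
        os.chmod(nested, 0o000)                  # exercises the loosening path when not root
        os.symlink(victim, os.path.join(doomed, "link_to_victim"))
        link = os.path.join(root, "top_link")
        os.symlink(doomed, link)
        try:
            rmtree_safe(link)
            return False                         # must not delete through a symlink
        except OSError:
            pass
        rmtree_safe(doomed)
        return (not os.path.lexists(doomed)
                and os.path.exists(os.path.join(victim, "secret.txt")))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

The remaining window is the final os.rmdir(name, dir_fd=...) after the subtree is emptied: if the name is swapped for a symlink by then, rmdir fails with ENOTDIR rather than deleting anything through it, which is the fail-closed outcome wanted here.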
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2031-1 Released: Mon Dec 11 12:55:57 2017 Summary: Recommended update for gzip Type: recommended Severity: low References: 1067891 Description: This update for gzip provides the following fix: - Fix mishandling of leading zeros in the end-of-block code (bsc#1067891) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2036-1 Released: Wed Dec 13 16:34:21 2017 Summary: Recommended update for util-linux Type: recommended Severity: low References: 1039276,1040968,1055446,1066500 Description: This update for util-linux provides the following fixes: - Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968) - Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446) - Fix an lscpu failure on the Sydney Amazon EC2 region. (bsc#1066500) - If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2097-1 Released: Sat Dec 16 01:59:00 2017 Summary: Security update for openssl Type: security Severity: important References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738 Description: This update for openssl fixes the following issues: - OpenSSL Security Advisory [07 Dec 2017] * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 'error state' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly.
In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905) * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2111-1 Released: Wed Dec 20 12:12:49 2017 Summary: Security update for Salt Type: security Severity: moderate References: 1041993,1042749,1050003,1059291,1059758,1060230,1062462,1062464,985112,CVE-2017-14695,CVE-2017-14696 Description: This update for salt fixes two security issues and bugs.
The following security issues have been fixed: - CVE-2017-14695: A directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. (bsc#1062462) - CVE-2017-14696: It was possible to force a remote Denial of Service with a specially crafted authentication request. (bsc#1062464) Additionally, the following non-security issues have been fixed: - Removed deprecation warning for beacon configuration using dictionaries. (bsc#1041993) - Fixed a beacons failure where pillar-based beacon configuration suppressed config-based beacon configuration. (bsc#1060230) - Fixed minion resource exhaustion when many functions are being executed in parallel. (bsc#1059758) - Remove the 'TasksMax' setting from salt-master.service on older versions of systemd. (bsc#985112) - Fix for delete_deployment in Kubernetes module. (bsc#1059291) - Catch the error when the PID file cannot be deleted. (bsc#1050003) - Use $HOME to get the user home directory instead of using the '~' character. (bsc#1042749) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2137-1 Released: Thu Dec 21 17:49:12 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1046173,1071698 Description: This update for dbus-1 provides the following fixes: - The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:4-1 Released: Tue Jan 2 15:58:20 2018 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1057640,1067605,1068708,1071466,969569 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Don't store duplicated locks.
(bsc#969569) - Fix default for solver.allowNameChange. (bsc#1071466) - Don't filter procs with a different mnt namespace. (bsc#1068708) - Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605) zypper: - Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:38-1 Released: Tue Jan 9 14:56:43 2018 Summary: Recommended update for kmod Type: recommended Severity: low References: 1070209 Description: This update for kmod provides the following fixes: - Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209) - Fix kernel master build for ppc64le (bsc#1070209) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:55-1 Released: Fri Jan 12 09:45:49 2018 Summary: Security update for glibc Type: security Severity: important References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001 Description: This update for glibc fixes the following issues: - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed.
[CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:86-1 Released: Wed Jan 17 09:38:17 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:88-1 Released: Wed Jan 17 14:41:17 2018 Summary: Security update for curl Type: security Severity: moderate References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226). - CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222). 
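Both Salt advisories above (SUSE-SU-2017:1660-1, CVE-2017-12791, and SUSE-SU-2017:2111-1, CVE-2017-14695) are the same bug class: the minion ID is used to build a path under the master's key directory, and an ID carrying path components let a minion with the wrong credentials be matched against a key it should never reach. The check below is an added example, not Salt's own code: the allow-list, the function names and the <pki_dir>/minions layout are assumptions chosen to show why a blocklist on "../" is not enough and why a containment check on the resolved path belongs behind the allow-list.

```python
"""Minion-ID validation illustrating the bug class of CVE-2017-12791 /
CVE-2017-14695.  Added example, not Salt's own code; layout and names assumed."""
import os
import re

# Assumed layout: accepted keys live at <pki_dir>/minions/<minion_id>, so the
# ID becomes a path component and must not be able to name anything else.
_ALLOWED_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def blocklist_valid_id(minion_id):
    """The insufficient approach: blocklist one traversal spelling.  Absolute
    paths, backslash forms and '..' without a following slash all get through."""
    return bool(minion_id) and "../" not in minion_id


def valid_minion_id(minion_id):
    """Allow-list check: hostname-like IDs only.  Rejects empty strings, NUL,
    '/', '\\', a leading dot (so '.' and '..' too), whitespace and non-ASCII.
    fullmatch() rather than match() so a trailing newline cannot slip past '$'."""
    return isinstance(minion_id, str) and _ALLOWED_ID.fullmatch(minion_id) is not None


def minion_key_path(pki_dir, minion_id):
    """Resolve the on-disk key path for an ID, enforcing the allow-list and a
    final containment check on the normalised result."""
    if not valid_minion_id(minion_id):
        raise ValueError("rejected minion id: %r" % (minion_id,))
    base = os.path.realpath(os.path.join(pki_dir, "minions"))
    target = os.path.realpath(os.path.join(base, minion_id))
    # Defence in depth: even if the allow-list is loosened later, never hand
    # back a path that is not strictly below <pki_dir>/minions.  Note that
    # os.path.join(base, "/etc/passwd") discards base entirely, which is why
    # the check is made on the joined and normalised path, not on the input.
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("minion id escapes key directory: %r" % (minion_id,))
    return target


def is_rejected(pki_dir, minion_id):
    """Helper for the checks below: True if minion_key_path refuses the ID."""
    try:
        minion_key_path(pki_dir, minion_id)
    except ValueError:
        return True
    return False


# Constructed IDs: each one is crafted to escape the key directory.
CRAFTED_IDS = [
    "../../minions_pre/web-01",      # classic traversal
    "web-01/../../root",             # traversal hidden behind a valid prefix
    "/root/.ssh/authorized_keys",    # absolute path: os.path.join discards the base
    "..\\..\\web-01",                # backslash form, relevant for a master on Windows
    "",                              # empty ID would resolve to the directory itself
]

if __name__ == "__main__":
    for mid in ["web-01.example.com"] + CRAFTED_IDS:
        print("%-32r blocklist=%-5s allowlist=%s"
              % (mid, blocklist_valid_id(mid), valid_minion_id(mid)))
```

The two layers fail differently on purpose: the allow-list stops crafted IDs before any filesystem call is made, while the containment check catches a future regression in the allow-list, such as someone adding '/' to the character class to support a new naming scheme.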
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:90-1 Released: Wed Jan 17 14:44:33 2018 Summary: Recommended update for lvm2 Type: recommended Severity: low References: 1063051,1067312 Description: This update for lvm2 provides the following fixes: - Backport various upstream fixes for clvmd. (bsc#1063051) - Don't print error messages on testing the connection to the daemon. (bsc#1063051) - Fix handling of udev CHANGE events with systemd. (bsc#1067312) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:146-1 Released: Thu Jan 25 11:44:23 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1064397,1065083 Description: This update for openldap2 provides the following fixes: - Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083) - Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:149-1 Released: Thu Jan 25 13:38:37 2018 Summary: Security update for curl Type: security Severity: moderate References: 1077001,CVE-2018-1000007 Description: This update for curl fixes one issue. This security issue was fixed: - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:209-1 Released: Tue Jan 30 10:53:43 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734 Description: This update for ncurses fixes several issues.
These security issues were fixed: - CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126). - CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127). - CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128). - CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129). - CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131). - CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132). - CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:213-1 Released: Tue Jan 30 14:36:40 2018 Summary: Security update for systemd Type: security Severity: moderate References: 1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049 Description: This update for systemd fixes several issues. This security issue was fixed: - CVE-2018-1049: Prevent a race that can lead to DoS when using automounts (bsc#1076308).
These non-security issues were fixed: - core: don't choke if a unit another unit triggers vanishes during reload - delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX - delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428) - delta: check if a prefix needs to be skipped only once - delta: skip symlink paths when split-usr is enabled (#4591) - sysctl: use raw file descriptor in sysctl_write (#7753) - sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254) - Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'. - sysctl: disable buffer while writing to /proc (bsc#1071558) - Use read_line() and LONG_LINE_MAX to read values from configuration files. (bsc#1071558) - sysctl: no need to check for eof twice - def: add new constant LONG_LINE_MAX - fileio: add new helper call read_line() as bounded getline() replacement - service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156) - gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280) - gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422) - fstab-util: introduce fstab_has_fstype() helper - fstab-generator: ignore root=/dev/nfs (#3591) - fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452) - virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510) - analyze: replace --no-man with --man=no in the man page (bsc#1068251) - udev: net_setup_link: don't error out when we couldn't apply link config (#7328) - Add missing /etc/systemd/network directory - Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510) - sd-bus: use -- when passing arguments to ssh (#6706) - systemctl: make sure we terminate the bus connection first, and then close the pager (#3550) - sd-bus: bump message queue size
(bsc#1075724) - tmpfiles: downgrade warning about duplicate line ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:214-1 Released: Tue Jan 30 14:37:42 2018 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1076832,CVE-2018-6003 Description: This update for libtasn1 fixes one issue. This security issue was fixed: - CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER encoded structure that allowed for DoS (bsc#1076832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:231-1 Released: Thu Feb 1 09:56:36 2018 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: low References: 1071543,1073715 Description: This update for systemd-rpm-macros provides the following fixes: - Make sure to apply presets if packages start shipping units during upgrades. (bsc#1071543, bsc#1073715) - Remove a useless test in %service_add_pre(). The test was placed where the condition '[ '$FIRST_ARG' -gt 1 ]' was always true. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:276-1 Released: Thu Feb 8 17:47:43 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130 Description: This update for libxml2 fixes three issues. These security issues were fixed: - CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993) - CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
(bsc#1078813) - CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:291-1 Released: Mon Feb 12 11:50:39 2018 Summary: Recommended update for bash Type: recommended Severity: low References: 1057452,1076909 Description: This update for bash provides the following fixes: - Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452) - Fix a crash when the filesystem is full. (bsc#1076909) - Enable multi-byte characters by default. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:314-1 Released: Thu Feb 15 14:47:35 2018 Summary: Security update for glibc Type: security Severity: important References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551 Description: This update for glibc fixes the following issues: Security issues fixed: - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293) Non-security bugs fixed: - Release read lock after resetting timeout (bsc#1073990) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:336-1 Released: Wed Feb 21 14:26:52 2018 Summary: Security update for libdb-4_8 Type: security Severity: moderate References: 1043886 Description: This update for libdb-4_8 fixes the following issues: - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8.
(bsc#1043886) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:355-1 Released: Mon Feb 26 16:34:46 2018 Summary: Security update for systemd Type: security Severity: moderate References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the fs.protected_hardlinks sysctl is on. This could be used by local attackers to gain privileges (bsc#1077925) Non-security issues fixed: - core: use id unit when retrieving unit file state (#8038) (bsc#1075801) - cryptsetup-generator: run cryptsetup service before swap unit (#5480) - udev-rules: all values can contain escaped double quotes now (#6890) - strv: fix buffer size calculation in strv_join_quoted() - tmpfiles: change ownership of symlinks too - stdio-bridge: Correctly propagate error - stdio-bridge: remove dead code - remove bus-proxyd (bsc#1057974) - core/timer: Prevent timer looping when unit cannot start (bsc#1068588) - Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com. - Don't ship /usr/lib/systemd/system/tmp.mount at all (bsc#1071224). But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Type: recommended
Severity: low
References: 1009905,1063910
Description:
This update for net-tools provides the following fix:
- netstat: fix handling of large socket numbers (bsc#1063910)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:377-1
Released: Wed Feb 28 21:31:59 2018
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1050003,1063419,1065792,1068446,1068566,1071322,1072218,1073618,1074227,1078001
Description:
This update for salt fixes the following issues:
- Fix state files with unicode. (bsc#1074227)
- Catch ImportError for kubernetes.client import. (bsc#1078001)
- Fix epoch handling for Rhel 6 and 7.
- Fix zypper module to return UTC dates on 'pkg.list_downloaded'.
- Fix return value parsing when calling vm_state. (bsc#1073618)
- Fix 'user.present' when 'gid_from_name' is set but group does not exist.
- Split only strings, if they are such. (bsc#1072218)
- Feat: Add grain for all FQDNs. (bsc#1063419)
- Fix 'No service execution module loaded' issue. (bsc#1065792)
- Removed unnecessary logging on shutdown. (bsc#1050003)
- Add grain for retrieving FQDNs. (bsc#1063419)
- Older logrotate needs the su directive. (bsc#1071322)
- Fix for wrong version processing during yum pkg install. (bsc#1068566)
- Avoid excessive syslogging by watchdog cronjob.
- Check pillar: Fix the logic according to the exact described purpose of the function. (bsc#1068446)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released: Fri Mar 9 14:05:22 2018
Summary: Security update for augeas
Type: security
Severity: low
References: 1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:
Security issue fixed:
- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released: Fri Mar 9 18:02:14 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:
- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released: Mon Mar 12 13:13:55 2018
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:
- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released: Thu Mar 15 07:38:52 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:
- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released: Thu Mar 15 10:47:40 2018
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: low
References: 1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:
libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.
libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)
zypper:
- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released: Thu Mar 22 08:20:46 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:
The following security issues were fixed:
- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).
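The tmpfiles change for CVE-2017-18078 (SUSE-SU-2018:355-1 above) is a small but instructive rule: a privileged job must not chown()/chmod() a path whose inode has more than one link unless fs.protected_hardlinks is on, because with the sysctl off any local user can hardlink a file they cannot write into a directory the job will later "fix up". The block below is an added example written for this digest, not systemd's code. It pins the inode with an O_NOFOLLOW open and applies the change through the descriptor so that the check and the change hit the same object; the sysctl path and the use of a read-only open (a privileged implementation would open with O_PATH, which needs no read permission) are this example's assumptions. The scratch files in demo() are constructed.

```python
"""Hardlink-aware chown/chmod in the spirit of the systemd tmpfiles fix for
CVE-2017-18078 (SUSE-SU-2018:355-1). Added example, not systemd's code."""
import errno
import os
import stat
import tempfile

PROTECTED_HARDLINKS = "/proc/sys/fs/protected_hardlinks"   # Linux sysctl path


class RefusedTarget(PermissionError):
    """The target is not safe to chown/chmod."""


def protected_hardlinks_enabled() -> bool:
    """Read fs.protected_hardlinks. A missing sysctl (non-Linux, restricted
    container) is reported as "unprotected", which is the conservative answer."""
    try:
        with open(PROTECTED_HARDLINKS) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def safe_set_perms(path, mode=None, uid=-1, gid=-1, *, protected=None):
    """chmod/chown *path* only when no hardlink trick can redirect the change.

    With fs.protected_hardlinks=0 any local user may hardlink a file they
    cannot write (say /etc/shadow) into a directory that a privileged
    tmpfiles-style job later chmods or chowns, so a link count above one is
    refused unless the sysctl is on. Returns the link count that was seen.
    """
    if protected is None:
        protected = protected_hardlinks_enabled()
    try:
        # O_NOFOLLOW: never act through a symlink. The fd pins the inode, so the
        # check and the change below apply to the same object (no rename race).
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise RefusedTarget(f"{path}: is a symlink") from None
        raise
    try:
        st = os.fstat(fd)
        if st.st_nlink > 1 and not protected:
            raise RefusedTarget(f"{path}: {st.st_nlink} links and fs.protected_hardlinks=0")
        if uid != -1 or gid != -1:
            os.fchown(fd, uid, gid)
        if mode is not None:
            os.fchmod(fd, mode)
        return st.st_nlink
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a plain file, a hardlinked pair and a symlink in a
    scratch directory. Returns what the guard did for each case."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        plain, linked, twin, sym = (os.path.join(d, n) for n in ("plain", "linked", "twin", "sym"))
        for p in (plain, linked):
            with open(p, "w") as f:
                f.write("x\n")
        os.link(linked, twin)      # two names, one inode: st_nlink == 2
        os.symlink(plain, sym)
        out["plain"] = safe_set_perms(plain, 0o600, protected=False)
        out["plain_mode"] = stat.S_IMODE(os.stat(plain).st_mode)
        for label, target, prot in (("twin_unprotected", twin, False),
                                    ("twin_protected", twin, True),
                                    ("symlink", sym, True)):
            try:
                out[label] = safe_set_perms(target, 0o600, protected=prot)
            except RefusedTarget:
                out[label] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

The `protected` keyword exists so callers (and tests) can force either sysctl state; in production leave it at None so the live sysctl decides, and note that the symlink case is refused outright here, whereas tmpfiles handles symlink ownership as a separate, lchown-based step.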
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:524-1
Released: Thu Mar 22 11:53:28 2018
Summary: Recommended update for zypp-plugin
Type: recommended
Severity: low
References: 1081596
Description:
This update provides the new Python 3 module for the zypp-plugin.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released: Thu Mar 29 14:02:08 2018
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:
Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).
Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released: Thu Apr 5 17:22:37 2018
Summary: Security update for libidn
Type: security
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.
This security issue was fixed:
- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released: Wed Apr 11 18:02:57 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. (bsc#1087102)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:651-1
Released: Mon Apr 16 19:25:08 2018
Summary: Initial release of python3-cssselect, -lxml, -pycparser, -simplejson and -pycurl
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 modules for the SUSE Linux Enterprise Server:
- python3-cssselect
- python3-lxml
- python3-pycparser
- python3-pycurl
- python3-simplejson
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:727-1
Released: Tue Apr 24 12:50:53 2018
Summary: Initial release of python3-pyzmq
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:
- python3-pyzmq
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:
Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)
Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:743-1
Released: Thu Apr 26 15:40:28 2018
Summary: Initial release of python3-psutil and -pycrypto
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 modules:
- python3-psutil
- python3-pycrypto
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:759-1
Released: Mon Apr 30 12:03:07 2018
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1072973,1079398,1085635
Description:
This update for salt fixes the following issues:
- Make module result usable in states module.run. (bsc#1085635)
- Fix Augeas module 'stripped quotes' issue. (bsc#1079398)
- Fix logging with FQDNs.
- Explore 'module.run' state module output in depth to catch the 'result' properly.
- Fix x509 unit test to run on 2016.11.4 version.
- Fix TypeError, thrown by M2Crypto on missing fields. (bsc#1072973)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released: Wed May 2 22:16:26 2018
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:
- Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal to or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:793-1
Released: Fri May 4 10:25:21 2018
Summary: Initial release of python3-CherryPy
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:
- python3-CherryPy
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released: Mon May 7 07:07:38 2018
Summary: Recommended update for gcc7
Type: recommended
Severity: important
References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update of gcc7 to the 7.3 release fixes the following issues:
- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550]
- Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.
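The openssl entry for CVE-2018-0739 (SUSE-SU-2018:624-1 above) describes a bug class rather than a single parser: any constructed ASN.1 type with a recursive definition, decoded by recursive descent without a nesting limit, lets an attacker turn a small input into unbounded stack use. The following is an added example written for this digest, not OpenSSL code: a minimal DER TLV parser whose only defence is a depth counter checked before recursing. The cap MAX_DEPTH, the helper names and the nest() sample input are this example's assumptions; the value OpenSSL chose is not stated on this page.

```python
"""Depth-bounded DER parser. Added example, not OpenSSL code, for the bug class
behind CVE-2018-0739 (SUSE-SU-2018:624-1): a constructed type with a recursive
definition, parsed by recursive descent without a nesting limit, lets crafted
input exhaust the stack. MAX_DEPTH is an assumed cap, not OpenSSL's value."""
MAX_DEPTH = 32


class DerError(ValueError):
    """Malformed or over-nested DER input."""


def encode_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|len followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(buf, pos):
    """Decode the length at buf[pos]; returns (length, position after it)."""
    if pos >= len(buf):
        raise DerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise DerError("unsupported or truncated long-form length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if length < 0x80 or buf[pos] == 0:
        raise DerError("non-minimal length encoding")   # DER forbids it
    return length, pos + n


def parse_der(buf, depth=0, max_depth=MAX_DEPTH):
    """Parse one TLV at the start of *buf*.

    Returns (tag, value, consumed): value is bytes for a primitive element and
    a list of (tag, value) children for a constructed one. Children are parsed
    recursively, so the nesting depth is checked before anything else.
    """
    if depth > max_depth:
        raise DerError(f"nesting deeper than {max_depth}")
    buf = memoryview(buf)                      # zero-copy slicing while recursing
    if not buf:
        raise DerError("empty element")
    tag = buf[0]
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags not supported")
    length, pos = _read_length(buf, 1)
    end = pos + length
    if end > len(buf):
        raise DerError("value runs past end of input")
    body = buf[pos:end]
    if not tag & 0x20:                         # primitive element
        return tag, bytes(body), end
    children, off = [], 0
    while off < len(body):                     # constructed: decode the children
        child_tag, child_value, used = parse_der(body[off:], depth + 1, max_depth)
        children.append((child_tag, child_value))
        off += used
    return tag, children, end


def nest(levels: int, inner: bytes = b"\x05\x00") -> bytes:
    """Constructed sample input: *levels* SEQUENCEs wrapped around a NULL."""
    buf = inner
    for _ in range(levels):
        buf = b"\x30" + encode_length(len(buf)) + buf
    return buf


def classify(buf: bytes, max_depth: int = MAX_DEPTH) -> str:
    """'ok', 'too deep' (the limit fired) or 'stack exhausted' (what the same
    input does without a limit; in Python that surfaces as RecursionError)."""
    try:
        parse_der(buf, max_depth=max_depth)
        return "ok"
    except DerError as e:
        return "too deep" if str(e).startswith("nesting") else f"malformed: {e}"
    except RecursionError:
        return "stack exhausted"


if __name__ == "__main__":
    print(classify(nest(5)), classify(nest(5000)), classify(nest(5000), max_depth=10**9))
```

The point of the last classify() call is that the input is identical in both runs: only the depth check stands between a clean rejection and a crash, and in a C decoder the crash is a real stack overflow rather than a catchable exception.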
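The %rpm_vercmp, %pkg_vcmp and %pkg_version_cmp macros in SUSE-RU-2018:779-1 above expose rpm's version ordering to spec files, and the same ordering is what a patch-compliance check performs when it asks whether an installed package is older than the one an advisory ships. The block below is an added re-implementation written for this digest from the publicly documented rpmvercmp algorithm; it is not rpm's own code. It handles the '~' pre-release separator but not the newer '^' separator, and the epoch:version-release strings it is fed are constructed samples.

```python
"""Version ordering as rpm applies it, plus a %pkg_vcmp-style check. Added
re-implementation for illustration (from the public rpmvercmp algorithm, not
rpm's code); it handles the '~' pre-release separator but not the newer '^'.
The -1/0/1 contract is the one the %rpm_vercmp macro in SUSE-RU-2018:779-1
exposes; the sample version strings used with it are constructed."""
import itertools
import operator


def rpmvercmp(a: str, b: str) -> int:
    """-1, 0 or 1 as *a* is older than, equal to or newer than *b*."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators only delimit segments; '~' is kept for the check below
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:                    # '~' sorts before everything: 1.0~rc1 < 1.0
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        sa = "".join(itertools.takewhile(same_kind, a[i:]))
        sb = "".join(itertools.takewhile(same_kind, b[j:]))
        i, j = i + len(sa), j + len(sb)
        if not sb:                      # kinds differ: a numeric segment is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # more digits means a bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1    # leftover segments win


def split_evr(evr: str):
    """'[epoch:]version[-release]' -> (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(x: str, y: str) -> int:
    """Order two EVR strings: epoch first, then version, then release; the
    release is compared only when both sides carry one."""
    xe, xv, xr = split_evr(x)
    ye, yv, yr = split_evr(y)
    r = rpmvercmp(xe, ye) or rpmvercmp(xv, yv)
    if r or not (xr and yr):
        return r
    return rpmvercmp(xr, yr)


_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
        ">=": operator.ge, ">": operator.gt, "!=": operator.ne}


def pkg_vcmp(installed: str, op: str, wanted: str) -> bool:
    """%pkg_vcmp-style test: does *installed* satisfy '<op> <wanted>'?"""
    return _OPS[op](evrcmp(installed, wanted), 0)


def needs_update(installed: str, fixed_in: str) -> bool:
    """True when the installed EVR is older than the one an advisory ships."""
    return pkg_vcmp(installed, "<", fixed_in)


if __name__ == "__main__":
    # constructed sample: an installed build versus the build an advisory lists
    print(needs_update("1.1.0i-4.20.3", "1.1.0i-4.27.1"))
```

Two details matter in practice: the epoch outranks everything (an "old" 1:1.0 is newer than 2.0), and a pre-release tilde sorts below the bare version, so "1.0~rc1" installed still needs the "1.0" update even though a naive string comparison says it is newer.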
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:801-1
Released: Mon May 7 12:59:12 2018
Summary: Initial release of python3-msgpack-python
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:
- python3-msgpack-python
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:806-1
Released: Tue May 8 12:31:07 2018
Summary: Initial release of python3-MarkupSafe
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:
- python3-MarkupSafe
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:807-1
Released: Tue May 8 12:33:03 2018
Summary: Initial release of python3-Jinja2
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:
- python3-Jinja2
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:810-1
Released: Tue May 8 17:20:51 2018
Summary: Initial release of python3-PyYAML
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:
- python3-PyYAML
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:919-1
Released: Tue May 15 16:30:21 2018
Summary: Initial release of python3-tornado
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:
- python3-tornado
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:925-1
Released: Wed May 16 10:09:28 2018
Summary: Initial release of python3-requests
Type: optional
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:
- python3-requests
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released: Thu May 17 08:41:30 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:
Security issues fixed:
- CVE-2018-1000301: Fixed an RTSP bad-headers buffer over-read that could crash the curl client (bsc#1092098)
Non security issues fixed:
- If the DEFAULT_SUSE cipher list is not available use the HIGH cipher alias before failing. (bsc#1086825)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:964-1
Released: Tue May 22 18:31:29 2018
Summary: Security update for python
Type: security
Severity: moderate
References: 1068664,1079300,CVE-2017-1000158,CVE-2018-1000030
Description:
This update for python fixes the following issues:
Security issues fixed:
- CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664).
- CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same I/O stream concurrently (bsc#1079300).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released: Wed May 23 16:46:50 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:
- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released: Wed May 23 17:14:16 2018
Summary: Security update for bash
Type: security
Severity: moderate
References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:
Security issues fixed:
- CVE-2016-7543: A code execution possibility via the SHELLOPTS+PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396)
Non-security issues fixed:
- Fix repeating self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs.
(bsc#1086247)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released: Wed May 23 17:18:39 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321
Description:
This update for zlib fixes the following issues:
- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released: Tue Jun 5 13:20:44 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1089884
Description:
This update for pam fixes the following issues:
- Fix order of accessed configuration files in man page. (bsc#1089884)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released: Wed Jun 6 11:44:25 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:
- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)
Non security bugs fixed:
- Fix crash in resolver on memory allocation failure (bsc#1086690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released: Thu Jun 7 12:58:56 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1073879,1080078,964063
Description:
This update for rpm fixes the following issues:
- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros. (bsc#1080078)
Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released: Fri Jun 15 13:41:08 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:
- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1144-1
Released: Fri Jun 15 19:19:29 2018
Summary: Recommended update for logrotate
Type: recommended
Severity: moderate
References: 1093617
Description:
This update for logrotate provides the following fix:
- Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released: Fri Jun 15 19:19:51 2018
Summary: Recommended update for openssl
Type: recommended
Severity: moderate
References: 1090765
Description:
This update for openssl provides the following fix:
- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1157-1
Released: Tue Jun 19 15:31:48 2018
Summary: Security update for salt
Type: security
Severity: moderate
References: 1059291,1061407,1062464,1064520,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1090242,1091371,1092161,1092373,1094055,1097174,1097413,CVE-2017-14695,CVE-2017-14696
Description:
This update for salt provides version 2018.3 and brings many fixes and improvements:
- Fix for sorting of multi-version packages (bsc#1097174 and bsc#1097413)
- Align SUSE salt-master.service 'LimitNOFILES' limit with upstream Salt
- Add 'other' attribute to GECOS fields to avoid inconsistencies with chfn
- Prevent zypper from parsing repo configuration from non-.repo files (bsc#1094055)
- Collect all versions of installed packages on SUSE and RHEL systems (bsc#1089526)
- No more AWS EC2 rate limitations in salt-cloud. (bsc#1088888)
- MySQL returner now also allows the use of Unix sockets. (bsc#1091371)
- Do not override jid on returners, only sending back to master. (bsc#1092373)
- Remove minion/thin/version if it exists to force thin regeneration. (bsc#1092161)
- Fix minion scheduler to return a 'retcode' attribute. (bsc#1089112)
- Fix for logging during network interface querying. (bsc#1087581)
- Fix rhel packages requiring both net-tools and iproute. (bsc#1087055)
- Fix patchinstall on yum module. Bad comparison. (bsc#1087278)
- Strip trailing commas on Linux user's GECOS fields. (bsc#1089362)
- Fallback to PyMySQL. (bsc#1087891)
- Fix for [Errno 0] Resolver Error 0 (no error). (bsc#1087581)
- Add python-2.6 support to salt-ssh.
- Make it possible to use docker login, pull and push from module.run and detect errors.
- Fix unicode decode error with salt-ssh.
- Fix cp.push empty file. (bsc#1075950)
- Fix grains containing trailing '\n'.
- Remove salt-minion python2 requirement when python3 is default. (bsc#1081592)
- Restoring installation of packages for Rhel 6 and 7.
- Prevent queryformat pattern from expanding. (bsc#1079048)
- Fix for delete_deployment in Kubernetes module. (bsc#1059291)
- Fix bsc#1062464 and CVE-2017-14696 already included in 2017.7.2.
- Fix wrong version reported by Salt. (bsc#1061407)
- Run salt-api as user salt. (bsc#1064520)
For a detailed description, please refer to the upstream changelog at https://docs.saltstack.com/en/latest/topics/releases/index.html or to the rpm changelog.
supportutils-plugin-salt:
- Collect salt-api, salt-broker and salt-ssh log files (bsc#1090242)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released: Thu Jun 28 13:44:16 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released: Thu Jul 5 08:36:17 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released: Tue Jul 17 08:07:57 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)
This non-security issue was fixed:
- Fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released: Thu Jul 19 09:43:21 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1376-1
Released: Mon Jul 23 10:54:47 2018
Summary: Security update for python
Type: security
Severity: moderate
References: 1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:
The following security vulnerability was addressed:
- Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released: Thu Jul 26 16:32:29 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:
This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a.
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1413-1
Released: Fri Jul 27 12:41:13 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released: Mon Jul 30 10:10:45 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:1515-1
Released: Tue Aug 7 20:19:04 2018
Summary: Introduce packages added to SLES 12 SP3 after release
Type: optional
Severity: low
References: 1102861
Description:
This update adds packages to the SUSE Linux Enterprise Server 12 SP3 for Teradata which were added after the release of SLES 12 SP3.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released: Mon Aug 13 13:41:22 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1610-1
Released: Thu Aug 16 14:04:25 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1612-1
Released: Thu Aug 16 14:04:38 2018
Summary: Security update for python
Type: security
Severity: moderate
References: 1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:
The following security vulnerability was addressed:
- Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released: Thu Aug 16 14:49:45 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released: Thu Aug 16 15:27:04 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:
- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096)
- compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096)
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables.
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890)
- logind: Do not use an uninitialized variable.
(bsc#1088890) - Disable user services by default. (bsc#1090785) - Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post which made the symlink not owned and more importantly it was created only if /etc/sysctl.conf is already installed which is not always the case during the installation process it seems. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead since it's a distro default behavior that might be overriden by sysadmin later. - systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule that is can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in kernel. This change prevents the udev rules for acpi container be triggered by 'udevadm trigger' from user space. - build-sys: Explicitly require python3. (bsc#1082004) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1636-1 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1689-1 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. 
(bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1691-1 Released: Mon Aug 20 09:04:17 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1695-1 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). 
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1698-1 Released: Mon Aug 20 09:19:28 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1716-1 Released: Mon Aug 20 17:03:40 2018 Summary: Recommended update for Salt Type: recommended Severity: moderate References: 1057635,1072599,1089526,1095507,1096514,1098394,1099323,1099460,1099945,1100142,1100225,1100697,1101812,1101880,1102218,1102265 Description: This update for salt fixes the following issues: - Fix file.blockreplace to avoid throwing IndexError. (bsc#1101812) - Fix pkg.upgrade reports when dealing with multiversion packages. (bsc#1102265) - Fix UnicodeDecodeError using is_binary check. (bsc#1100225) - Fix corrupt public key with m2crypto python3. (bsc#1099323) - Prevent payload crash on decoding binary data. (bsc#1100697) - Accounting for when files in an archive contain non-ascii characters. (bsc#1099460) - Handle packages with multiple version properly with zypper. (bsc#1096514) - Fix file.get_diff regression on 2018.3. (bsc#1098394) - Provide python version mismatch solutions. (bsc#1072599) - Add custom SUSE capabilities as Grains. (bsc#1089526) - Fix file.managed binary file utf8 error. (bsc#1098394) - Multiversion patch plus upstream fix and patch reordering. - Add environment variable to know if yum is invoked from Salt. 
(bsc#1057635) - Prevent deprecation warning with salt-ssh. (bsc#1095507) - Add missing dateutils import (bsc#1099945) - Check dmidecoder executable on each 'smbios' call to avoid race condition (bsc#1101880) - Fix mine.get not returning data - workaround for #48020 (bsc#1100142) - Add API log rotation on SUSE package (bsc#1102218) - Backport the new libvirt_events engine from upstream ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1753-1 Released: Fri Aug 24 14:24:17 2018 Summary: Security update for python Type: security Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1834-1 Released: Wed Sep 5 10:17:42 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1089761,1090944,1101040,1103910 Description: This update for systemd fixes the following issues: - cryptsetup: Add support for sector-size= option. (fate#325634) - resolved: Apply epoch to system time from PID 1. (bsc#1103910) - core/service: Rework the hold-off time over message. - core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. 
(bsc#1089761) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1903-1 Released: Fri Sep 14 12:46:21 2018 Summary: Security update for curl Type: security Severity: moderate References: 1089533,1106019,CVE-2018-14618 Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1969-1 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. 
- libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1985-1 Released: Mon Sep 24 11:56:08 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1994-1 Released: Mon Sep 24 12:55:57 2018 Summary: Security update for shadow Type: security Severity: moderate References: 1106914 Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2023-1 Released: Wed Sep 26 09:48:49 2018 Summary: Recommended update for patchinfo.salt, salt Type: recommended Severity: moderate References: 1095942,1102013,1103530,1104154 Description: This update for salt fixes the following issues: - Prepend current directory when path is just filename. (bsc#1095942) - Only do reverse DNS lookup on IPs for salt-ssh. (bsc#1104154) - Add support for Python 3.7 and Tornado 5.0. - Decode file contents for python2. (bsc#1102013, bsc#1103530) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2069-1 Released: Fri Sep 28 08:01:25 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737 Description: This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. 
An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2162-1 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1088921 Description: This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2181-1 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). 
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2196-1 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2217-1 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1094121,1107430 Description: This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. 
- Avoid `xtrace' attack over $PS4. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2373-1 Released: Mon Oct 22 14:43:47 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1077692,943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This non-security issue was fixed: - Use ksym-provides tool [bsc#1077692] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2379-1 Released: Tue Oct 23 10:32:56 2018 Summary: Recommended update for Salt Type: recommended Severity: moderate References: 1095651,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893 Description: This update fixes the following issues: salt: - Improved IPv6 address handling (bsc#1108557) - Better handling for zypper exiting with exit code ZYPPER_EXIT_NO_REPOS (bsc#1108834, bsc#1109893) - Fix for dependency problem with pip (bsc#1104491) - Fix loosen azure sdk dependencies in azurearm cloud driver (bsc#1107333) - Fix for Python3 issue in zypper (bsc#1108995) - Allow running salt-cloud in GCE using instance credentials (bsc#1108969) - Improved handling of Python unicode literals in YAML parsing (bsc#1095651) - Fix for Salt 'acl.present' and 'acl.absent' states to make them 
successfully work recursively when 'recurse=True'. (bsc#1106164) - Fix for Python3 byte/unicode mismatch and additional minor bugfixes to x509 module. - Integration of MSI authentication for azurearm - Compound list targeting wrongly returned with minions specified in 'not'. - Fixes the x509 module to work, when using the sign_remote_certificate functionality. - Fix for SUSE Expanded Support os grain detection (returned 'Redhat' instead of 'Centos') ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2435-1 Released: Wed Oct 24 14:42:43 2018 Summary: Recommended update for systemd Type: recommended Severity: important References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901 Description: This update for systemd fixes the following issues: - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254) - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753) - socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901) - user at .service: don't kill user manager at runlevel switch (bsc#1091677) - units: make sure user at .service runs with dbus still up - fix race between daemon-reload and other commands (bsc#1105031) - nspawn: always use mode 555 for /sys (bsc#1107640) - cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990) - Enable or disable machines.target according to the presets (bsc#1107941) ----------------------------------------------------------------- 
Advisory ID: SUSE-RU-2018:2475-1
Released: Thu Oct 25 16:56:24 2018
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:

- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released: Fri Oct 26 12:39:59 2018
Summary: Recommended update for cpio
Type: recommended
Severity: low
References: 1076810,889138
Description:
This update for cpio provides the following fix:

- Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Type: recommended
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:

- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942)

Changes in kbd:

- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non x86 platforms
  * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
  * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock (bsc#1056449).
  * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that need this to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce the correct unicode character for the Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2520-1
Released: Mon Oct 29 17:28:57 2018
Summary: Security update for python, python-base
Type: security
Severity: moderate
References: 1086001,1088004,1088009,1109663,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Description:
This update for python, python-base fixes the following issues:

Security issues fixed:

- CVE-2018-1000802: Prevent command injection in shutil module (make_archive function) via passage of unfiltered user input (bsc#1109663).
- CVE-2018-1061: Fixed DoS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (bsc#1088004).
- CVE-2018-1060: Fixed DoS via regular expression catastrophic backtracking in apop() method in pop3lib (bsc#1088009).

Bug fixes:

- bsc#1086001: python tarfile uses random order.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released: Tue Oct 30 09:22:45 2018
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1113117
Description:
This update for bash fixes the following issues:

- A recently released update introduced a change of behavior which broke customer scripts. (bsc#1113117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released: Fri Nov 2 17:09:49 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:

- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released: Fri Nov 2 18:59:06 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:

- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released: Wed Nov 7 11:04:00 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1095148,1113100
Description:
This update for rpm fixes the following issues:

- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released: Wed Nov 14 14:14:41 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non-security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package
  This script was part of the systemd-sysvinit sub-package, but that was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2745-1
Released: Thu Nov 22 16:13:42 2018
Summary: Security update for salt
Type: security
Severity: important
References: 1110938,1113698,1113699,1113784,1114197,CVE-2018-15750,CVE-2018-15751
Description:
This update for salt fixes the following issues:

Security issues fixed:

- CVE-2018-15750: Fixed directory traversal vulnerability in salt-api (bsc#1113698).
- CVE-2018-15751: Fixed remote authentication bypass in salt-api (netapi) that allowed execution of arbitrary commands (bsc#1113699).

Non-security issues fixed:

- Improved handling of LDAP group id. gid is no longer treated as a string, which could have led to faulty group creations (bsc#1113784).
- Fix async call to process manager (bsc#1110938).
- Fixed OS arch detection when RPM is not installed (bsc#1114197).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released: Thu Nov 22 16:25:38 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:

- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released: Fri Nov 23 17:07:27 2018
Summary: Security update for rpm
Type: security
Severity: important
References: 943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457).

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released: Fri Nov 23 17:08:32 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order.
  (bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released: Tue Nov 27 13:39:49 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released: Mon Dec 3 15:34:09 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:

- CVE-2018-19211: Fixed a denial of service issue that was triggered by a NULL pointer dereference in the function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released: Wed Dec 5 09:29:31 2018
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:

- Systemd-aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released: Wed Dec 5 09:57:54 2018
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:

- Allow setuid root for start-suid tool of singularity (group only) (bsc#1028304)
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247 bsc#1097665)
- Make btmp root:utmp (bsc#1050467)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released: Wed Dec 5 09:59:45 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:

- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2880-1
Released: Fri Dec 7 14:50:23 2018
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1112874,1114824
Description:
This update fixes the following issues:

salt:

- Crontab module fix: file attributes option missing (bsc#1114824)
- Fix git_pillar merging across multiple __env__ repositories (bsc#1112874)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released: Tue Dec 11 21:48:05 2018
Summary: Recommended update for blog
Type: recommended
Severity: moderate
References: 1071568
Description:
This update for blog fixes the following issues:

- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in the same manner as used by the release notes

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released: Mon Dec 17 08:51:28 2018
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation (bsc#1073313).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2975-1
Released: Tue Dec 18 13:45:02 2018
Summary: Recommended update for python-psutil
Type: recommended
Severity: moderate
References: 1111800
Description:
python-psutil was updated to version 5.2.2 to fulfill requirements of other packages. (FATE#326775, bsc#1111800)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:

- Fail selftests when the checksum file is missing, in FIPS mode only.
  (bsc#1117355)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released: Tue Jan 8 13:07:17 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:

- quote: Escape literal backslashes (bsc#953659).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Type: security
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:

- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released: Mon Jan 21 13:53:58 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails.
  (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add.
  In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state, and that failure code prevented the hot-added memory block from being set online. (bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Type: recommended
Severity: important
References: 1121450
Description:
This update for ncurses fixes the following issues:

- ncurses applications freezing (bsc#1121450)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:342-1
Released: Wed Feb 13 11:04:32 2019
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1099887,1114029,1114474,1116837,1117995,1121091,1123044,1123512
Description:
This update fixes the following issues:

salt:

- Remove patch that made it impossible to install salt minions on SLE 15 (bsc#1123512)
- Fix integration tests in state compiler (U#2068)
- Fix 'pkg.list_pkgs' output when using 'attr' to take the arch into account (bsc#1114029)
- Fix powerpc null server_id_arch (bsc#1117995)
- Fix module 'azure.storage' has no attribute '__version__' (bsc#1121091)
- Add supportconfig module and states for minions and SaltSSH
- Fix FIPS enabled RES clients (bsc#1099887)
- Add hold/unhold functions. Fix Debian repo 'signed-by'.
- Strip architecture from debian package names
- Fix latin1 encoding problems on file module (bsc#1116837)
- Don't error on retcode 0 in libcrypto.OPENSSL_init_crypto
- Handle anycast IPv6 addresses on network.routes (bsc#1114474)
- Debian info_installed compatibility (U#50453)
- Add compatibility with other package modules for 'list_repos' function
- Remove MSI Azure cloud module authentication patch (bsc#1123044)
- Don't encode response string from role API

From sle-updates at lists.suse.com Thu Jan 16 09:56:23 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:56:23 +0100 (CET)
Subject: SUSE-CU-2019:705-1: Recommended update of caasp/v4/default-http-backend
Message-ID: <20200116165623.60ABAF796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/default-http-backend
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:705-1
Container Tags : caasp/v4/default-http-backend:0.15.0 , caasp/v4/default-http-backend:0.15.0-rev1 , caasp/v4/default-http-backend:0.15.0-rev1-build2.1 , caasp/v4/default-http-backend:beta1
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v4/default-http-backend was updated.
The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 10:01:37 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:01:37 +0100 (CET)
Subject: SUSE-CU-2019:734-1: Recommended update of caasp/v4/salt-minion
Message-ID: <20200116170137.5EF15F798@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/salt-minion
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:734-1
Container Tags : caasp/v4/salt-minion:2018.3.0 , caasp/v4/salt-minion:2018.3.0-rev1 , caasp/v4/salt-minion:2018.3.0-rev1-build2.1 , caasp/v4/salt-minion:beta1
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v4/salt-minion was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 09:56:40 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:56:40 +0100 (CET)
Subject: SUSE-CU-2019:707-1: Recommended update of caasp/v4/dnsmasq-nanny
Message-ID: <20200116165640.32296F796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/dnsmasq-nanny
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:707-1
Container Tags : caasp/v4/dnsmasq-nanny:2.78 , caasp/v4/dnsmasq-nanny:2.78-rev1 , caasp/v4/dnsmasq-nanny:2.78-rev1-build2.1 , caasp/v4/dnsmasq-nanny:beta1
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v4/dnsmasq-nanny was updated.
The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 09:57:21 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:57:21 +0100 (CET)
Subject: SUSE-CU-2019:711-1: Recommended update of caasp/v4/haproxy
Message-ID: <20200116165721.B9861F796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/haproxy
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:711-1
Container Tags : caasp/v4/haproxy:1.6.11 , caasp/v4/haproxy:1.6.11-rev1 , caasp/v4/haproxy:1.6.11-rev1-build2.1 , caasp/v4/haproxy:beta1
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v4/haproxy was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Thu Jan 16 10:01:00 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 18:01:00 +0100 (CET)
Subject: SUSE-CU-2019:731-1: Security update of caasp/v4/salt-master
Message-ID: <20200116170100.735FCF798@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/salt-master
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:731-1
Container Tags : caasp/v4/salt-master:2018.3.0 , caasp/v4/salt-master:2018.3.0-rev1 , caasp/v4/salt-master:2018.3.0-rev1-build1.2
Severity : important
Type : security
References :
-----------------------------------------------------------------

The container caasp/v4/salt-master was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Type: recommended
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Type: recommended
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Type: security
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:

- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issue was fixed:

- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released:    Tue Dec 2 18:17:57 2014
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:4-1
Released:    Wed Dec 3 15:57:25 2014
Summary:     Security update for libyaml
Type:        security
Severity:    moderate
References:  907809,CVE-2014-9130
Description:
This libyaml update fixes the following security issue:
- bnc#907809: assert failure when processing wrapped strings (CVE-2014-9130)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released:    Thu Dec 11 09:25:27 2014
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released:    Fri Dec 19 20:16:00 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released:    Mon Jan 12 11:37:43 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:
- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released:    Thu Jan 15 18:35:11 2015
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with space.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released:    Thu Jan 15 23:21:45 2015
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released:    Fri Jan 30 15:01:03 2015
Summary:     Security update for elfutils
Type:        security
Severity:    moderate
References:  911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released:    Tue Feb 3 14:51:17 2015
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  913209
Description:
curl was updated to fix problems when operating in FIPS mode.

This patch re-enables the following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released:    Tue Feb 3 16:30:16 2015
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  912922
Description:
This update for pam fixes updating of NIS passwords.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released:    Tue Mar 10 09:01:41 2015
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer overread and to a crash of the application using libssh2_org.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:208-1
Released:    Thu Mar 12 10:43:10 2015
Summary:     Security update for python-PyYAML
Type:        security
Severity:    moderate
References:  921588,CVE-2014-9130
Description:
python-PyYAML was updated to fix one security issue which could have allowed an attacker to cause a denial of service by supplying specially crafted strings.

The following issue was fixed:
- #921588: python-PyYAML: assert failure when processing wrapped strings (equivalent to CVE-2014-9130 in LibYAML)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released:    Wed Mar 18 18:21:44 2015
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:143-1
Released:    Mon Mar 23 21:46:58 2015
Summary:     Initial release of SUSE Enterprise Storage client
Type:        optional
Severity:    low
References:  913799,914521,917309
Description:
This update provides the functionality required for SUSE Linux Enterprise Server 12 to act as a client for SUSE Enterprise Storage.

qemu can now use storage provided by the SUSE Enterprise Storage Ceph cluster via the RADOS Block Device (rbd) backend.

Applications can now be enhanced to directly incorporate object or block storage backed by the SUSE Enterprise Storage cluster, by linking with the librados and librbd client libraries.

Also included is the rbd tool to manage RADOS block devices mapped via the rbd kernel module, for use as a standard generic block device.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released:    Wed Apr 29 19:05:01 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.
The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM-authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of bounds
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released:    Thu Jun 11 15:46:59 2015
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released:    Mon Jun 29 10:13:43 2015
Summary:     Security update for e2fsprogs
Type:        security
Severity:    low
References:  915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:

Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released:    Wed Jul 15 08:26:27 2015
Summary:     Recommended update for gcc48, libffi48, libgcj48
Type:        recommended
Severity:    moderate
References:  889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released:    Tue Jul 28 06:25:51 2015
Summary:     The Toolchain module containing GCC 5.2
Type:        optional
Severity:    low
References:  926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.

Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes.

The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).

The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. Also, IBM zSeries z13 hardware support has been added to gdb. (fate#318039)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:556-1
Released:    Tue Aug 4 14:52:55 2015
Summary:     Recommended update for python-requests
Type:        recommended
Severity:    moderate
References:  935252
Description:
python-requests was updated to use the system CA certificate store.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released:    Mon Aug 17 11:36:33 2015
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:

Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)

Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released:    Wed Aug 26 03:07:07 2015
Summary:     Recommended update for sed
Type:        recommended
Severity:    low
References:  933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin).

The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:499-1
Released:    Mon Aug 31 11:55:14 2015
Summary:     Security update for zeromq
Type:        security
Severity:    moderate
References:  912460,931978,CVE-2014-9721
Description:
zeromq was updated to fix one security issue and one non-security bug.
The following vulnerability was fixed:
* CVE-2014-9721: zeromq protocol downgrade attack on sockets using the ZMTP v3 protocol (boo#931978)

The following bug was fixed:
* boo#912460: prevent the curve test from hanging on the ppc, ppc64 and ppc64le architectures
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released:    Wed Sep 16 13:30:12 2015
Summary:     Recommended update for grep
Type:        recommended
Severity:    low
References:  920386
Description:
This update for grep fixes undefined behaviour with -P and non-utf-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:727-1
Released:    Wed Oct 7 09:26:23 2015
Summary:     Recommended update for cloud-init
Type:        recommended
Severity:    low
References:  948930,948995,948996
Description:
cloud-init uses the Jinja2 Python module to generate configuration files from templates, but this dependency was not defined in the package's spec file. This update adds the missing requirement to cloud-init.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:776-1
Released:    Fri Oct 30 08:06:58 2015
Summary:     Recommended update for libyaml
Type:        recommended
Severity:    low
References:  952625
Description:
This update adjusts libyaml's packaging to require pkg-config at build time.
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:817-1
Released:    Fri Nov 6 23:42:46 2015
Summary:     Initial release of python-azurectl
Type:        optional
Severity:    low
References:  946907
Description:
This update provides a set of command line tools to interact with the Microsoft Azure public cloud framework.

Refer to the azurectl(1) man page, included in python-azurectl, for comprehensive documentation and usage instructions.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:834-1
Released:    Thu Nov 12 13:52:22 2015
Summary:     Recommended update for python-Twisted
Type:        recommended
Severity:    moderate
References:  940813
Description:
python-Twisted has been updated to version 15.2.1, which brings several fixes and enhancements such as:
- twisted.positioning, a new API for positioning systems such as GPS, has been added. It comes with an implementation of NMEA, the most common wire protocol for GPS devices. It will supersede twisted.protocols.gps.
- IReactorUDP.listenUDP, IUDPTransport.write and IUDPTransport.connect now accept ipv6 address literals.
- A new API, twisted.internet.ssl.optionsForClientTLS, allows clients to specify and verify the identity of the peer they're communicating with. When used with the service_identity library from PyPI, this provides support for service identity verification from RFC 6125, as well as server name indication from RFC 6066.
- Twisted's TLS support now provides a way to ask for user-configured trust roots rather than having to manually configure such certificate authority certificates.
- twisted.internet.ssl.CertificateOptions now supports ECDHE for servers by default on pyOpenSSL 0.14 and later, if the underlying versions of cryptography.io and OpenSSL support it.
- twisted.internet.ssl.CertificateOptions now allows the user to set acceptable ciphers and uses secure ones by default.
- The new package twisted.logger provides a new, fully tested, and feature-rich logging framework. The old module twisted.python.log is now implemented using the new framework.
- twisted.conch.ssh.forwarding now supports local->remote forwarding of IPv6.
- twisted.mail.smtp.sendmail now uses ESMTP. It will opportunistically enable encryption and allow the use of authentication.
- twisted.internet.ssl.CertificateOptions now enables TLSv1.1 and TLSv1.2 by default (in addition to TLSv1.0) if the underlying version of OpenSSL supports these protocol versions.
- twisted.internet.ssl.CertificateOptions now supports Diffie-Hellman key exchange.
- twisted.internet.ssl.CertificateOptions now disables TLS compression to avoid CRIME attacks and, for servers, uses server preference to choose the cipher.
- MSN protocol support has been marked as deprecated.
- Removed deprecated UDPClient.
- Better support and integration with Python 3.

For a comprehensive list of changes, please refer to the file NEWS shipped within the package.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released:    Tue Dec 22 08:44:25 2015
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released:    Wed Dec 23 10:01:16 2015
Summary:     Recommended update for libksba
Type:        security
Severity:    moderate
References:  926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out-of-bounds read and a stack overflow issue (bsc#926826).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released:    Wed Dec 23 17:40:51 2015
Summary:     Recommended update for acl
Type:        recommended
Severity:    moderate
References:  945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released:    Fri Jan 8 12:37:34 2016
Summary:     Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type:        recommended
Severity:    moderate
References:  932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.

The various GNOME libraries and tools have been changed to use the default libgcrypt allocators. GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:80-1
Released:    Wed Jan 13 21:05:28 2016
Summary:     Security update for python-requests
Type:        security
Severity:    moderate
References:  922448,929736,961596,CVE-2015-2296
Description:
The python-requests module has been updated to version 2.8.1, which brings several fixes and enhancements:
- Fix handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL, exposing requests users to session fixation attacks and potentially cookie stealing. (bsc#922448, CVE-2015-2296)
- Add support for per-host proxies. This allows the proxies dictionary to have entries of the form {'://': ''}. Host-specific proxies will be used in preference to the previously-supported scheme-specific ones, but the previous syntax will continue to work.
- Update certificate bundle to match 'certifi' 2015.9.6.2's weak certificate bundle.
- Response.raise_for_status now prints the URL that failed as part of the exception message.
- requests.utils.get_netrc_auth now takes a raise_errors kwarg, defaulting to False. When True, errors parsing .netrc files cause exceptions to be thrown.
- Change to bundled projects import logic to make it easier to unbundle requests downstream.
- Change the default User-Agent string to avoid leaking data on Linux: now contains only the requests version.
- The json parameter to post() and friends will now only be used if neither data nor files are present, consistent with the documentation.
- Empty fields in the NO_PROXY environment variable are now ignored.
- Fix problem where httplib.BadStatusLine would get raised if combining stream=True with contextlib.closing.
- Prevent bugs where we would attempt to return the same connection back to the connection pool twice when sending a Chunked body.
- Digest Auth support is now thread safe.
- Resolved several bugs involving chunked transfer encoding and response framing.
- Copy a PreparedRequest's CookieJar more reliably.
- Support bytearrays when passed as parameters in the 'files' argument.
- Avoid data duplication when creating a request with 'str', 'bytes', or 'bytearray' input to the 'files' argument.
- 'Connection: keep-alive' header is now sent automatically.
- Support for connect timeouts. Timeout now accepts a tuple (connect, read) which is used to set individual connect and read timeouts.
For a comprehensive list of changes please refer to the package's change log or the Release Notes at http://docs.python-requests.org/en/latest/community/updates/#id3
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:183-1
Released:    Mon Feb 1 11:32:26 2016
Summary:     Security update for mariadb
Type:        security
Severity:    moderate
References:  937787,957174,958789,CVE-2015-4792,CVE-2015-4802,CVE-2015-4807,CVE-2015-4815,CVE-2015-4826,CVE-2015-4830,CVE-2015-4836,CVE-2015-4858,CVE-2015-4861,CVE-2015-4870,CVE-2015-4913,CVE-2015-5969
Description:
MariaDB has been updated to version 10.0.22, which brings fixes for many security issues and other improvements.

The following CVEs have been fixed:
- 10.0.22: CVE-2015-4802, CVE-2015-4807, CVE-2015-4815, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4870, CVE-2015-4913, CVE-2015-4792
- Fix information leak via mysql-systemd-helper script. (CVE-2015-5969, bsc#957174)

For a comprehensive list of changes refer to the upstream Release Notes and Change Log documents:
- https://kb.askmonty.org/en/mariadb-10022-release-notes/
- https://kb.askmonty.org/en/mariadb-10022-changelog/
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released:    Thu Feb 4 15:51:22 2016
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released:    Thu Mar 3 15:58:18 2016
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  960820
Description:
This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released:    Fri Mar 11 10:17:57 2016
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:

Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in diffie-hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.

A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released:    Wed Mar 16 18:17:59 2016
Summary:     Recommended update for libcap
Type:        recommended
Severity:    low
References:  967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released:    Fri Apr 1 18:44:16 2016
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released:    Wed Apr 6 16:26:42 2016
Summary:     Security update for gcc5
Type:        security
Severity:    moderate
References:  939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.

The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released:    Mon Apr 18 09:18:19 2016
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released:    Tue Apr 19 09:23:39 2016
Summary:     Recommended update for bzip2
Type:        recommended
Severity:    low
References:  970260
Description:
This update for bzip2 fixes the following issues:
- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:652-1
Released:    Wed Apr 20 10:34:05 2016
Summary:     Recommended update for SUSE Manager Client Tools
Type:        recommended
Severity:    moderate
References:  956981,970550,970989,974864,975093
Description:
This update for SUSE Manager Client Tools provides the following new features:
- Integrate SaltStack for configuration management. (fate#312447)
- Replace upstream subscription counting with new subscription matching. (fate#311619)

This update fixes the following issues:

osad:
- Fix file permissions. (bsc#970550)
- Add possibility for OSAD to work in failover mode.

rhn-custom-info:
- Version update.

rhn-virtualization:
- Version update.

rhncfg:
- Fix file permissions. (bsc#970550)
- Fix removal of temporary files during transaction rollback for rhncfg-manager.
- Fix removal of directories which rhncfg-manager didn't create.
- Remove temporary files when exception occurs.
- Make rhncfg support sha256 and use it by default.
- Fix assigning to the running process all groups the user belongs to.
- Show server modified time with rhncfg-client diff.

rhnlib:
- Use TLSv1_METHOD in SSL Context. (bsc#970989)

rhnpush:
- Don't count on having newest rhn-client-tools.
- Allow to use existing rpcServer when creating RhnServer.
- Wire in timeout for rhnpush.

spacecmd:
- Text description missing for remote command by Spacecmd.
- Added functions to add/edit SSL certificates for repositories.
- Mimetype detection to set the binary flag requires 'file' tool.
- Always base64 encode to avoid trim() bugs in the XML-RPC library.
- Replace upstream subscription counting with new subscription matching. (fate#311619)

spacewalk-backend:
- Version update.

spacewalk-client-tools:
- Convert dbus.Int32 to int to fix a TypeError during registration. (bsc#974864)
- Fix client registration for network interfaces with labels. (bsc#956981)
- Show a descriptive message on reboot.
- Replace upstream subscription counting with new subscription matching. (fate#311619)

spacewalk-koan:
- Fix file permissions. (bsc#970550)
- Switch to KVM if possible.

spacewalk-oscap:
- Still require openscap-utils on RHEL5.

spacewalk-remote-utils:
- Add RHEL 7.2 channel definitions.
- Update RHEL 6.7 and 7.1 channel definitions.
- Use hostname instead of localhost for https connections.
- Spacewalk-create-channel added -o option to clone channel to current state.

spacewalksd:
- Delete file with input files after template is created.

suseRegisterInfo:
- Fix file permissions. (bsc#970550)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released:    Thu Apr 28 16:03:24 2016
Summary:     Recommended update for libssh2_org
Type:        recommended
Severity:    important
References:  974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:589-1
Released:    Mon May 2 15:01:37 2016
Summary:     Security update for python-tornado
Type:        security
Severity:    moderate
References:  930361,930362,974657,CVE-2014-9720
Description:
The python-tornado module was updated to version 4.2.1, which brings several fixes, enhancements and new features.
The following security issues have been fixed:
- A path traversal vulnerability in StaticFileHandler, in which files whose names started with the static_path directory but were not actually in that directory could be accessed.
- The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720)
- The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be more secure. (bsc#930361)

The following enhancements have been implemented:
- SSLIOStream.connect and IOStream.start_tls now validate certificates by default.
- Certificate validation will now use the system CA root certificates.
- The default SSL configuration has become stricter, using ssl.create_default_context where available on the client side.
- The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and FriendFeedMixin have been removed.
- New modules have been added: tornado.locks and tornado.queues.
- The tornado.websocket module now supports compression via the 'permessage-deflate' extension.
- Tornado now depends on the backports.ssl_match_hostname when running on Python 2.
For a comprehensive list of changes, please refer to the release notes: - http://www.tornadoweb.org/en/stable/releases/v4.2.0.html - http://www.tornadoweb.org/en/stable/releases/v4.1.0.html - http://www.tornadoweb.org/en/stable/releases/v4.0.0.html - http://www.tornadoweb.org/en/stable/releases/v3.2.0.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:797-1 Released: Thu May 19 13:26:11 2016 Summary: Recommended update for python-futures Type: recommended Severity: low References: 974993 Description: This update for python-futures provides version 3.0.2 required from python-s3transfer (fate#320748) and fixes the following issues: - Made multiprocessing optional again on implementations other than just Jython - Made Executor.map() non-greedy - Dropped Python 2.5 and 3.1 support - Removed the deprecated 'futures' top level package - Remove CFLAGS: this is a python only module - Remove futures from package files: not provided anymore - Added the set_exception_info() and exception_info() methods to Future to enable extraction of tracebacks on Python 2.x - Added support for Future.set_exception_info() to ThreadPoolExecutor ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:801-1 Released: Thu May 19 22:38:01 2016 Summary: Recommended update for curl Type: recommended Severity: moderate References: 915846 Description: This update for curl fixes the following issue: - Fix 'Network is unreachable' error when ipv6 is not available but ipv4. This fixes the same error in applications using libcurl4 (like zypper). 
(bsc#915846) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:835-1 Released: Wed May 25 18:27:30 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 979629 Description: This update for libgcrypt fixes the following issue: - Fix failing reboot after installing fips pattern (bsc#979629) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:898-1 Released: Tue Jun 7 09:48:12 2016 Summary: Security update for expat Type: security Severity: important References: 979441,980391,CVE-2015-1283,CVE-2016-0718 Description: This update for expat fixes the following issues: Security issue fixed: - CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441) - CVE-2015-1283: Fix multiple integer overflows. (bnc#980391) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:900-1 Released: Tue Jun 7 10:58:37 2016 Summary: Security update for libksba Type: security Severity: moderate References: 979261,979906,CVE-2016-4574,CVE-2016-4579 Description: This update for libksba fixes the following issues: - CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl() - CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261) Also adding reliability fixes from v1.3.4. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:963-1
Released: Fri Jun 17 16:56:18 2016
Summary: Security update for mariadb
Type: security
Severity: important
References: 961935,963806,963810,970287,970295,980904,CVE-2016-0505,CVE-2016-0546,CVE-2016-0596,CVE-2016-0597,CVE-2016-0598,CVE-2016-0600,CVE-2016-0606,CVE-2016-0608,CVE-2016-0609,CVE-2016-0616,CVE-2016-0640,CVE-2016-0641,CVE-2016-0642,CVE-2016-0643,CVE-2016-0644,CVE-2016-0646,CVE-2016-0647,CVE-2016-0648,CVE-2016-0649,CVE-2016-0650,CVE-2016-0651,CVE-2016-0655,CVE-2016-0666,CVE-2016-0668,CVE-2016-2047

Description:
mariadb was updated to version 10.0.25 to fix 25 security issues.

These security issues were fixed:
- CVE-2016-0505: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Options (bsc#980904).
- CVE-2016-0546: Unspecified vulnerability allowed local users to affect confidentiality, integrity, and availability via unknown vectors related to Client (bsc#980904).
- CVE-2016-0596: Unspecified vulnerability allowed remote authenticated users to affect availability via vectors related to DML (bsc#980904).
- CVE-2016-0597: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Optimizer (bsc#980904).
- CVE-2016-0598: Unspecified vulnerability allowed remote authenticated users to affect availability via vectors related to DML (bsc#980904).
- CVE-2016-0600: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to InnoDB (bsc#980904).
- CVE-2016-0606: Unspecified vulnerability allowed remote authenticated users to affect integrity via unknown vectors related to encryption (bsc#980904).
- CVE-2016-0608: Unspecified vulnerability allowed remote authenticated users to affect availability via vectors related to UDF (bsc#980904).
- CVE-2016-0609: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to privileges (bsc#980904).
- CVE-2016-0616: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Optimizer (bsc#980904).
- CVE-2016-0640: Unspecified vulnerability allowed local users to affect integrity and availability via vectors related to DML (bsc#980904).
- CVE-2016-0641: Unspecified vulnerability allowed local users to affect confidentiality and availability via vectors related to MyISAM (bsc#980904).
- CVE-2016-0642: Unspecified vulnerability allowed local users to affect integrity and availability via vectors related to Federated (bsc#980904).
- CVE-2016-0643: Unspecified vulnerability allowed local users to affect confidentiality via vectors related to DML (bsc#980904).
- CVE-2016-0644: Unspecified vulnerability allowed local users to affect availability via vectors related to DDL (bsc#980904).
- CVE-2016-0646: Unspecified vulnerability allowed local users to affect availability via vectors related to DML (bsc#980904).
- CVE-2016-0647: Unspecified vulnerability allowed local users to affect availability via vectors related to FTS (bsc#980904).
- CVE-2016-0648: Unspecified vulnerability allowed local users to affect availability via vectors related to PS (bsc#980904).
- CVE-2016-0649: Unspecified vulnerability allowed local users to affect availability via vectors related to PS (bsc#980904).
- CVE-2016-0650: Unspecified vulnerability allowed local users to affect availability via vectors related to Replication (bsc#980904).
- CVE-2016-0651: Unspecified vulnerability allowed local users to affect availability via vectors related to Optimizer (bsc#980904).
- CVE-2016-0655: Unspecified vulnerability allowed local users to affect availability via vectors related to InnoDB (bsc#980904).
- CVE-2016-0666: Unspecified vulnerability allowed local users to affect availability via vectors related to Security: Privileges (bsc#980904).
- CVE-2016-0668: Unspecified vulnerability allowed local users to affect availability via vectors related to InnoDB (bsc#980904).
- CVE-2016-2047: The ssl_verify_server_cert function in sql-common/client.c did not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allowed man-in-the-middle attackers to spoof SSL servers via a '/CN=' string in a field in a certificate, as demonstrated by '/OU=/CN=bar.com/CN=foo.com' (bsc#963806).

These non-security issues were fixed:
- bsc#961935: Remove the leftovers of the 'openSUSE' string in the '-DWITH_COMMENT' and 'DCOMPILATION_COMMENT' options
- bsc#970287: Remove the ha_tokudb.so plugin and the tokuft_logprint and tokuftdump binaries, as the TokuDB storage engine requires the jemalloc library, which isn't present in SLE-12-SP1
- bsc#970295: Fix the leftovers of the 'logrotate.d/mysql' string in the logrotate error message. Occurrences of this string were changed to 'logrotate.d/mariadb'
- bsc#963810: Add the 'log-error' and 'secure-file-priv' configuration options
  * Add '/etc/my.cnf.d/error_log.conf', which specifies 'log-error = /var/log/mysql/mysqld.log'. If no path is set, the error log is written to '/var/lib/mysql/$HOSTNAME.err', which is not picked up by logrotate.
  * Add '/etc/my.cnf.d/secure_file_priv.conf', which specifies that 'LOAD DATA', 'SELECT ... INTO' and 'LOAD FILE()' will only work with files in the directory specified by the 'secure-file-priv' option (='/var/lib/mysql-files').
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:984-1
Released: Wed Jun 22 11:11:35 2016
Summary: Recommended update for SUSE Manager Server, Proxy and Client Tools
Type: recommended
Severity: moderate
References: 964932,969320,971372,973418,975303,975306,975733,975757,976148,976826,977264,978833,979313,979676,980313

Description:
This update fixes the following issues for the SUSE Manager Server 3.0 and Client Tools:

zypp-plugin-spacewalk:
- Fix failover for multiple URLs per repo. (bsc#964932)

The following issues for SUSE Manager Proxy 3.0 and Client Tools have been fixed:

cobbler:
- Remove grubby-compat because perl-Bootloader gets dropped.
- Disabling 'get-loaders' command and 'check' fixed. (bsc#973418)
- Add logrotate file for cobbler. (bsc#976826)

Additionally, the following issues for the SUSE Linux Enterprise 12 Client Tools have been fixed:

salt:
- Remove option -f from startproc. (bsc#975733)
- Changed Zypper's plugin. Added unit test and related data. (bsc#980313)
- Zypper plugin: alter the generated event name on package set change.
- Fix file ownership on master keys and cache directories during upgrade. (Handles upgrading from salt 2014, where the daemon ran as root, to 2015, where it runs as the salt user; bsc#979676)
- Salt-proxy .service file created. (bsc#975306)
- Prevent salt-proxy test.ping crash. (bsc#975303)
- Fix shared directories ownership issues.
- Add Zypper plugin to generate an event once Zypper is used outside the Salt infrastructure demand. (bsc#971372)
- Restore boolean values from the repo configuration
- Fix priority attribute (bsc#978833)
- Unblock-Zypper. (bsc#976148)
- Modify-environment. (bsc#971372)
- Prevent crash if the pygit2 package is requesting re-compilation.
- Align OS grains from older SLES with the current one. (bsc#975757)
- Bugfix: salt-key crashes if it tries to generate keys in a directory without write access. (bsc#969320)

spacecmd:
- Make spacecmd createRepo compatible with the SUSE Manager 2.1 API. (bsc#977264)

spacewalk-backend:
- Better error message for a system that is already registered as a minion.
- Fix GPG bad signature detection and improve error messages. (bsc#979313)
- Send and save machine_id on traditional registration.
- Add machine info capability

spacewalk-client-tools:
- Send and save machine_id on traditional registration.
- Send machine info only if the server has the machine info capability.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 981616

Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released: Thu Jul 7 11:50:47 2016
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 986935

Description:
This update for findutils fixes the following issues:
- 'find -exec ... +' would not pass all arguments for certain specific filename lengths (bsc#986935)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 983754,989788

Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1141-1
Released: Wed Aug 3 15:24:30 2016
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 987394,CVE-2016-6153

Description:
This update for sqlite3 fixes the following issues:

The following security issue was fixed:
- CVE-2016-6153: Fixed a tempdir selection vulnerability (bsc#987394)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 829717,894610,940315,953532,965322,967728

Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1216-1
Released: Fri Aug 12 18:19:22 2016
Summary: Recommended update for SUSE Manager 3.0 and Client Tools
Type: recommended
Severity: moderate
References: 970669,972311,978150,979448,983017,983512,984622,984998,985661,988506,989193

Description:
This consolidated update includes multiple patchinfos for SUSE Manager Server, Proxy and SUSE Enterprise Storage 3.

This patchinfo is used for the codestream release only.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Type: security
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263

Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8 (bsc#990191)
- CVE-2015-2059: Out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1245-1
Released: Fri Aug 19 10:31:11 2016
Summary: Security update for python
Type: security
Severity: moderate
References: 984751,985177,985348,989523,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699

Description:
This update for python fixes the following issues:
- CVE-2016-0772: smtplib vulnerability opens a STARTTLS stripping attack (bsc#984751)
- CVE-2016-5636: Heap overflow when importing malformed zip files (bsc#985177)
- CVE-2016-5699: Incorrect validation of HTTP headers allows header injection (bsc#985348)
- CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Type: security
Severity: moderate
References: 992966,CVE-2016-6318

Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in the GECOS parser (bsc#992966, CVE-2016-6318)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1308-1
Released: Fri Sep 2 11:52:13 2016
Summary: Security update for mariadb
Type: security
Severity: moderate
References: 984858,985217,986251,991616,CVE-2016-3477,CVE-2016-3521,CVE-2016-3615,CVE-2016-5440

Description:
This update for mariadb fixes the following issues:
- CVE-2016-3477: Unspecified vulnerability in subcomponent parser [bsc#991616]
- CVE-2016-3521: Unspecified vulnerability in subcomponent types [bsc#991616]
- CVE-2016-3615: Unspecified vulnerability in subcomponent dml [bsc#991616]
- CVE-2016-5440: Unspecified vulnerability in subcomponent rbr [bsc#991616]
- mariadb failing test main.bootstrap [bsc#984858]
- Left-over 'openSUSE' comments in MariaDB on SLE12 GM and SP1 [bsc#985217]
- Remove unnecessary conditionals from the specfile
- Add the '--ignore-db-dir=lost+found' option to rc.mysql-multi in order not to misinterpret the lost+found directory as a database [bsc#986251]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Type: security
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185

Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching the current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad UTF-8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Type: optional
Severity: low
References: 983206

Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.

This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.

Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.

Generic optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit, which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.

C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.

C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.

C++ improvements:
- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.

libstdc++ improvements:
- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro has less run-time overhead than the full _GLIBCXX_DEBUG checks and doesn't affect the library ABI, so it can be enabled per translation unit.

Fortran improvements:
- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.

Architecture improvements:
- AArch64 received a lot of improvements.

IA-32/x86-64 improvements:
- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.

PowerPC / PowerPC64 / RS6000 improvements:
- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
  - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
  - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
  - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
  - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
  - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
  - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
  - -mpower9-minmax: Reserved for future development.
  - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.

S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141

Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: Use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)

Also the following bug was fixed:
- Fixed a performance issue (bsc#991746)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 994157,CVE-2016-6313

Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1397-1
Released: Tue Sep 27 17:49:10 2016
Summary: Security update for mariadb
Type: security
Severity: important
References: 949520,998309,CVE-2016-6662

Description:
This update for mariadb to 1.0.0.27 fixes the following issues:

Security issue fixed:
* CVE-2016-6662: A malicious user with SQL and filesystem access could create a my.cnf in the datadir and, under certain circumstances, execute arbitrary code as the mysql (or even root) user. (bsc#998309)
* Release notes: https://kb.askmonty.org/en/mariadb-10027-release-notes
* Changelog: https://kb.askmonty.org/en/mariadb-10027-changelog

Bugs fixed:
- Make ORDER BY optimization functions take into account multiple equalities. (bsc#949520)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1533-1
Released: Mon Oct 24 14:12:29 2016
Summary: Recommended update for SUSE Manager Client Tools
Type: recommended
Severity: moderate
References: 1002529,986447,986978,990029,990439,990440,990738,991048,993039,993549,994619,996455,998185

Description:
This update fixes the following issues:

cobbler:
- Enabling PXE grub2 support for PowerPC (bsc#986978)

rhnlib:
- Add function aliases for backward compatibility (bsc#998185)

salt:
- Setting up OS grains for SLES-ES (SLES Expanded Support platform)
- Move salt home directory to /var/lib/salt (bsc#1002529)
- Generate Salt Thin with configured extra modules (bsc#990439)
- Prevent pkg.install failure for expired keys (bsc#996455)
- Require D-Bus and generate the machine ID
- Fix python-jinja2 requirements in RHEL
- Fix pkg.installed refresh repository failure (bsc#993549)
- Fix salt.states.pkgrepo.management no-change failure (bsc#990440)
- Prevent snapper module crash on load if no DBus is available in the system (bsc#993039)
- Prevent continuous restart if a dependency wasn't installed (bsc#991048)
- Fix beacon list to include all beacons being processed
- Run salt-api as user salt, like the master (bsc#990029)

spacewalk-backend:
- Fix for non-integer IDs for bugzilla bug
- Silently ignore non-existing errata severity label on errata import, remove unused exception (bsc#986447)
- Make suseLib usable on a proxy

spacewalk-client-tools:
- Logging message in case of malformed XML file
- Prevent crashes if machine-id is None (bsc#994619)
- Print invalid package name and replace the invalid character
- Ignore packages with non-UTF-8 characters in name, version and release (bsc#990738)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released: Wed Nov 2 12:07:51 2016
Summary: Security update for curl
Type: security
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624

Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: Invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: Glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: Double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: Double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: Case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: Cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: Escape and unescape integer overflows (bsc#998760)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released: Mon Nov 7 20:01:31 2016
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1002975

Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in the %files section. (bsc#1002975)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1006469,958369,979436

Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels.
(bsc#979436) - In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. (bsc#958369) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1716-1 Released: Mon Nov 28 14:52:36 2016 Summary: Recommended update for SUSE Manager Client Tools Type: recommended Severity: moderate References: 1003449,1004047,1004260,1004723,986019,999852 Description: This update includes the following new features: - Support Service Pack migration for Salt minions. (fate#320559) This update fixes the following issues: salt: - Fix exit codes of sysv init script. (bsc#999852) - Include resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade. - Fix Salt API crash via salt-ssh on empty roster. (bsc#1004723) - Add 'dist-upgrade' support to zypper module. (fate#320559) - Fix position of -X option to setfacl. (bsc#1004260) - Fix generated shebang in scripts on SLES-ES 7. (bsc#1004047) spacecmd: - Make exception class more generic and code fixes. (bsc#1003449) - Handle exceptions raised by listChannels. (bsc#1003449) - Alert if a non-unique package ID is detected. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1717-1
Released:    Mon Nov 28 16:24:41 2016
Summary:     Recommended update for mariadb
Type:        security
Severity:    important
References:  1001367,1003800,1004477,1005555,1005558,1005562,1005564,1005566,1005569,1005581,1005582,1006539,1008318,990890,CVE-2016-3492,CVE-2016-5584,CVE-2016-5616,CVE-2016-5624,CVE-2016-5626,CVE-2016-5629,CVE-2016-6663,CVE-2016-7440,CVE-2016-8283
Description:
This mariadb update to version 10.0.28 fixes the following issues (bsc#1008318):

Security fixes:
- CVE-2016-8283: Unspecified vulnerability in subcomponent Types (bsc#1005582)
- CVE-2016-7440: Unspecified vulnerability in subcomponent Encryption (bsc#1005581)
- CVE-2016-5629: Unspecified vulnerability in subcomponent Federated (bsc#1005569)
- CVE-2016-5626: Unspecified vulnerability in subcomponent GIS (bsc#1005566)
- CVE-2016-5624: Unspecified vulnerability in subcomponent DML (bsc#1005564)
- CVE-2016-5616: Unspecified vulnerability in subcomponent MyISAM (bsc#1005562)
- CVE-2016-5584: Unspecified vulnerability in subcomponent Encryption (bsc#1005558)
- CVE-2016-3492: Unspecified vulnerability in subcomponent Optimizer (bsc#1005555)
- CVE-2016-6663: Privilege Escalation / Race Condition (bsc#1001367)

Bugfixes:
- mysql_install_db can't find data files (bsc#1006539)
- mariadb failing test sys_vars.optimizer_switch_basic (bsc#1003800)
- Remove useless mysql at default.service (bsc#1004477)
- Replace all occurrences of the string '@sysconfdir@' with '/etc' as it wasn't expanded properly (bsc#990890)
- Notable changes:
  * XtraDB updated to 5.6.33-79.0
  * TokuDB updated to 5.6.33-79.0
  * Innodb updated to 5.6.33
  * Performance Schema updated to 5.6.33
- Release notes and upstream changelog:
  * https://kb.askmonty.org/en/mariadb-10028-release-notes
  * https://kb.askmonty.org/en/mariadb-10028-changelog
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1744-1
Released:    Fri Dec 2 11:42:41 2016
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively, please be aware that this is an update to a new version. Please make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.

These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1782-1
Released:    Fri Dec 9 13:35:02 2016
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1001790,1004289,1005404,1006372,1006690,989831,991443
Description:
This update for systemd provides the following fixes:
- Allow redirecting confirmation messages to a different console. (bsc#1006690)
- Do not bind a mount unit to a device if it was from mountinfo. (bsc#989831)
- Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289)
- Don't emit space usage message right after opening the persistent journal. (bsc#991443)
- Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. (bsc#1006372)
- Document that *KeyIgnoreInhibited only apply to a subset of locks.
- Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404)
- Revert 'kbd-model-map: add more mappings offered by Yast'.
- Don't busy loop when we get a notification message we can't process.
- Rename kbd-model-map-extra into kbd-model-map.legacy.
- Add kbd-model-map-extra file which contains the additional maps needed by YaST.
- Drop localfs.service: unused and not needed anymore.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1827-1
Released:    Thu Dec 15 12:41:10 2016
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively, please be aware that this is an update to a new version. Please make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.

These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1863-1
Released:    Wed Dec 21 10:41:35 2016
Summary:     Recommended update for pth
Type:        recommended
Severity:    low
References:  1013286
Description:
This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1901-1
Released:    Thu Dec 22 17:33:41 2016
Summary:     Optional update for SLE 12 Modules for ARM64
Type:        optional
Severity:    low
References:  1002576
Description:
This update introduces many packages that were missing in the ARM64 version of the Web and Scripting, Manager Tools and Public Cloud Modules for SUSE Linux Enterprise Server 12 SP2.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released:    Mon Jan 2 08:35:08 2017
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580)
- CVE-2016-9840, CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
- Incompatible declarations for external linkage function deflate (bsc#1003577)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:6-1
Released:    Tue Jan 3 15:01:58 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538
Description:
This update for systemd fixes the following issues:
- core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
- fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Ship kbd-model-map with the correct contents. (bsc#1015515)
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
- tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
- nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
- systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:32-1
Released:    Mon Jan 9 11:50:42 2017
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    low
References:  994794
Description:
This update for dirmngr enables support for daemon mode.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:47-1
Released:    Wed Jan 11 11:42:43 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1018214,1018399
Description:
This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:77-1
Released:    Tue Jan 17 10:06:02 2017
Summary:     Recommended update for salt
Type:        recommended
Severity:    moderate
References:  1003449,1004047,1004260,1004723,1008933,1012398,986019,999852,CVE-2016-9639
Description:
This update for Salt fixes one security issue and several non-security issues.

The following security issue has been fixed:
- Fix possible information leak due to revoked keys still being used. (bsc#1012398, CVE-2016-9639)

The following non-security issues have been fixed:
- Update to 2015.8.12
- Add pre-require to salt for minions.
- Do not restart salt-minion in salt package.
- Add try-restart to sys-v init scripts.
- Add 'Restart=on-failure' for salt-minion systemd service.
- Re-introduce 'KillMode=process' for salt-minion systemd service.
- Successfully exit salt-api child processes when SIGTERM is received.
- Fix exit codes of sysv init script. (bsc#999852)
- Include resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade.
- Fix Salt API crash via salt-ssh on empty roster. (bsc#1004723)
- Add 'dist-upgrade' support to zypper module. (fate#320559)
- Fix position of -X option to setfacl. (bsc#1004260)
- Fix generated shebang in scripts on SLES-ES 7. (bsc#1004047)
- Fix changing default-timezone. (bsc#1008933)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:98-1
Released:    Thu Jan 19 10:17:55 2017
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  998906
Description:
This update for kmod fixes a rare race condition while loading modules.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:149-1
Released:    Wed Jan 25 09:17:08 2017
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:
This update for systemd fixes the following issues:

This security issue was fixed:
- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).

These non-security issues were fixed:
- Fix permissions set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries shown by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2017:170-1
Released:    Mon Jan 30 19:13:36 2017
Summary:     Initial release of Salt
Type:        optional
Severity:    low
References:  989693
Description:
This update adds Salt to the Advanced Systems Management 12 Module.

Salt is a distributed remote execution system used to execute commands and query data. It was developed in order to bring the best solutions found in the world of remote execution together and make them better, faster and more malleable. Salt accomplishes this via its ability to handle larger loads of information, and not just dozens, but hundreds or even thousands of individual servers, handle them quickly and through a simple and manageable interface.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released:    Thu Feb 2 18:22:37 2017
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.

This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

This non-security issue was fixed:
- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:192-1
Released:    Fri Feb 3 18:46:05 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:207-1 Released: Tue Feb 7 13:33:08 2017 Summary: Security update for mariadb Type: security Severity: important References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428,CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318 Description: This mariadb version update to 10.0.29 fixes the following issues: - CVE-2017-3318: unspecified vulnerability affecting Error Handling (bsc#1020896) - CVE-2017-3317: unspecified vulnerability affecting Logging (bsc#1020894) - CVE-2017-3312: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 (bsc#1020873) - CVE-2017-3291: unrestricted mysqld_safe's ledir (bsc#1020884) - CVE-2017-3265: unsafe chmod/chown use in init script (bsc#1020885) - CVE-2017-3258: unspecified vulnerability in the DDL component (bsc#1020875) - CVE-2017-3257: unspecified vulnerability affecting InnoDB (bsc#1020878) - CVE-2017-3244: unspecified vulnerability affecing the DML component (bsc#1020877) - CVE-2017-3243: unspecified vulnerability affecting the Charsets component (bsc#1020891) - CVE-2017-3238: unspecified vulnerability affecting the Optimizer component (bsc#1020882) - CVE-2016-6664: Root Privilege Escalation (bsc#1008253) - Applications using the client library for MySQL (libmysqlclient.so) had a use-after-free issue that could cause the applications to crash (bsc#1022428) - notable changes: * XtraDB updated to 5.6.34-79.1 * TokuDB updated to 5.6.34-79.1 * Innodb updated to 5.6.35 * Performance Schema updated to 5.6.35 Release notes and changelog: * https://kb.askmonty.org/en/mariadb-10029-release-notes * https://kb.askmonty.org/en/mariadb-10029-changelog ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:209-1 Released: Tue Feb 7 17:00:47 2017 
Summary: Recommended update for libseccomp Type: recommended Severity: low References: 1019900 Description: This update provides libseccomp version 2.3.1 which fixes the following issues: - Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900) - Fixed problems with ipc syscalls on 32-bit x86 - Fixed problems with socket and ipc syscalls on s390 and s390x ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:212-1 Released: Wed Feb 8 13:07:24 2017 Summary: Security update for expat Type: security Severity: moderate References: 983215,983216,CVE-2012-6702,CVE-2016-5300 Description: This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. 
(bsc#983216) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:228-1 Released: Fri Feb 10 15:39:32 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732 Description: This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641) Security issues fixed: - CVE-2016-7055: The x86_64 optimized montgomery multiplication may produce incorrect results (bsc#1009528) - CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085) - CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086) - Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912) Non-security issues fixed: - fix crash in openssl speed (bsc#1000677) - fix X509_CERT_FILE path (bsc#1022271) - AES XTS key parts must not be identical in FIPS mode (bsc#1019637) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:261-1 Released: Mon Feb 20 11:00:28 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1019276 Description: This update for dirmngr fixes the following issues: - Properly initialize the dirmngr tmpfilesd files right away and not just during reboot - Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276) - Proprely require logrotate as we need it for the dirmngr configs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:347-1 Released: Wed Mar 8 12:23:47 2017 Summary: Recommended update for Salt Type: recommended Severity: moderate References: 1011304,1017078 Description: This update for salt fixes the following issues: - Fix invalid chars allowed for data IDs. (bsc#1011304) - Fix timezone: Should be always in UTC. (bsc#1017078) - Fixes wrong 'enabled' opts for yumnotify plugin. 
- SSH-option parameter for salt-ssh command. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:365-1 Released: Fri Mar 10 15:16:59 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1006175 Description: This update for sg3_utils fixes the following issue: - Add udev rules to handle legacy CCISS devices (bsc#1006175) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:389-1 Released: Thu Mar 16 14:16:43 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004094,1006687,1019470,1022014,1022047,1025598,995936 Description: This update for systemd provides the following fixes: - core: Fix memory leak in transient units. (bsc#1025598) - core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687) - sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014) - journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094) - core: Downgrade warning about duplicate device names. (bsc#1022047) - units: Remove no longer needed ldconfig service. (bsc#1019470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:439-1 Released: Tue Mar 21 10:48:47 2017 Summary: Recommended update for netcfg Type: recommended Severity: low References: 1028305,959693 Description: This update for netcfg provides the following fixes: - Update script to generate services to use UTF8 by default. (bsc#1028305) - Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. 
(bsc#959693)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:448-1
Released: Wed Mar 22 13:31:03 2017
Summary: Recommended update for python
Type: recommended
Severity: moderate
References: 1027282,964182
Description:
This update provides Python 2.7.13, which brings several bug fixes.
- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1.
- Update cipher lists for OpenSSL wrapper and support OpenSSL 1.1.0 and newer.
- Incorporate more integer overflow checks from upstream. (bsc#964182)
- Provide python2-* symbols to support new packages built as python2-.
For a comprehensive list of changes, please refer to the upstream Release Notes available at https://hg.python.org/cpython/raw-file/v2.7.13/Misc/NEWS
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released: Fri Mar 24 21:58:07 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package. (bsc#1015943)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:464-1
Released: Mon Mar 27 15:50:51 2017
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1007851,1029725,1029900
Description:
This update for glibc fixes a potential segmentation fault in libpthread:
- Fork in libpthread cannot use IFUNC resolver.
(bsc#1007851, bsc#1029725, bsc#1029900)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:580-1
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Type: recommended
Severity: important
References: 1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types [bsc#1028410]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:609-1
Released: Tue Apr 18 11:28:14 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:656-1
Released: Fri Apr 28 16:12:30 2017
Summary: Recommended update for sqlite3
Type: recommended
Severity: low
References: 1019518,1025034
Description:
This update for sqlite3 provides the following fixes:
- Avoid calling sqlite3OsFetch() on a file-handle for which the xFetch method is NULL. This prevents a potential segmentation fault. (bsc#1025034)
- Fix defect in the in-memory journal logic that could leave the read cursor for the in-memory journal in an inconsistent state and result in a segmentation fault.
(bsc#1019518)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:732-1
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1030621
Description:
This update for procps fixes the following issues:
- Command w(1) with option -n doesn't work. (bsc#1030621)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:735-1
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:751-1
Released: Thu May 11 17:14:30 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:
This update for systemd provides the following fixes:
- logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as 'unchanged'. (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed.
(bsc#1025398)
- core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:794-1
Released: Tue May 16 15:41:09 2017
Summary: Security update for bash
Type: security
Severity: moderate
References: 1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.
Additionally, the popd builtin now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:795-1
Released: Tue May 16 15:41:28 2017
Summary: Security update for mariadb
Type: security
Severity: important
References: 1020868,1020890,1020976,1022428,1034911,996821,CVE-2017-3302,CVE-2017-3313
Description:
This update for mariadb fixes the following issues:
- update to MariaDB 10.0.30 GA
  * notable changes:
    * XtraDB updated to 5.6.35-80.0
    * TokuDB updated to 5.6.35-80.0
    * PCRE updated to 8.40
    * MDEV-11027: better InnoDB crash recovery progress reporting
    * MDEV-11520: improvements to how InnoDB data files are extended
    * Improvements to InnoDB startup/shutdown to make it more robust
    * MDEV-11233: fix for FULLTEXT index crash
    * MDEV-6143: MariaDB Linux binary tarballs will now always untar to directories that match their filename
  * release notes and changelog:
    * https://kb.askmonty.org/en/mariadb-10030-release-notes
    * https://kb.askmonty.org/en/mariadb-10030-changelog
  * fixes the following CVEs:
    CVE-2017-3313: unspecified vulnerability affecting the MyISAM component [bsc#1020890]
    CVE-2017-3302: Use after free in libmysqlclient.so [bsc#1022428]
- set the default umask to 077 in mysql-systemd-helper [bsc#1020976]
- [bsc#1034911] - tracker bug
  * fixes also [bsc#1020868]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:799-1
Released: Wed May 17 00:21:13 2017
Summary: Recommended update for glibc
Type: recommended
Severity: low
References: 1026224,1035445
Description:
This update for glibc introduces basic support for IBM POWER9 systems.
Additionally, an improper assert in dlclose() has been removed.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:821-1
Released: Fri May 19 00:17:44 2017
Summary: Recommended update for Salt
Type: recommended
Severity: moderate
References: 1019386,1022841,1023535,1027044,1027240,1027722,1030009,1032213,1032452
Description:
This update for salt fixes the following issues:
- Refactoring on Zypper and Yum execution and state modules to allow installation of patches/errata.
- Fix log rotation permission issue (bsc#1030009)
- Use pkg/suse/salt-api.service by this package
- Set SHELL environment variable for the salt-api.service.
- Fix 'timeout' and 'gather_job_timeout' kwargs parameters for 'local_batch' client.
- Add missing bootstrap script for Salt Cloud. (bsc#1032452)
- Add missing /var/cache/salt/cloud directory. (bsc#1032213)
- Add test case for race conditions on cache directory creation.
- Add 'pkg.install downloadonly=True' support to yum/dnf execution module.
- Makes sure 'gather_job_timeout' is an Integer.
- Add 'pkg.downloaded' state and support for installing patches/erratas.
- Merge master_tops output.
- Fix race condition on cache directory creation.
- Cleanup salt user environment preparation. (bsc#1027722)
- Don't send passwords after shim delimiter is found. (bsc#1019386)
- Allow to set 'timeout' and 'gather_job_timeout' via kwargs.
- Allow to set custom timeouts for 'manage.up' and 'manage.status'.
- Define with system for fedora and RHEL 7.
(bsc#1027240)
- Fix service state returning stacktrace. (bsc#1027044)
- Add OpenSCAP Module.
- Prevents 'OSError' exception in case certain job cache path doesn't exist. (bsc#1023535)
- Fix issue with cp.push.
- Fix salt-minion update on RHEL. (bsc#1022841)
- Adding new functions to Snapper execution module.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:857-1
Released: Wed May 24 15:42:31 2017
Summary: Recommended update for mariadb
Type: recommended
Severity: important
References: 1020976,1038740
Description:
This update for mariadb fixes permissions for /var/run/mysql in mysql-systemd-helper that were incorrectly set to 700 instead of 755 due to umask. This prevented non-root users from connecting to the database.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:865-1
Released: Wed May 24 16:23:20 2017
Summary: Security update for pam
Type: security
Severity: moderate
References: 1015565,1037824,934920,CVE-2015-3238
Description:
This update for pam fixes the following issues:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- If /etc/nologin is present but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:873-1
Released: Fri May 26 16:19:47 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1009532,960273
Description:
This update for e2fsprogs provides the following fixes:
- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled.
(bsc#960273)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:877-1
Released: Mon May 29 15:11:48 2017
Summary: Recommended update for cryptsetup
Type: recommended
Severity: low
References: 1031998
Description:
This update for cryptsetup provides the following fix:
- Don't use a zero-filled empty key, because in FIPS mode the XTS key parts mustn't be equivalent (bsc#1031998)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:891-1
Released: Tue May 30 22:28:21 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:907-1
Released: Thu Jun 1 14:23:36 2017
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1003978,1031643
Description:
This update for shadow fixes the following issues:
- Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643)
- useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID range was iterated to find an available UID/GID. This could take a long time over a network device. Instead, find an available UID/GID locally, and then check only those values over the network.
(bsc#1003978)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:918-1
Released: Tue Jun 6 12:35:44 2017
Summary: Recommended update for libsemanage, selinux-policy
Type: recommended
Severity: moderate
References: 1020143,1032445,1035818,1038189
Description:
This update for libsemanage, selinux-policy fixes the following issues:
- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:939-1
Released: Mon Jun 12 10:56:22 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:
* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:959-1
Released: Wed Jun 14 14:38:11 2017
Summary: Recommended update for gcc5
Type: recommended
Severity: low
References: 1043580
Description:
This update for gcc5 fixes the version of libffi in its pkg-config configuration file.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:962-1
Released: Wed Jun 14 16:33:07 2017
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)

Non-security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:974-1
Released: Fri Jun 16 13:49:05 2017
Summary: Security update for Salt
Type: security
Severity: moderate
References: 1011800,1012999,1017078,1020831,1022562,1025896,1027240,1027722,1030009,1030073,1032931,1035912,1035914,1036125,1038855,1039370,1040584,1040886,1043111,CVE-2017-5200,CVE-2017-8109
Description:
This update for salt provides version 2016.11.4 and brings various fixes and improvements:
- Adding a salt-minion watchdog for RHEL6 and SLES11 systems (sysV) to restart salt-minion in case of crashes during upgrade.
- Fix format error. (bsc#1043111)
- Fix ownership for whole master cache directory. (bsc#1035914)
- Disable 3rd party runtime packages to be explicitly recommended. (bsc#1040886)
- Fix insecure permissions in salt-ssh temporary files. (bsc#1035912, CVE-2017-8109)
- Disable custom rosters for Salt SSH via Salt API. (bsc#1011800, CVE-2017-5200)
- Orchestrate and batches don't return false failed information anymore.
- Speed-up cherrypy by removing sleep call.
- Fix os_family grains on SUSE. (bsc#1038855)
- Fix setting the language on SUSE systems.
(bsc#1038855)
- Use SUSE specific salt-api.service. (bsc#1039370)
- Fix using hostname for minion ID as '127'.
- Fix core grains constants for timezone. (bsc#1032931)
- Minor fixes on new pkg.list_downloaded.
- Listing all type of advisory patches for Yum module.
- Prevents zero length error on Python 2.6.
- Fixes zypper test error after backporting.
- Raet protocol is no longer supported. (bsc#1020831)
- Fix moving SSH data to the new home. (bsc#1027722)
- Fix logrotating /var/log/salt/minion. (bsc#1030009)
- Fix result of master_tops extension is mutually overwritten. (bsc#1030073)
- Allows to set 'timeout' and 'gather_job_timeout' via kwargs.
- Allows to set custom timeouts for 'manage.up' and 'manage.status'.
- Use salt's ordereddict for comparison.
- Fix scripts for salt-proxy.
- Add openscap module.
- File.get_managed regression fix.
- Fix translate variable arguments if they contain hidden keywords. (bsc#1025896)
- Added unit test for dockerng.sls_build dryrun.
- Added dryrun to dockerng.sls_build.
- Update dockerng minimal version requirements.
- Fix format error in error parsing.
- Keep fix for migrating salt home directory. (bsc#1022562)
- Fix salt pkg.latest raises exception if package is not available. (bsc#1012999)
- Timezone should always be in UTC. (bsc#1017078)
- Fix timezone handling for rpm installtime. (bsc#1017078)
- Increasing timeouts for running integrations tests.
- Add buildargs option to dockerng.build module.
- Fix error when missing ssh-option parameter.
- Re-add yum notify plugin.
- All kwargs to dockerng.create to provide all features to sls_build as well.
- Datetime should be returned always in UTC.
- Fix possible crash while deserialising data on infinite recursion in scheduled state.
(bsc#1036125)
- Documentation refresh to 2016.11.4
- For a detailed description, please refer to:
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.4.html
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.3.html
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.2.html
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.1.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released: Mon Jun 19 14:57:41 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released: Mon Jun 19 17:19:44 2017
Summary: Security update for glibc
Type: security
Severity: important
References: 1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:
- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357]
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released: Fri Jun 23 16:38:55 2017
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1038194
Description:
This update for e2fsprogs provides the following fixes:
- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs.
(bsc#1038194)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released: Mon Jun 26 08:12:24 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released: Mon Jun 26 13:22:26 2017
Summary: Recommended update for libsemanage, policycoreutils
Type: recommended
Severity: low
References: 1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:
- Show version numbers of modules where they are available (bsc#1043237)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1075-1
Released: Thu Jun 29 18:18:50 2017
Summary: Recommended update for python-PyYAML
Type: recommended
Severity: low
References: 1002895
Description:
This update for python-PyYAML fixes the following issues:
- Adding an implicit resolver to a derived loader should not affect the base loader.
- Uniform representation for OrderedDict across different versions of Python.
- Fixed comparison to None warning.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released: Fri Jun 30 10:54:06 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1045943
Description:
This update for dirmngr provides the following fix:
- Change logrotate from Requires to Recommends (bsc#1045943)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released: Fri Jun 30 15:36:17 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released: Tue Jul 4 16:13:55 2017
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:

Security issue fixed:
- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)

The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released: Thu Jul 6 11:37:18 2017
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released: Fri Jul 7 11:23:20 2017
Summary: Recommended update for ncurses
Type: security
Severity: important
References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)

Bugfixes:
- Drop patch ncurses-5.9-environment.dif, as the YaST2 ncurses GUI does not need it anymore and it causes bug bsc#1000662
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1126-1
Released: Fri Jul 7 21:23:02 2017
Summary: Recommended update for python-requests
Type: recommended
Severity: low
References: 967128
Description:
This update provides python-requests 2.11.1, which brings many fixes and enhancements:
- Strip Content-Type and Transfer-Encoding headers from the header block when following a redirect that transforms the verb from POST/PUT to GET.
- Added support for the ALL_PROXY environment variable.
- Reject header values that contain leading whitespace or newline characters to reduce risk of header smuggling.
- Fixed occasional TypeError when attempting to decode a JSON response that occurred in an error case. Now correctly returns a ValueError.
- Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY environment variables: Requests now treats it as a specific IP.
- Fixed a bug when sending JSON data that could cause us to encounter obscure OpenSSL errors in certain network conditions.
- Added type checks to ensure that iter_content only accepts integers and None for chunk sizes.
- Fixed issue where responses whose body had not been fully consumed would have the underlying connection closed but not returned to the connection pool, which could cause Requests to hang in situations where the HTTPAdapter had been configured to use a blocking connection pool.
- Change built-in CaseInsensitiveDict to use OrderedDict as its underlying datastore.
- Don't use redirect_cache if allow_redirects=False.
- When passed objects that throw exceptions from tell(), send them via chunked transfer encoding instead of failing.
- Raise a ProxyError for proxy related connection issues.
- The verify keyword argument now supports being passed a path to a directory of CA certificates, not just a single-file bundle.
- Warnings are now emitted when sending files opened in text mode.
- Added the 511 Network Authentication Required status code to the status code registry.
- For file-like objects that are not seeked to the very beginning, we now send the content length for the number of bytes we will actually read, rather than the total size of the file, allowing partial file uploads.
- When uploading file-like objects, if they are empty or have no obvious content length we set Transfer-Encoding: chunked rather than Content-Length: 0.
- We correctly receive the response in buffered mode when uploading chunked bodies.
- We now handle being passed a query string as a bytestring on Python 3, by decoding it as UTF-8.
- Sessions are now closed in all cases (exceptional and not) when using the functional API rather than leaking and waiting for the garbage collector to clean them up.
- Correctly handle digest auth headers with a malformed qop directive that contains no token, by treating it the same as if no qop directive was provided at all.
- Minor performance improvements when removing specific cookies by name.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released: Fri Jul 14 17:20:26 2017
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connection (bsc#1031702)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released: Wed Jul 19 11:12:51 2017
Summary: Security update for systemd, dracut
Type: security
Severity: important
References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:

Security issues fixed:
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

Non-security issues fixed in systemd:
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

Non-security issues fixed in dracut:
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft).
(bsc#1037120)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1198-1
Released: Fri Jul 21 14:04:23 2017
Summary: Recommended update for python-boto, python-simplejson
Type: recommended
Severity: low
References: 1002895
Description:
This update provides python-boto 2.42.0 and python-simplejson 3.8.2, which bring many fixes and enhancements.

python-boto:
- Respect is_secure parameter in generate_url_sigv4
- Update MTurk API
- Update endpoints.json
- Allow s3 bucket lifecycle policies with multiple transitions
- Fixes upload parts for glacier
- Autodetect sigv4 for ap-northeast-2
- Added support for ap-northeast-2
- Remove VeriSign Class 3 CA from trusted certs
- Add note about boto3 on all pages of boto docs
- Fix for listing EMR steps based on cluster_states filter
- Fixed param name in set_contents_from_string docstring
- Spelling and documentation fixes
- Add deprecation notice to emr methods
- Add some GovCloud endpoints.

python-simplejson:
- Fix issue with iterable_as_array and indent option
- New iterable_as_array encoder option to perform lazy serialization of any iterable objects, without having to convert to tuple or list
- Do not cache Decimal class in encoder, only reference the decimal module
- No longer trust custom str/repr methods for int, long, float subclasses: these instances are now formatted as if they were exact instances of those types
- Fix reference leak when an error occurs during dict encoding
- Fix dump when only sort_keys is set
- Automatically strip any UTF-8 BOM from input to more closely follow the latest specs
- Fix lower bound checking in scan_once / raw_decode API
- Consistently reject int_as_string_bitcount settings that are not positive integers
- Add int_as_string_bitcount encoder option
- Fix potential crash when encoder created with incorrect options
- Documentation updates.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1222-1 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1034563,1039941 Description: This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1245-1 Released: Thu Aug 3 10:43:15 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445 Description: This update for systemd provides several fixes and enhancements. Security issues fixed: - CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614) - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. 
(bsc#1045290) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. 
- Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1247-1 Released: Thu Aug 3 10:44:44 2017 Summary: Security update for mariadb Type: security Severity: important References: 1048715,963041,CVE-2017-3308,CVE-2017-3309,CVE-2017-3453,CVE-2017-3456,CVE-2017-3464 Description: This MariaDB update to version 10.0.31 GA fixes the following issues: Security issues fixed: - CVE-2017-3308: Subcomponent: Server: DML: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3309: Subcomponent: Server: Optimizer: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3453: Subcomponent: Server: Optimizer: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3456: Subcomponent: Server: DML: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) - CVE-2017-3464: Subcomponent: Server: DDL: Easily 'exploitable' vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS). (bsc#1048715) Bug fixes: - switch from 'Restart=on-failure' to 'Restart=on-abort' in mysql.service in order to follow the upstream. It also fixes hanging mysql-systemd-helper when mariadb fails (e.g. because of the misconfiguration) (bsc#963041) - XtraDB updated to 5.6.36-82.0 - TokuDB updated to 5.6.36-82.0 - Innodb updated to 5.6.36 - Performance Schema updated to 5.6.36 Release notes and changelog: - https://kb.askmonty.org/en/mariadb-10031-release-notes - https://kb.askmonty.org/en/mariadb-10031-changelog ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1268-1 Released: Mon Aug 7 10:09:19 2017 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364 Description: This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation: - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908) - Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175) - Fix x86 extended feature detection (bsc#1029523) - Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environmental variable (bsc#1028723) - s_client sent empty client certificate (bsc#1028281) Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. 
- Fix a bug in XTS key handling (bsc#1019637) - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1279-1 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Type: security Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1316-1 Released: Thu Aug 10 13:54:27 2017 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1014471,1026825,1044840,938657 Description: This update for cyrus-sasl provides the following fixes: - Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence 'GSSAPI client step 1' debug log message (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1326-1 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Type: security Severity: low References: 1038444,CVE-2017-8872 Description: This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. 
(bsc#1038444) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1330-1 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Type: recommended Severity: low References: 954661 Description: This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 Description: This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1334-1 Released: Tue Aug 15 20:09:03 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1048679,874665 Description: This update for systemd fixes the following issues: - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1335-1 Released: Wed Aug 16 11:24:21 2017 Summary: Security update for curl Type: security Severity: moderate References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101 Description: This update for curl fixes the following issues: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1344-1 Released: Thu Aug 17 12:20:25 2017 Summary: Recommended update for python-simplejson Type: recommended Severity: low References: 1002895 Description: This update provides python-simplejson 3.8.2, which brings many fixes and enhancements: - Fix issue with iterable_as_array and indent option - New iterable_as_array encoder option to perform lazy serialization of any iterable objects, without having to convert to tuple or list - Do not cache Decimal class in encoder, only reference the decimal module - No longer trust custom str/repr methods for int, long, float subclasses: these instances are now formatted as if they were exact instances of those types - Fix reference leak when an error occurs during dict encoding - Fix dump when only sort_keys is set - Automatically strip any UTF-8 BOM from input to more closely follow the latest specs - Fix lower bound checking in scan_once / raw_decode API - Consistently reject int_as_string_bitcount settings that are not positive integers - Add int_as_string_bitcount encoder option - Fix potential crash when encoder created with incorrect options - Documentation updates. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 Description: This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1349-1 Released: Fri Aug 18 12:31:07 2017 Summary: Recommended update for lua51 Type: recommended Severity: low References: 1051626 Description: This update for lua51 provides the following fixes: - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1384-1 Released: Fri Aug 25 13:39:19 2017 Summary: Recommended update for Salt Type: recommended Severity: moderate References: 1036125 Description: This update for salt fixes the following issues: - Added bugfix when jobs scheduled to run at a future time stay pending for Salt minions. (bsc#1036125) - Adding procps as dependency. This provides 'ps' and 'pgrep' utils which are called from different Salt modules and also from new salt-minion watchdog. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1390-1 Released: Fri Aug 25 15:14:27 2017 Summary: Security update for libzypp Type: security Severity: important References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984) - Fix gpg-pubkey release (creation time) computation. (bsc#1036659) - Update lsof blacklist. 
(bsc#1046417) - Re-probe on refresh if the repository type changes. (bsc#1048315) - Propagate proper error code to DownloadProgressReport. (bsc#1047785) - Allow to trigger an appdata refresh unconditionally. (bsc#1009745) - Support custom repo variables defined in /etc/zypp/vars.d. yast2-pkg-bindings: - Do not crash when the repository URL is not defined. (bsc#1043218) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1412-1 Released: Tue Aug 29 18:29:00 2017 Summary: Recommended update for python-requests Type: recommended Severity: low References: 967128 Description: This update provides python-requests 2.11.1, which brings many fixes and enhancements: - Strip Content-Type and Transfer-Encoding headers from the header block when following a redirect that transforms the verb from POST/PUT to GET. - Added support for the ALL_PROXY environment variable. - Reject header values that contain leading whitespace or newline characters to reduce risk of header smuggling. - Fixed occasional TypeError when attempting to decode a JSON response that occurred in an error case. Now correctly returns a ValueError. - Requests would incorrectly ignore a non-CIDR IP address in the NO_PROXY environment variables: Requests now treats it as a specific IP. - Fixed a bug when sending JSON data that could cause us to encounter obscure OpenSSL errors in certain network conditions. - Added type checks to ensure that iter_content only accepts integers and None for chunk sizes. - Fixed issue where responses whose body had not been fully consumed would have the underlying connection closed but not returned to the connection pool, which could cause Requests to hang in situations where the HTTPAdapter had been configured to use a blocking connection pool. - Change built-in CaseInsensitiveDict to use OrderedDict as its underlying datastore. - Don't use redirect_cache if allow_redirects=False. 
- When passed objects that throw exceptions from tell(), send them via chunked transfer encoding instead of failing. - Raise a ProxyError for proxy related connection issues. - The verify keyword argument now supports being passed a path to a directory of CA certificates, not just a single-file bundle. - Warnings are now emitted when sending files opened in text mode. - Added the 511 Network Authentication Required status code to the status code registry. - For file-like objects that are not seeked to the very beginning, we now send the content length for the number of bytes we will actually read, rather than the total size of the file, allowing partial file uploads. - When uploading file-like objects, if they are empty or have no obvious content length we set Transfer-Encoding: chunked rather than Content-Length: 0. - We correctly receive the response in buffered mode when uploading chunked bodies. - We now handle being passed a query string as a bytestring on Python 3, by decoding it as UTF-8. - Sessions are now closed in all cases (exceptional and not) when using the functional API rather than leaking and waiting for the garbage collector to clean them up. - Correctly handle digest auth headers with a malformed qop directive that contains no token, by treating it the same as if no qop directive was provided at all. - Minor performance improvements when removing specific cookies by name. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1419-1 Released: Wed Aug 30 15:38:22 2017 Summary: Security update for expat Type: security Severity: moderate References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233 Description: This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1439-1 Released: Fri Sep 1 15:31:05 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1045384,1045987,1046268,1047379,1048605 Description: This update for systemd fixes the following issues: - Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605) - compat-rules: drop the bogus 'import everything' rule (bsc#1046268) - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379) - udev/path_id: introduce support for NVMe devices (bsc#1045987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1447-1 Released: Mon Sep 4 15:38:20 2017 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Adapt to work with GnuPG 2.1.23. (bsc#1054088) - Support signing with subkeys. (bsc#1008325) - Enhance sort order for media.1/products. (bsc#1054671) zypper: - Also show a gpg key's subkeys. (bsc#1008325) - Improve signature check callback messages. (bsc#1045735) - Add options to tune the GPG check settings. (bsc#1045735) - Adapt download callback to report and handle unsigned packages. 
(bsc#1038984, CVE-2017-7436) - Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1450-1 Released: Mon Sep 4 16:36:07 2017 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 1035062,944903 Description: This update for insserv-compat fixes the following issues: - Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062) - Fix directory argument parsing. (bsc#944903) - Add perl(Getopt::Long) to list of requirements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1453-1 Released: Mon Sep 4 21:23:50 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1043333,1046659,1047008 Description: This update for libgcrypt fixes the following issues: - libgcrypt stored an open file descriptor to the random device in a static variable between invocations. 
gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333) - Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659) * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer - fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659) - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1457-1 Released: Tue Sep 5 14:40:18 2017 Summary: Security update for python-pycrypto Type: security Severity: important References: 1017420,1047666,CVE-2013-7459 Description: This update for python-pycrypto fixes the following issues: - CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew (bsc#1017420). python-paramiko was adjusted to work together with this python-pycrypto change. (bsc#1047666) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1548-1 Released: Fri Sep 15 18:19:12 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1005063,1009269,1012523,1025176,1050767,1050943 Description: This update for sg3_utils provides the following fixes: - Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176) - In case the VPD sysfs attributes are missing or cannot be accessed, fallback to use sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523) - Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063) - Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. 
(bsc#1050943) - Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767) - Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1592-1 Released: Tue Sep 26 17:38:03 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1028485,1045628,978055,998893,999878 Description: This update for lvm2 provides the following fixes: - Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485) - Try to refresh clvmd's device cache on the first failure. (bsc#978055) - Fix stale device cache in clvmd. (bsc#978055) - Warn if PV size in metadata is larger than disk device size. (bsc#999878) - Fix lvm2 activation issue when used on top of multipath. (bsc#998893) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1644-1 Released: Mon Oct 9 07:52:24 2017 Summary: Security update for krb5 Type: security Severity: moderate References: 1032680,1054028,1056995,903543,CVE-2017-11462 Description: This update for krb5 fixes several issues. This security issue was fixed: - CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995) These non-security issues were fixed: - Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028) - Prevent kadmind.service startup failure caused by absence of LDAP service. 
(bsc#903543) - Remove main package's dependency on systemd (bsc#1032680) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1660-1 Released: Mon Oct 9 15:39:22 2017 Summary: Security update for Salt Type: security Severity: moderate References: 1051948,1052264,1053376,1053955,CVE-2017-12791 Description: This update for salt fixes one security issue and bugs: The following security issue has been fixed: - CVE-2017-12791: Directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID (bsc#1053955). Additionally, the following non-security issues have been fixed: - Added support for SUSE Manager scalability features. (bsc#1052264) - Introduced the kubernetes module. (bsc#1051948) - Notify systemd synchronously via NOTIFY_SOCKET. (bsc#1053376) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1663-1 Released: Tue Oct 10 12:05:09 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1043615,1046173 Description: This update for dbus-1 provides the following fixes: - Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1703-1 Released: Tue Oct 17 13:20:12 2017 Summary: Recommended update for audit Type: recommended Severity: low References: 1042781 Description: This update for audit provides the following fix: - Make auditd start by forking the systemd service to fix some initialization failures. 
(bsc#1042781) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1758-1 Released: Mon Oct 23 08:47:47 2017 Summary: Security update for curl Type: security Severity: moderate References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876) - CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824) Bugs fixed: - Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1772-1 Released: Wed Oct 25 14:10:42 2017 Summary: Recommended update for logrotate Type: recommended Severity: low References: 1057801 Description: This update for logrotate provides the following fix: - Make sure log files continue to rotate properly when a stale status file is found. (bsc#1057801) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1796-1 Released: Fri Oct 27 21:25:06 2017 Summary: Recommended update for pcre Type: recommended Severity: moderate References: 1058722 Description: This update for pcre fixes the following issues: - Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining pcre match() function (bsc#1058722) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1797-1 Released: Sat Oct 28 12:06:19 2017 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1028304,1048645,1060738 Description: This update for permissions fixes the following issues: - Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. 
(bsc#1028304) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1826-1 Released: Wed Nov 8 08:47:17 2017 Summary: Security update for krb5 Type: security Severity: important References: 1065274,CVE-2017-15088 Description: This update for krb5 fixes the following issues: Security issues fixed: - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1829-1 Released: Wed Nov 8 08:50:00 2017 Summary: Security update for shadow Type: security Severity: moderate References: 1023895,1052261,980486,CVE-2017-12424 Description: This update for shadow fixes several issues. This security issue was fixed: - CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261). These non-security issues were fixed: - bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings - bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1881-1 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Type: security Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 Description: The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. 
  (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allowed remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)

Version update to file version 5.22
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present, print the interpreter name.

Version update to file version 5.21
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale; convert them to ascii format first.
* there was an out of bounds read in elf note reads

Update to file version 5.20
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support

Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1903-1
Released:    Fri Nov 24 16:19:37 2017
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:

Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)

Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1916-1
Released:    Fri Nov 24 20:15:01 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    important
References:  1043333,1059723
Description:
This update for libgcrypt provides the following fix:
- Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon. (bsc#1059723)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1917-1
Released:    Mon Nov 27 13:32:07 2017
Summary:     Optional update for gcc7
Type:        recommended
Severity:    low
References:  1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.

New features:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-nvptx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA card offload support.

The update also supplies gcc7-compatible libstdc++, libgcc_s1 and other gcc-derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 7, several bugs were fixed, quite a few new warnings were added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1965-1
Released:    Thu Nov 30 12:48:45 2017
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libsolv:
- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.

libzypp:
- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.

zypper:
- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands to support setting only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1966-1
Released:    Thu Nov 30 13:45:24 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249
Description:
This update for systemd fixes the following issues:
- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow to specify the generation number through the kernel command line.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1968-1
Released:    Thu Nov 30 19:49:33 2017
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    low
References:  1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:
- Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example it no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1970-1
Released:    Thu Nov 30 22:55:41 2017
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:

Security issues fixed:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2021-1
Released:    Fri Dec 8 10:11:04 2017
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1070878,1070958
Description:
This update for file fixes detection of JPEG files.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2031-1
Released:    Mon Dec 11 12:55:57 2017
Summary:     Recommended update for gzip
Type:        recommended
Severity:    low
References:  1067891
Description:
This update for gzip provides the following fix:
- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2036-1
Released:    Wed Dec 13 16:34:21 2017
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    low
References:  1039276,1040968,1055446,1066500
Description:
This update for util-linux provides the following fixes:
- Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968)
- Fix an infinite loop, a crash, and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446)
- Fix a lscpu failure on Sydney Amazon EC2 region. (bsc#1066500)
- If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2097-1
Released:    Sat Dec 16 01:59:00 2017
Summary:     Security update for openssl
Type:        security
Severity:    important
References:  1071905,1071906,CVE-2017-3737,CVE-2017-3738
Description:
This update for openssl fixes the following issues:
- OpenSSL Security Advisory [07 Dec 2017]
  * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 'error state' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()); however, due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
  * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2111-1
Released:    Wed Dec 20 12:12:49 2017
Summary:     Security update for Salt
Type:        security
Severity:    moderate
References:  1041993,1042749,1050003,1059291,1059758,1060230,1062462,1062464,985112,CVE-2017-14695,CVE-2017-14696
Description:
This update for salt fixes the following security issues and bugs.

The following security issues have been fixed:
- CVE-2017-14695: A directory traversal vulnerability in minion id validation allowed remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. (bsc#1062462)
- CVE-2017-14696: It was possible to force a remote Denial of Service with a specially crafted authentication request. (bsc#1062464)

Additionally, the following non-security issues have been fixed:
- Removed deprecation warning for beacon configuration using dictionaries. (bsc#1041993)
- Fixed beacons failing when the pillar-based configuration suppresses the config-based one. (bsc#1060230)
- Fixed minion resource exhaustion when many functions are being executed in parallel. (bsc#1059758)
- Remove 'TasksTask' attribute from salt-master.service in older versions of systemd. (bsc#985112)
- Fix for delete_deployment in Kubernetes module. (bsc#1059291)
- Catch the error when the PID file cannot be deleted. (bsc#1050003)
- Use $HOME to get the user home directory instead of using the '~' character. (bsc#1042749)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2137-1
Released:    Thu Dec 21 17:49:12 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1046173,1071698
Description:
This update for dbus-1 provides the following fixes:
- The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:4-1
Released:    Tue Jan 2 15:58:20 2018
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:
- Don't store duplicated locks.
  (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)

zypper:
- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:38-1
Released:    Tue Jan 9 14:56:43 2018
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  1070209
Description:
This update for kmod provides the following fixes:
- Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:55-1
Released:    Fri Jan 12 09:45:49 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:
- A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
- A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
- A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:64-1
Released:    Fri Jan 12 16:19:28 2018
Summary:     Security update for mariadb
Type:        security
Severity:    moderate
References:  1039034,1049399,1049404,1049417,1054591,1072665,CVE-2017-3636,CVE-2017-3641,CVE-2017-3653
Description:
This update for mariadb fixes several issues.

These security issues were fixed:
- CVE-2017-3636: Client programs had an unspecified vulnerability that could lead to unauthorized access and denial of service (bsc#1049399)
- CVE-2017-3641: DDL unspecified vulnerability could lead to denial of service (bsc#1049404)
- CVE-2017-3653: DML unspecified vulnerability could lead to unauthorized database access (bsc#1049417)

These non-security issues were fixed:
- Add ODBC support for Connect engine (bsc#1039034)
- Relax required version for mariadb-errormessages (bsc#1072665)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:86-1
Released:    Wed Jan 17 09:38:17 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released:    Wed Jan 17 14:41:17 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released:    Wed Jan 17 14:44:33 2018
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    low
References:  1063051,1067312
Description:
This update for lvm2 provides the following fixes:
- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages on testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd. (bsc#1067312)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released:    Thu Jan 25 11:44:23 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1064397,1065083
Description:
This update for openldap2 provides the following fixes:
- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released:    Thu Jan 25 13:38:37 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.

This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released:    Tue Jan 30 10:53:43 2018
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.

These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released:    Tue Jan 30 14:36:40 2018
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.

This security issue was fixed:
- CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308).

These non-security issues were fixed:
- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files. (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released:    Tue Jan 30 14:37:42 2018
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.

This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER-encoded structure, which allowed for DoS (bsc#1076832).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:231-1
Released:    Thu Feb 1 09:56:36 2018
Summary:     Recommended update for systemd-rpm-macros
Type:        recommended
Severity:    low
References:  1071543,1073715
Description:
This update for systemd-rpm-macros provides the following fixes:
- Make sure to apply presets if packages start shipping units during upgrades. (bsc#1071543, bsc#1073715)
- Remove a useless test in %service_add_pre(). The test was placed where the condition '[ '$FIRST_ARG' -gt 1 ]' was always true.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:270-1
Released:    Wed Feb 7 14:34:19 2018
Summary:     Security update for mariadb
Type:        security
Severity:    moderate
References:  1058722,1064101,1064115,1076505,CVE-2017-10268,CVE-2017-10378
Description:
This update for mariadb to version 10.0.33 fixes several issues.

These security issues were fixed:
- CVE-2017-10378: Vulnerability in subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server (bsc#1064115).
- CVE-2017-10268: Vulnerability in subcomponent: Server: Replication. Difficult to exploit vulnerability allowed high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data (bsc#1064101).

These non-security issues were fixed:
- CHECK TABLE no longer returns an error when run on a CONNECT table
- 'Undo log record is too big.' error occurring in a very narrow range of string lengths
- Race condition between INFORMATION_SCHEMA.INNODB_SYS_TABLESTATS and ALTER/DROP/TRUNCATE TABLE
- Wrong result after altering a partitioned table
- Fixed bugs in InnoDB FULLTEXT INDEX
- InnoDB FTS duplicate key error
- InnoDB crash after failed ADD INDEX and table_definition_cache eviction
- fts_create_doc_id() unnecessarily allocates 8 bytes for every inserted row
- IMPORT TABLESPACE may corrupt ROW_FORMAT=REDUNDANT tables

For additional details please see https://kb.askmonty.org/en/mariadb-10033-changelog

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released:    Thu Feb 8 17:47:43 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes several issues.

These security issues were fixed:
- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released:    Mon Feb 12 11:50:39 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    low
References:  1057452,1076909
Description:
This update for bash provides the following fixes:
- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:314-1 Released: Thu Feb 15 14:47:35 2018 Summary: Security update for glibc Type: security Severity: important References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551 Description: This update for glibc fixes the following issues: Security issues fixed: - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293) Non security bugs fixed: - Release read lock after resetting timeout (bsc#1073990) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:336-1 Released: Wed Feb 21 14:26:52 2018 Summary: Security update for libdb-4_8 Type: security Severity: moderate References: 1043886 Description: This update for libdb-4_8 fixes the following issues: - A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. (bsc#1043886) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:355-1 Released: Mon Feb 26 16:34:46 2018 Summary: Security update for systemd Type: security Severity: moderate References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless protected_hardlinks sysctl is on. 
This could be used by local attackers to gain privileges (bsc#1077925) Non Security issues fixed: - core: use id unit when retrieving unit file state (#8038) (bsc#1075801) - cryptsetup-generator: run cryptsetup service before swap unit (#5480) - udev-rules: all values can contain escaped double quotes now (#6890) - strv: fix buffer size calculation in strv_join_quoted() - tmpfiles: change ownership of symlinks too - stdio-bridge: Correctly propagate error - stdio-bridge: remove dead code - remove bus-proxyd (bsc#1057974) - core/timer: Prevent timer looping when unit cannot start (bsc#1068588) - Make systemd-timesyncd use the openSUSE NTP servers by default Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com - Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224) But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if tmp.mount in use is located in /usr. - Enable systemd-networkd on Leap distros only (bsc#1071311) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:375-1 Released: Wed Feb 28 16:33:37 2018 Summary: Recommended update for net-tools Type: recommended Severity: low References: 1009905,1063910 Description: This update for net-tools provides the following fix: - netstat: fix handling of large socket numbers (bsc#1063910) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:377-1 Released: Wed Feb 28 21:31:59 2018 Summary: Recommended update for Salt Type: recommended Severity: moderate References: 1050003,1063419,1065792,1068446,1068566,1071322,1072218,1073618,1074227,1078001 Description: This update for salt fixes the following issues: - Fix state files with unicode. (bsc#1074227) - Catch ImportError for kubernetes.client import. 
(bsc#1078001) - Fix epoch handling for Rhel 6 and 7. - Fix zypper module to return UTC dates on 'pkg.list_downloaded'. - Fix return value parsing when calling vm_state. (bsc#1073618) - Fix 'user.present' when 'gid_from_name' is set but group does not exist. - Split only strings, if they are such. (bsc#1072218) - Feat: Add grain for all FQDNs. (bsc#1063419) - Fix 'No service execution module loaded' issue. (bsc#1065792) - Removed unnecessary logging on shutdown. (bsc#1050003) - Add grain for retrieving FQDNs. (bsc#1063419) - Older logrotate need su directive. (bsc#1071322) - Fix for wrong version processing during yum pkg install. (bsc#1068566) - Avoid excessive syslogging by watchdog cronjob. - Check pillar: Fix the logic according to the exact described purpose of the function. (bsc#1068446) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:439-1 Released: Fri Mar 9 14:05:22 2018 Summary: Security update for augeas Type: security Severity: low References: 1054171,CVE-2017-7555 Description: This update for augeas fixes the following issues: Security issue fixed: - CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released:    Fri Mar 9 18:02:14 2018
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:

- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released:    Mon Mar 12 13:13:55 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:

- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released:    Thu Mar 15 07:38:52 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:

- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released:    Thu Mar 15 10:47:40 2018
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    low
References:  1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:

libsolv:

- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.

libzypp:

- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)

zypper:

- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:478-1
Released:    Thu Mar 15 16:56:52 2018
Summary:     Security update for mariadb
Type:        security
Severity:    important
References:  1078431,CVE-2018-2562,CVE-2018-2612,CVE-2018-2622,CVE-2018-2640,CVE-2018-2665,CVE-2018-2668
Description:
This update for mariadb fixes the following issues:

MariaDB was updated to 10.0.34 (bsc#1078431)

The following security vulnerabilities are fixed:

- CVE-2018-2562: Vulnerability in the MySQL Server subcomponent: Server: Partition. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.
- CVE-2018-2622: Vulnerability in the MySQL Server subcomponent: Server: DDL. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2640: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2665: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2668: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2612: Vulnerability in the MySQL Server subcomponent: InnoDB. Easily exploitable vulnerability allowed high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

The MariaDB external release notes and changelog for this release:

* https://kb.askmonty.org/en/mariadb-10034-release-notes
* https://kb.askmonty.org/en/mariadb-10034-changelog

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released:    Thu Mar 22 08:20:46 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:

The following security issues were fixed:

- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:524-1
Released:    Thu Mar 22 11:53:28 2018
Summary:     Recommended update for zypp-plugin
Type:        recommended
Severity:    low
References:  1081596
Description:
This update provides the new Python 3 module for the zypp-plugin.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released:    Thu Mar 29 14:02:08 2018
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:

Security issues fixed:

- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).

Non-security issues fixed:

- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released:    Thu Apr 5 17:22:37 2018
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.

This security issue was fixed:

- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released:    Wed Apr 11 18:02:57 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:

- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. (bsc#1087102)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:651-1
Released:    Mon Apr 16 19:25:08 2018
Summary:     Initial release of python3-cssselect, -lxml, -pycparser, -simplejson and -pycurl
Type:        optional
Severity:    low
References:  1073879
Description:
This update provides the following new Python 3 modules for the SUSE Linux Enterprise Server:

- python3-cssselect
- python3-lxml
- python3-pycparser
- python3-pycurl
- python3-simplejson

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:727-1
Released:    Tue Apr 24 12:50:53 2018
Summary:     Initial release of python3-pyzmq
Type:        optional
Severity:    low
References:  1073879
Description:
This update provides the following new Python 3 module:

- python3-pyzmq

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released:    Wed Apr 25 14:14:41 2018
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released:    Wed Apr 25 14:23:49 2018
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv and libzypp provides the following fixes:

Changes in libsolv:

- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)

Changes in libzypp:

- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:743-1
Released:    Thu Apr 26 15:40:28 2018
Summary:     Initial release of python3-psutil and -pycrypto
Type:        optional
Severity:    low
References:  1073879
Description:
This update provides the following new Python 3 modules:

- python3-psutil
- python3-pycrypto

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:759-1
Released:    Mon Apr 30 12:03:07 2018
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1072973,1079398,1085635
Description:
This update for salt fixes the following issues:

- Make module result usable in states module.run. (bsc#1085635)
- Fix Augeas module 'stripped quotes' issue. (bsc#1079398)
- Fix logging with FQDNs.
- Explore 'module.run' state module output in depth to catch the 'result' properly.
- Fix x509 unit test to run on 2016.11.4 version.
- Fix TypeError, thrown by M2Crypto on missing fields. (bsc#1072973)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released:    Wed May 2 22:16:26 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:

- Fix find-lang.sh to handle the special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal to or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released:    Mon May 7 07:07:38 2018
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    important
References:  1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update for gcc7 to the 7.3 release fixes the following issues:

- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550]
- Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with the GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:801-1
Released:    Mon May 7 12:59:12 2018
Summary:     Initial release of python3-msgpack-python
Type:        optional
Severity:    low
References:  1073879
Description:
This update provides the following new Python 3 module:

- python3-msgpack-python

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:806-1
Released:    Tue May 8 12:31:07 2018
Summary:     Initial release of python3-MarkupSafe
Type:        optional
Severity:    low
References:  1073879
Description:
This update provides the following new Python 3 module:

- python3-MarkupSafe

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:807-1
Released:    Tue May 8 12:33:03 2018
Summary:     Initial release of python3-Jinja2
Type:        optional
Severity:    low
References:  1073879
Description:
This update provides the following new Python 3 module:

- python3-Jinja2

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:810-1
Released:    Tue May 8 17:20:51 2018
Summary:     Initial release of python3-PyYAML
Type:        optional
Severity:    low
References:  1073879
Description:
This update provides the following new Python 3 module:

- python3-PyYAML

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:919-1
Released:    Tue May 15 16:30:21 2018
Summary:     Initial release of python3-tornado
Type:        optional
Severity:    low
References:  1073879
Description:
This update provides the following new Python 3 module:

- python3-tornado

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:925-1
Released:    Wed May 16 10:09:28 2018
Summary:     Initial release of python3-requests
Type:        optional
Severity:    low
References:  1073879
Description:
This update provides the following new Python 3 module:

- python3-requests

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released:    Thu May 17 08:41:30 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:

Security issues fixed:

- CVE-2018-1000301: Fixed an RTSP bad-headers buffer over-read that could crash the curl client (bsc#1092098)

Non-security issues fixed:

- If the DEFAULT_SUSE cipher list is not available, use the HIGH cipher alias before failing. (bsc#1086825)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:964-1
Released:    Tue May 22 18:31:29 2018
Summary:     Security update for python
Type:        security
Severity:    moderate
References:  1068664,1079300,CVE-2017-1000158,CVE-2018-1000030
Description:
This update for python fixes the following issues:

Security issues fixed:

- CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664).
- CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same I/O stream concurrently (bsc#1079300).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released:    Wed May 23 16:46:50 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:

- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released:    Wed May 23 17:14:16 2018
Summary:     Security update for bash
Type:        security
Severity:    moderate
References:  1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:

Security issues fixed:

- CVE-2016-7543: A code execution possibility via the SHELLOPTS+PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396)

Non-security issues fixed:

- Fix repeated self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released:    Wed May 23 17:18:39 2018
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1071321
Description:
This update for zlib fixes the following issues:

- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released:    Tue Jun 5 13:20:44 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1089884
Description:
This update for pam fixes the following issues:

- Fix order of accessed configuration files in man page. (bsc#1089884)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released:    Wed Jun 6 11:44:25 2018
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:

- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)

Non-security bugs fixed:

- Fix crash in resolver on memory allocation failure (bsc#1086690)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released:    Thu Jun 7 12:58:56 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1073879,1080078,964063
Description:
This update for rpm fixes the following issues:

- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros. (bsc#1080078)

Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released:    Fri Jun 15 13:41:08 2018
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1144-1
Released:    Fri Jun 15 19:19:29 2018
Summary:     Recommended update for logrotate
Type:        recommended
Severity:    moderate
References:  1093617
Description:
This update for logrotate provides the following fix:

- Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released:    Fri Jun 15 19:19:51 2018
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1090765
Description:
This update for openssl provides the following fix:

- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1157-1
Released:    Tue Jun 19 15:31:48 2018
Summary:     Security update for salt
Type:        security
Severity:    moderate
References:  1059291,1061407,1062464,1064520,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1090242,1091371,1092161,1092373,1094055,1097174,1097413,CVE-2017-14695,CVE-2017-14696
Description:
This update for salt provides version 2018.3 and brings many fixes and improvements:

- Fix for sorting of multi-version packages (bsc#1097174 and bsc#1097413)
- Align SUSE salt-master.service 'LimitNOFILES' limit with upstream Salt
- Add 'other' attribute to GECOS fields to avoid inconsistencies with chfn
- Prevent zypper from parsing repo configuration from non-.repo files (bsc#1094055)
- Collect all versions of installed packages on SUSE and RHEL systems (bsc#1089526)
- No more AWS EC2 rate limitations in salt-cloud. (bsc#1088888)
- MySQL returner now also allows the use of Unix sockets. (bsc#1091371)
- Do not override jid on returners, only sending back to master. (bsc#1092373)
- Remove minion/thin/version if it exists to force thin regeneration. (bsc#1092161)
- Fix minion scheduler to return a 'retcode' attribute. (bsc#1089112)
- Fix for logging during network interface querying. (bsc#1087581)
- Fix rhel packages requiring both net-tools and iproute. (bsc#1087055)
- Fix patchinstall on yum module. Bad comparison. (bsc#1087278)
- Strip trailing commas on Linux users' GECOS fields. (bsc#1089362)
- Fallback to PyMySQL. (bsc#1087891)
- Fix for [Errno 0] Resolver Error 0 (no error). (bsc#1087581)
- Add python-2.6 support to salt-ssh.
- Make it possible to use docker login, pull and push from module.run and detect errors.
- Fix unicode decode error with salt-ssh.
- Fix cp.push empty file. (bsc#1075950)
- Fix grains containing trailing '\n'.
- Remove salt-minion python2 requirement when python3 is default. (bsc#1081592)
- Restoring installation of packages for Rhel 6 and 7.
- Prevent queryformat pattern from expanding. (bsc#1079048)
- Fix for delete_deployment in Kubernetes module. (bsc#1059291)
- Fix bsc#1062464 and CVE-2017-14696 already included in 2017.7.2.
- Fix wrong version reported by Salt. (bsc#1061407)
- Run salt-api as user salt. (bsc#1064520)

For a detailed description, please refer to the upstream changelog at https://docs.saltstack.com/en/latest/topics/releases/index.html or to the rpm changelog.

supportutils-plugin-salt:

- Collect salt-api, salt-broker and salt-ssh log files (bsc#1090242)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1202-1
Released:    Fri Jun 22 07:40:27 2018
Summary:     Security update for mariadb
Type:        security
Severity:    important
References:  1088681,1090518,CVE-2018-2755,CVE-2018-2761,CVE-2018-2766,CVE-2018-2767,CVE-2018-2771,CVE-2018-2781,CVE-2018-2782,CVE-2018-2784,CVE-2018-2787,CVE-2018-2813,CVE-2018-2817,CVE-2018-2819
Description:
MariaDB was updated to 10.0.35 (bsc#1090518)

Notable changes:

* PCRE updated to 8.42
* XtraDB updated to 5.6.39-83.1
* TokuDB updated to 5.6.39-83.1
* InnoDB updated to 5.6.40
* The embedded server library now supports SSL when connecting to remote servers [bsc#1088681], [CVE-2018-2767]
* MDEV-15249 - Crash in MVCC read after IMPORT TABLESPACE
* MDEV-14988 - innodb_read_only tries to modify files if transactions were recovered in COMMITTED state
* MDEV-14773 - DROP TABLE hangs for InnoDB table with FULLTEXT index
* MDEV-15723 - Crash in INFORMATION_SCHEMA.INNODB_SYS_TABLES when accessing corrupted record
* Fixes for the following security vulnerabilities: CVE-2018-2782, CVE-2018-2784, CVE-2018-2787, CVE-2018-2766, CVE-2018-2755, CVE-2018-2819, CVE-2018-2817, CVE-2018-2761, CVE-2018-2781, CVE-2018-2771, CVE-2018-2813
* Release notes and changelog:
  * https://kb.askmonty.org/en/mariadb-10035-release-notes
  * https://kb.askmonty.org/en/mariadb-10035-changelog
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1242-1 Released: Thu Jun 28 13:44:16 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1276-1 Released: Thu Jul 5 08:36:17 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1097158,1097624,1098592,CVE-2018-0732 Description: This update for openssl fixes the following issues: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. 
This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158). - Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1328-1 Released: Tue Jul 17 08:07:57 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1351-1 Released: Thu Jul 19 09:43:21 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1376-1 Released: Mon Jul 23 10:54:47 2018 Summary: Security update for python Type: security Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at 
least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1400-1 Released: Thu Jul 26 16:32:29 2018 Summary: Security update for util-linux Type: security Severity: moderate References: 1072947,1078662,1080740,1084300,CVE-2018-7738 Description: This update for util-linux fixes the following issues: This non-security issue was fixed: - CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300). These non-security issues were fixed: - Fixed crash loop in lscpu (bsc#1072947). - Fixed possible segfault of umount -a - Fixed mount -a on NFS bind mounts (bsc#1080740). - Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1413-1 Released: Fri Jul 27 12:41:13 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. 
(bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released:    Mon Jul 30 10:10:45 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package (bsc#1096282).

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2018:1515-1
Released:    Tue Aug 7 20:19:04 2018
Summary:     Introduce packages added to SLES 12 SP3 after release
Type:        optional
Severity:    low
References:  1102861
Description:
This update adds packages to SUSE Linux Enterprise Server 12 SP3 for Teradata which were added after the release of SLES 12 SP3.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released:    Mon Aug 13 13:41:22 2018
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly (bsc#1065448, bsc#1070431).
- Fix page decoding (bsc#1077787).
- Remove initrd rebuild macros for libsgutils2 subpackage (bsc#1092640).
- Use %post -p for ldconfig (bsc#1092640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1610-1
Released:    Thu Aug 16 14:04:25 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order (bsc#1090766).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1612-1
Released:    Thu Aug 16 14:04:38 2018
Summary:     Security update for python
Type:        security
Severity:    moderate
References:  1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:

The following security vulnerability was addressed:
- Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted WAV format audio file (bsc#1083507, CVE-2017-18207).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released:    Thu Aug 16 14:49:45 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released:    Thu Aug 16 15:27:04 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:
- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fix up prefix for pre-SPC inquiry reply (bsc#1039099).
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4 (bsc#1095096).
- compat-rules: Generate more compat by-id symlinks for NVMe devices (bsc#1095096).
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator (bsc#1083158).
- udev: Don't create by-partlabel/primary and .../logical symlinks.
(bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for DOS partition tables.
- device: Make sure to always retroactively start device dependencies (bsc#1088052).
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets (bsc#1093851).
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service units with Type=simple (bsc#1091265).
- logind: Fix crash when shutdown is not issued from a tty (bsc#1088890).
- logind: Do not use an uninitialized variable (bsc#1088890).
- Disable user services by default (bsc#1090785).
- Ship 99-sysctl.conf instead of creating it during package installation/update (bsc#1088769).
  Previously this symlink was created in /etc/sysctl.d during %post, which left the symlink unowned by any package and, more importantly, created it only if /etc/sysctl.conf was already installed, which is not always the case during the installation process. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead, since it is a distro default that the sysadmin may override later.
- systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules (bsc#1080382, bsc#1082485).
  Add the offline event environmental condition to restrict the rule so that it can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in the kernel. This change prevents the udev rules for the ACPI container from being triggered by 'udevadm trigger' from user space.
- build-sys: Explicitly require python3.
(bsc#1082004)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1636-1
Released:    Thu Aug 16 15:30:11 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package (bsc#1096282).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1689-1
Released:    Mon Aug 20 09:02:24 2018
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package (bsc#1096282).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1691-1
Released:    Mon Aug 20 09:04:17 2018
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    low
References:  1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly (bsc#1065448, bsc#1070431).
- Fix page decoding (bsc#1077787).
- Remove initrd rebuild macros for libsgutils2 subpackage (bsc#1092640).
- Use %post -p for ldconfig (bsc#1092640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1695-1
Released:    Mon Aug 20 09:19:20 2018
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718).

This non-security issue was fixed:
- Fix debugger crash in tab completion with Term::ReadLine::Gnu (bsc#1068565).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1698-1
Released:    Mon Aug 20 09:19:28 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1716-1
Released:    Mon Aug 20 17:03:40 2018
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1057635,1072599,1089526,1095507,1096514,1098394,1099323,1099460,1099945,1100142,1100225,1100697,1101812,1101880,1102218,1102265
Description:
This update for salt fixes the following issues:
- Fix file.blockreplace to avoid throwing IndexError (bsc#1101812).
- Fix pkg.upgrade reports when dealing with multiversion packages (bsc#1102265).
- Fix UnicodeDecodeError using is_binary check (bsc#1100225).
- Fix corrupt public key with m2crypto python3 (bsc#1099323).
- Prevent payload crash on decoding binary data (bsc#1100697).
- Account for files in an archive containing non-ASCII characters (bsc#1099460).
- Handle packages with multiple versions properly with zypper (bsc#1096514).
- Fix file.get_diff regression on 2018.3 (bsc#1098394).
- Provide python version mismatch solutions (bsc#1072599).
- Add custom SUSE capabilities as Grains (bsc#1089526).
- Fix file.managed binary file utf8 error (bsc#1098394).
- Multiversion patch plus upstream fix and patch reordering.
- Add environment variable to know if yum is invoked from Salt.
(bsc#1057635)
- Prevent deprecation warning with salt-ssh (bsc#1095507).
- Add missing dateutils import (bsc#1099945).
- Check dmidecoder executable on each 'smbios' call to avoid a race condition (bsc#1101880).
- Fix mine.get not returning data; workaround for #48020 (bsc#1100142).
- Add API log rotation on SUSE package (bsc#1102218).
- Backport the new libvirt_events engine from upstream.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1753-1
Released:    Fri Aug 24 14:24:17 2018
Summary:     Security update for python
Type:        security
Severity:    moderate
References:  1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:

The following security vulnerability was addressed:
- Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted WAV format audio file (bsc#1083507, CVE-2017-18207).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1834-1
Released:    Wed Sep 5 10:17:42 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1089761,1090944,1101040,1103910
Description:
This update for systemd fixes the following issues:
- cryptsetup: Add support for sector-size= option (fate#325634).
- resolved: Apply epoch to system time from PID 1 (bsc#1103910).
- core/service: Rework the hold-off time over message.
- core: Don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944).
- man: SystemMaxUse= clarification in journald.conf(5) (bsc#1101040).
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used.
(bsc#1089761)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1903-1
Released:    Fri Sep 14 12:46:21 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1089533,1106019,CVE-2018-14618
Description:
This update for curl fixes the following issues:

This security issue was fixed:
- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019).

This non-security issue was fixed:
- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1969-1
Released:    Mon Sep 24 08:06:42 2018
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    important
References:  1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685
Description:
This update for libzypp, zypper fixes the following issues:

Update libzypp to version 16.17.20:

Security issues fixed:
- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685).
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685).

Other bugs fixed:
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304).
- Handle HTTP error 502 Bad Gateway in curl backend (bsc#1070851).
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349).
- HardLocksFile: Prevent an empty commit without the Target having been loaded (bsc#1096803).
- Avoid zombie tar processes (bsc#1076192).

Update zypper to version 1.13.45:

Security issues fixed:
- Improve signature check callback messages (bsc#1045735, CVE-2017-9269).
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269).

Other bugs fixed:
- XML attribute `packages-to-change` added (bsc#1102429).
- man: Clarify that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028).
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413).
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413).
- Fix: zypper bash completion expands non-existing options (bsc#1049825).
- Improve signature check callback messages (bsc#1045735).
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1985-1
Released:    Mon Sep 24 11:56:08 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1089640
Description:
This update for openldap2 provides the following fix:
- Fix slapd segfaults in mdb_env_reader_dest.
(bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1994-1
Released:    Mon Sep 24 12:55:57 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1106914
Description:
This update for shadow fixes the following security issue:
- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2023-1
Released:    Wed Sep 26 09:48:49 2018
Summary:     Recommended update for patchinfo.salt, salt
Type:        recommended
Severity:    moderate
References:  1095942,1102013,1103530,1104154
Description:
This update for salt fixes the following issues:
- Prepend current directory when path is just a filename (bsc#1095942).
- Only do reverse DNS lookup on IPs for salt-ssh (bsc#1104154).
- Add support for Python 3.7 and Tornado 5.0.
- Decode file contents for python2 (bsc#1102013, bsc#1103530).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2069-1
Released:    Fri Sep 28 08:01:25 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737
Description:
This update for openssl fixes the following issues:

These security issues were fixed:
- Prevent the One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789).
- CVE-2018-0737: The RSA key generation algorithm has been shown to be vulnerable to a cache timing side channel attack.
  An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039).

These non-security issues were fixed:
- Add an openssl(cli) Provide so that packages which require the openssl binary can require this instead of the new openssl meta package (bsc#1101470).
- Fixed path to the engines, which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2162-1
Released:    Fri Oct 5 14:46:53 2018
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1088921
Description:
This update for krb5 provides the following fix:
- Resolve krb5 GSS credentials immediately if the application requests the lifetime (bsc#1088921).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2181-1
Released:    Tue Oct 9 11:08:20 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:
This update for libxml2 fixes the following security issues:
- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case, leading to a denial of service (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2196-1
Released:    Thu Oct 11 07:45:16 2018
Summary:     Optional update for gcc8
Type:        recommended
Severity:    low
References:  1084812,1084842,1087550,1094222,1102564
Description:
The GNU Compiler GCC 8 is being added to the Toolchain Module by this update.

The update also supplies gcc8-compatible libstdc++, libgcc_s1 and other gcc-derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 8, several bugs were fixed, quite a few new warnings were added, and the error pin-pointing and fix suggestions have been greatly improved.

The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html

Changes needed and common pitfalls when porting software are described at:
https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2217-1
Released:    Fri Oct 12 15:07:24 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1094121,1107430
Description:
This update for bash provides the following fixes:
- Fix an inconsistent behaviour regarding expansion of here strings (bsc#1094121).
- Fix mis-matching of null string with '*' pattern (bsc#1107430).
- Fix a crash when the lastpipe option is enabled.
- Fix a typo that was preventing the `compat42' shopt option from working as intended.
- Help the shell to process any pending traps at redirection.
- Fix a crash due to incorrect conversion from an indexed to an associative array.
- Avoid the expansion of escape sequences in HOSTNAME in the prompt.
- Avoid `xtrace' attack over $PS4.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2373-1
Released:    Mon Oct 22 14:43:47 2018
Summary:     Security update for rpm
Type:        security
Severity:    moderate
References:  1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457).

This non-security issue was fixed:
- Use ksym-provides tool (bsc#1077692).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2379-1
Released:    Tue Oct 23 10:32:56 2018
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1095651,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893
Description:
This update fixes the following issues:

salt:
- Improved IPv6 address handling (bsc#1108557).
- Better handling for zypper exiting with exit code ZYPPER_EXIT_NO_REPOS (bsc#1108834, bsc#1109893).
- Fix for dependency problem with pip (bsc#1104491).
- Loosen azure sdk dependencies in the azurearm cloud driver (bsc#1107333).
- Fix for Python3 issue in zypper (bsc#1108995).
- Allow running salt-cloud in GCE using instance credentials (bsc#1108969).
- Improved handling of Python unicode literals in YAML parsing (bsc#1095651).
- Fix for Salt 'acl.present' and 'acl.absent' states to make them
  successfully work recursively when 'recurse=True' (bsc#1106164).
- Fix for Python3 byte/unicode mismatch and additional minor bugfixes to the x509 module.
- Integration of MSI authentication for azurearm.
- Fix compound list targeting wrongly returning minions specified in 'not'.
- Fix the x509 module to work when using the sign_remote_certificate functionality.
- Fix for SUSE Expanded Support OS grain detection (returned 'Redhat' instead of 'Centos').

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released:    Wed Oct 24 14:42:43 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:
This update for systemd fixes the following issues:
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released:    Thu Oct 25 16:56:24 2018
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    moderate
References:  1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:
- Add filesize check for downloads with known size (bsc#408814).
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664).
- Fix blocking wait for finished child process (bsc#1109877).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released:    Fri Oct 26 12:39:59 2018
Summary:     Recommended update for cpio
Type:        recommended
Severity:    low
References:  1076810,889138
Description:
This update for cpio provides the following fix:
- Remove an obsolete patch that was causing cpio not to preserve folder permissions (bsc#1076810, bsc#889138).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released:    Mon Oct 29 16:14:48 2018
Summary:     Recommended update for console-setup, kbd
Type:        recommended
Severity:    moderate
References:  1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:
- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps (fate#325454, fate#318426).
- Make the package build reproducible (bsc#1062303).
- Removed unneeded requires on kbd in order to resolve the build cycle between kbd and console-setup (bsc#963942).

Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to =U+F000 as they do not work properly (bsc#1085432).
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service (bsc#1010880).
  * Exclude numlockbios support for non-x86 platforms.
  * Drop references to KEYTABLE and COMPOSETABLE.
    (bsc#1010880)
  * Drop some fill-up templates and a couple of sysconfig variables not read by systemd anymore (fate#319454).
  * Replace references to /var/adm/fillup-templates with the new %_fillupdir macro (bsc#1069468).
  * Add vlock.pamd PAM file (bsc#1056449).
  * Enable vlock (bsc#1056449).
  * Revert dropping of the kdb-legacy requirement as there are still packages and installation flows that need it to be present (bsc#1027379).
  * Fix data/keymaps/i386/querty/br-abnt2.map (bsc#984958).
  * Fix missing dependency on coreutils for initrd macros (bsc#958562).
  * Call missing initrd macro at postun (bsc#958562).
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps (fate#318426).
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of the previously used 'pc105') (fate#318426).
  * Include xkb layouts from xkeyboard-config converted to console keymaps (fate#318426).
  * euro.map, euro1.map and euro2.map now produce the correct Unicode character for the Euro sign (bsc#360993).
  * Drop doshell reference from openvt.1 man page (bsc#675317).
  * Drop the --userwait option as it is not used (bsc#830805).
  * Fix a typo in mac-querty-layout.inc (bsc#825385).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2520-1
Released:    Mon Oct 29 17:28:57 2018
Summary:     Security update for python, python-base
Type:        security
Severity:    moderate
References:  1086001,1088004,1088009,1109663,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Description:
This update for python, python-base fixes the following issues:

Security issues fixed:
- CVE-2018-1000802: Prevent command injection in the shutil module (make_archive function) via passage of unfiltered user input (bsc#1109663).
- CVE-2018-1061: Fixed DoS via regular expression backtracking in the difflib.IS_LINE_JUNK method in difflib (bsc#1088004).
- CVE-2018-1060: Fixed DoS via catastrophic regular expression backtracking in the apop() method in pop3lib (bsc#1088009).

Bug fixes:
- bsc#1086001: python tarfile uses random order.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released:    Tue Oct 30 09:22:45 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1113117
Description:
This update for bash fixes the following issue:
- A recently released update introduced a change of behaviour which resulted in broken customer scripts (bsc#1113117).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released:    Fri Nov 2 17:09:49 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:
- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758).
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released:    Fri Nov 2 18:59:06 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:
- Add profile for usr.bin.lessopen.sh (bsc#906858).
- Fix dovecot apparmor profile (bsc#1057150).
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937).
- Fix the traceroute profile to allow IPv6 usage (bsc#1057900).
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released:    Wed Nov 7 11:04:00 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1095148,1113100
Description:
This update for rpm fixes the following issues:
- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100).
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released:    Wed Nov 14 14:14:41 2018
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:

Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd (bsc#1113632).
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allowed an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This could be used to improperly influence systemd execution and possibly lead to root privilege escalation.
  (bsc#1113665)

Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package.
  This script was part of the systemd-sysvinit sub-package, but that was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are SysV init scripts. Therefore it has never been a SysV init tool.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2745-1
Released:    Thu Nov 22 16:13:42 2018
Summary:     Security update for salt
Type:        security
Severity:    important
References:  1110938,1113698,1113699,1113784,1114197,CVE-2018-15750,CVE-2018-15751
Description:
This update for salt fixes the following issues:

Security issues fixed:

- CVE-2018-15750: Fixed directory traversal vulnerability in salt-api (bsc#1113698).
- CVE-2018-15751: Fixed remote authentication bypass in salt-api (netapi) that allowed arbitrary commands to be executed (bsc#1113699).

Non-security issues fixed:

- Improved handling of LDAP group id. gid is no longer treated as a string, which could have led to faulty group creations (bsc#1113784).
- Fix async call to process manager (bsc#1110938).
- Fixed OS arch detection when RPM is not installed (bsc#1114197).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released:    Thu Nov 22 16:25:38 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:

- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released:    Fri Nov 23 17:07:27 2018
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457).

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released:    Fri Nov 23 17:08:32 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released:    Mon Nov 26 17:46:39 2018
Summary:     Security update for procps
Type:        security
Severity:    moderate
References:  1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released:    Tue Nov 27 13:39:49 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This non-security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released:    Mon Dec 3 15:34:09 2018
Summary:     Security update for ncurses
Type:        security
Severity:    important
References:  1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released:    Wed Dec 5 09:29:31 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1111965,1113125
Description:
This update for apparmor fixes the following issues:

- Systemd aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released:    Wed Dec 5 09:57:54 2018
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:

- Allow setuid root for start-suid tool of singularity (group only) (bsc#1028304)
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247 bsc#1097665)
- Make btmp root:utmp (bsc#1050467)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released:    Wed Dec 5 09:59:45 2018
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:

- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2880-1
Released:    Fri Dec 7 14:50:23 2018
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1112874,1114824
Description:
This update fixes the following issues:

salt:

- Crontab module fix: file attributes option missing (bsc#1114824)
- Fix git_pillar merging across multiple __env__ repositories (bsc#1112874)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released:    Tue Dec 11 21:48:05 2018
Summary:     Recommended update for blog
Type:        recommended
Severity:    moderate
References:  1071568
Description:
This update for blog fixes the following issues:

- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in the same manner as used by the release notes

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released:    Mon Dec 17 08:51:28 2018
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2975-1
Released:    Tue Dec 18 13:45:02 2018
Summary:     Recommended update for python-psutil
Type:        recommended
Severity:    moderate
References:  1111800
Description:
python-psutil was updated to version 5.2.2 to fulfill requirements of other packages. (FATE#326775, bsc#1111800)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released:    Fri Dec 21 17:34:05 2018
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1117355
Description:
This update for libgcrypt provides the following fix:

- Fail selftests when the checksum file is missing in FIPS mode only. (bsc#1117355)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released:    Tue Jan 8 13:07:17 2019
Summary:     Recommended update for acl
Type:        recommended
Severity:    low
References:  953659
Description:
This update for acl fixes the following issues:

- quote: Escape literal backslashes (bsc#953659).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released:    Thu Jan 17 14:18:31 2019
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:

- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released:    Mon Jan 21 13:53:58 2019
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state, and that failure exit code prevented the hot-added memory block from being set online. (bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released:    Tue Jan 22 14:21:55 2019
Summary:     Recommended update for ncurses
Type:        recommended
Severity:    important
References:  1121450
Description:
This update for ncurses fixes the following issues:

- ncurses applications freezing (bsc#1121450)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:342-1
Released:    Wed Feb 13 11:04:32 2019
Summary:     Recommended update for Salt
Type:        recommended
Severity:    moderate
References:  1099887,1114029,1114474,1116837,1117995,1121091,1123044,1123512
Description:
This update fixes the following issues:

salt:

- Remove patch unable install salt minions on SLE 15 (bsc#1123512)
- Fix integration tests in state compiler (U#2068)
- Fix 'pkg.list_pkgs' output when using 'attr' to take the arch into account (bsc#1114029)
- Fix powerpc null server_id_arch (bsc#1117995)
- Fix module 'azure.storage' has no attribute '__version__' (bsc#1121091)
- Add supportconfig module and states for minions and SaltSSH
- Fix FIPS enabled RES clients (bsc#1099887)
- Add hold/unhold functions. Fix Debian repo 'signed-by'.
- Strip architecture from debian package names
- Fix latin1 encoding problems on file module (bsc#1116837)
- Don't error on retcode 0 in libcrypto.OPENSSL_init_crypto
- Handle anycast IPv6 addresses on network.routes (bsc#1114474)
- Debian info_installed compatibility (U#50453)
- Add compatibility with other package modules for 'list_repos' function
- Remove MSI Azure cloud module authentication patch (bsc#1123044)
- Don't encode response string from role API

From sle-updates at lists.suse.com Thu Jan 16 09:58:06 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 16 Jan 2020 17:58:06 +0100 (CET)
Subject: SUSE-CU-2019:716-1: Security update of caasp/v4/pause
Message-ID: <20200116165806.96B80F796@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/pause
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2019:716-1
Container Tags        : caasp/v4/pause:0.1 , caasp/v4/pause:0.1-rev1 , caasp/v4/pause:0.1-rev1-build1.1
Severity              : important
Type                  : security
References            : 1000396 1000662 1000677 1001299 1001790 1001912 1002975 1003577 1003579 1003580 1003714 1003978 1004094 1004289 1004995 1004995 1004995 1005023 1005063 1005404 1005544 1005633 1005634 1005635 1005637 1005638 1005640 1005642 1005643 1005645 1005646 1006175 1006372 1006469 1006687 1006690 1007851 1008325 1009269 1009470 1009528 1009532 1009745 1009905 1009966 1010220 1010675 1010845 1010880 1012266 1012390 1012523 1012591 1012818 1012973 1013286 1013882 1013930 1013989 1014471 1014560 1014566 1014873 1015254 1015332 1015515 1015565 1015943 1017034 1017497 1018214 1018399 1019276 1019470 1019637 1019637 1019900 1020108 1020143 1020601 1021641 1022014 1022047 1022085 1022086 1022271 1023283 1023895 1024989 1025176 1025398 1025560 1025598 1025630 1025886 1026224 1026567 1026825 1027079 1027379 1027688 1027712 1027908 1027925 1028263 1028281 1028304 1028304 1028305 1028410 1028485 1028610 1028723 1029102 1029102 1029183 1029516
1029516 1029523 1029561 1029691 1029725 1029900 1030290 1030621 1031355 1031643 1031702 1031998 1032029 1032029 1032309 1032445 1032538 1032660 1032680 1033238 1033238 1033855 1034563 1034565 1035062 1035371 1035386 1035445 1035818 1036304 1036659 1036736 1036873 1036873 1037120 1037120 1037396 1037824 1037930 1038189 1038194 1038444 1038865 1038865 1038984 1038984 1039063 1039063 1039064 1039064 1039066 1039066 1039069 1039069 1039099 1039099 1039276 1039357 1039661 1039661 1039941 1040043 1040153 1040153 1040258 1040258 1040614 1040614 1040800 1040942 1040942 1040968 1040968 1040968 1041764 1042326 1042392 1042781 1043059 1043218 1043237 1043333 1043333 1043580 1043615 1043758 1043758 1043900 1043900 1044095 1044107 1044175 1044337 1044840 1044887 1044894 1045092 1045290 1045290 1045384 1045472 1045628 1045735 1045735 1045735 1045943 1045987 1046173 1046173 1046268 1046417 1046607 1046659 1046750 1046750 1046853 1046853 1046858 1046858 1047008 1047178 1047233 1047236 1047240 1047247 1047379 1047785 1047785 1047937 1047964 1047965 1048315 1048510 1048605 1048605 1048645 1048679 1049344 1049825 1050152 1050467 1050767 1050943 1051042 1051465 1051626 1051643 1051644 1051791 1052261 1053137 1053188 1053409 1053595 1053671 1054028 1054088 1054171 1054671 1055446 1055641 1055825 1055920 1056058 1056126 1056127 1056127 1056128 1056128 1056129 1056129 1056131 1056131 1056132 1056132 1056136 1056136 1056437 1056449 1056450 1056995 1057150 1057188 1057452 1057634 1057640 1057662 1057721 1057724 1057900 1057974 1058695 1058722 1058783 1059065 1059723 1060653 1060738 1061384 1061667 1061876 1062303 1062561 1062591 1062592 1063051 1063249 1063269 1063675 1063824 1063910 1064397 1064455 1064455 1064455 1064569 1064580 1064583 1064999 1065083 1065274 1065276 1065363 1065448 1065448 1066156 1066242 1066422 1066500 1067312 1067605 1067891 1068251 1068565 1068565 1068588 1068708 1068967 1069222 1069226 1069468 1069934 1070209 1070428 1070431 1070431 1070851 1070878 1070905 1070958 
1071224 1071311 1071319 1071321 1071466 1071558 1071568 1071698 1071905 1071906 1072947 1072947 1073231 1073313 1073879 1073990 1074254 1074293 1074293 1074621 1074687 1075449 1075724 1075743 1075801 1075804 1075978 1076192 1076308 1076415 1076696 1076810 1076832 1076909 1077001 1077635 1077692 1077787 1077787 1077925 1077993 1078358 1078662 1078662 1078806 1078813 1079036 1079334 1079991 1080078 1080382 1080740 1080740 1081170 1081294 1081556 1081725 1082004 1082216 1082216 1082216 1082233 1082233 1082233 1082234 1082234 1082234 1082318 1082485 1082485 1083158 1083290 1083926 1083927 1083946 1084300 1084300 1084521 1084524 1084532 1084626 1084812 1084812 1084842 1085062 1085432 1086247 1086602 1086690 1086785 1086825 1087102 1087323 1087550 1087550 1087930 1088052 1088279 1088601 1088705 1088769 1088890 1088921 1089039 1089533 1089640 1089761 1089761 1089884 1090765 1090766 1090766 1090766 1090785 1090944 1091265 1091624 1091677 1092098 1092100 1092100 1092413 1092640 1092640 1093753 1093851 1094121 1094150 1094154 1094161 1094222 1095096 1095148 1096282 1096282 1096282 1096718 1096718 1096745 1096803 1097158 1097410 1097410 1097410 1097624 1097665 1098592 1099310 1099310 1099310 1099452 1099847 1099982 1100028 1101040 1101246 1101349 1101470 1101591 1102046 1102429 1102564 1103910 1104789 1105031 1105166 1105236 1106019 1106197 1106914 1106923 1107430 1107640 1107941 1108835 1109197 1109252 1109877 1110445 1110661 1111251 1111278 1111965 1112024 1112209 1112758 1112858 1113083 1113100 1113117 1113125 1113534 1113632 1113652 1113660 1113665 1113742 1114981 1115518 1115929 1117355 1119971 1120323 1120489 1121450 360993 408814 556664 658010 661410 675317 825385 829717 830805 874665 888308 889138 889990 892431 894610 896202 896435 897422 898003 899524 899871 900275 900276 901202 901845 901924 902364 902367 903543 905483 906574 906574 906803 906858 907074 907456 908128 908516 909418 910252 910252 910253 910253 911228 911363 911662 912229 912715 912922 913209 913650 
913651 915402 915846 917152 917169 918089 918090 918346 919274 920057 920057 920386 921070 922534 923241 924525 924687 924960 924960 926412 926826 927556 927607 927608 927746 927993 928292 928533 928740 929919 930176 931932 932232 932894 933029 933288 933288 933336 933878 933878 934333 934689 934920 936050 936227 936227 936676 937823 938343 938657 939392 939460 940315 942865 942865 943457 943457 944903 945340 945842 945899 952151 952347 953130 953532 953659 953807 953831 954002 954661 955382 955753 955770 957566 957566 957567 957567 957598 957598 957600 957600 958369 958562 959693 960273 960820 960837 960837 961964 962765 962983 962996 963290 963448 963942 964063 964468 965322 965780 965902 966220 967026 967082 967728 967838 968771 969569 970260 970882 971741 971741 972127 972127 972331 974691 978055 979261 979436 979441 979629 979906 980391 980486 981114 981616 982303 982303 983206 983215 983216 983754 984906 984958 986216 986216 986783 986935 987887 988311 989788 989831 990189 990190 990191 990538 991389 991390 991391 991443 991746 991901 992966 994157 994794 995936 996511 997043 997420 997682 998760 998893 998906 999735 999878 CVE-2012-6702 CVE-2013-6435 CVE-2014-3591 CVE-2014-3707 CVE-2014-3710 CVE-2014-8116 CVE-2014-8116 CVE-2014-8117 CVE-2014-8117 CVE-2014-8118 CVE-2014-8150 CVE-2014-8964 CVE-2014-8964 CVE-2014-9087 CVE-2014-9112 CVE-2014-9447 CVE-2014-9620 CVE-2014-9621 CVE-2014-9653 CVE-2015-0247 CVE-2015-0837 CVE-2015-1283 CVE-2015-1572 CVE-2015-1606 CVE-2015-1607 CVE-2015-1782 CVE-2015-2059 CVE-2015-2325 CVE-2015-2325 CVE-2015-2327 CVE-2015-2327 CVE-2015-2328 CVE-2015-2328 CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148 CVE-2015-3153 CVE-2015-3210 CVE-2015-3210 CVE-2015-3217 CVE-2015-3217 CVE-2015-3238 CVE-2015-5073 CVE-2015-5073 CVE-2015-5276 CVE-2015-7511 CVE-2015-8380 CVE-2015-8380 CVE-2015-8381 CVE-2015-8381 CVE-2015-8382 CVE-2015-8382 CVE-2015-8383 CVE-2015-8383 CVE-2015-8384 CVE-2015-8384 CVE-2015-8385 CVE-2015-8385 CVE-2015-8386 
CVE-2015-8386 CVE-2015-8387 CVE-2015-8387 CVE-2015-8388 CVE-2015-8388 CVE-2015-8389 CVE-2015-8389 CVE-2015-8390 CVE-2015-8390 CVE-2015-8391 CVE-2015-8391 CVE-2015-8392 CVE-2015-8392 CVE-2015-8393 CVE-2015-8393 CVE-2015-8394 CVE-2015-8394 CVE-2015-8395 CVE-2015-8395 CVE-2015-8853 CVE-2015-8948 CVE-2016-0634 CVE-2016-0718 CVE-2016-0755 CVE-2016-0787 CVE-2016-10156 CVE-2016-1238 CVE-2016-1283 CVE-2016-1283 CVE-2016-1839 CVE-2016-2037 CVE-2016-2381 CVE-2016-3191 CVE-2016-3191 CVE-2016-4574 CVE-2016-4579 CVE-2016-4658 CVE-2016-5131 CVE-2016-5300 CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 CVE-2016-6185 CVE-2016-6252 CVE-2016-6252 CVE-2016-6252 CVE-2016-6261 CVE-2016-6262 CVE-2016-6263 CVE-2016-6313 CVE-2016-6318 CVE-2016-7055 CVE-2016-7141 CVE-2016-7167 CVE-2016-7543 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-9063 CVE-2016-9318 CVE-2016-9401 CVE-2016-9586 CVE-2016-9597 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 CVE-2017-0663 CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254 CVE-2017-1000257 CVE-2017-1000366 CVE-2017-1000408 CVE-2017-1000409 CVE-2017-10684 CVE-2017-10684 CVE-2017-10685 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-11462 CVE-2017-12132 CVE-2017-12133 CVE-2017-12424 CVE-2017-12837 CVE-2017-12883 CVE-2017-13728 CVE-2017-13728 CVE-2017-13729 CVE-2017-13729 CVE-2017-13730 CVE-2017-13730 CVE-2017-13731 CVE-2017-13731 CVE-2017-13732 CVE-2017-13732 CVE-2017-13733 CVE-2017-13733 CVE-2017-13734 CVE-2017-14062 CVE-2017-15088 CVE-2017-15412 CVE-2017-15670 CVE-2017-15671 CVE-2017-15804 CVE-2017-15908 CVE-2017-16997 CVE-2017-17740 CVE-2017-18078 CVE-2017-18258 CVE-2017-18269 CVE-2017-3731 CVE-2017-3732 CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 CVE-2017-5130 CVE-2017-5969 CVE-2017-6512 CVE-2017-7375 CVE-2017-7376 CVE-2017-7407 CVE-2017-7435 CVE-2017-7436 CVE-2017-7436 CVE-2017-7500 CVE-2017-7500 CVE-2017-7501 CVE-2017-7501 
CVE-2017-7526 CVE-2017-7555 CVE-2017-8804 CVE-2017-8816 CVE-2017-8817 CVE-2017-8872 CVE-2017-9047 CVE-2017-9047 CVE-2017-9048 CVE-2017-9048 CVE-2017-9049 CVE-2017-9049 CVE-2017-9050 CVE-2017-9050 CVE-2017-9217 CVE-2017-9217 CVE-2017-9233 CVE-2017-9269 CVE-2017-9269 CVE-2017-9287 CVE-2017-9445 CVE-2017-9445 CVE-2017-9526 CVE-2018-0495 CVE-2018-0495 CVE-2018-0495 CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-0739 CVE-2018-1000001 CVE-2018-1000001 CVE-2018-1000007 CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000301 CVE-2018-1049 CVE-2018-1122 CVE-2018-1122 CVE-2018-1123 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1124 CVE-2018-1125 CVE-2018-1125 CVE-2018-1126 CVE-2018-1126 CVE-2018-12015 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-19211 CVE-2018-20217 CVE-2018-5407 CVE-2018-5729 CVE-2018-5730 CVE-2018-6003 CVE-2018-6485 CVE-2018-6551 CVE-2018-6797 CVE-2018-6797 CVE-2018-6797 CVE-2018-6798 CVE-2018-6798 CVE-2018-6798 CVE-2018-6913 CVE-2018-6913 CVE-2018-6913 CVE-2018-7169 CVE-2018-7685 CVE-2018-7738 CVE-2018-7738 CVE-2018-9251

-----------------------------------------------------------------
The container caasp/v4/pause was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released:    Tue Nov 4 16:29:29 2014
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    moderate
References:  901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released:    Thu Nov 6 06:23:15 2014
Summary:     Recommended update for gcc48
Type:        recommended
Severity:    moderate
References:  899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released:    Fri Nov 28 10:20:32 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:

- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issue was fixed:

- Correctly identify GDBM files created by libgdbm4 (bnc#888308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released:    Tue Dec 2 18:17:57 2014
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:

- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released:    Thu Dec 11 09:25:27 2014
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:

- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released:    Fri Dec 19 20:16:00 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:

- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released:    Mon Jan 12 11:37:43 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:

- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released:    Thu Jan 15 18:35:11 2015
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:

- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with spaces.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released:    Thu Jan 15 23:21:45 2015
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released:    Fri Jan 30 15:01:03 2015
Summary:     Security update for elfutils
Type:        security
Severity:    moderate
References:  911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:

- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released:    Tue Feb 3 14:51:17 2015
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  913209
Description:
curl was updated to fix problems when operating in FIPS mode. This patch re-enables the following methods:

- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released:    Tue Feb 3 16:30:16 2015
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  912922
Description:
This update for pam fixes updating of NIS passwords.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released:    Tue Mar 10 09:01:41 2015
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer overread and to a crash of the application using libssh2_org.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released:    Wed Mar 18 18:21:44 2015
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  901202,908516
Description:
This update for procps provides the following fixes:

- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released:    Wed Apr 29 19:05:01 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.

The following vulnerabilities were fixed:

* CVE-2015-3143: curl could re-use NTLM authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of bounds
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released:    Thu Jun 11 15:46:59 2015
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:

* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Type: security
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Type: recommended
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements. It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Type: optional
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.
Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.
This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes. The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* Various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).
The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. IBM zSeries z13 hardware support has also been added to gdb. (fate#318039)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:
Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)
Bugfixes:
* Don't drop privileges when locking secure memory (bsc#938343)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Type: recommended
Severity: low
References: 933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Type: recommended
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-UTF-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Type: security
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out-of-bounds read and a stack overflow (bsc#926826).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Type: recommended
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released: Fri Jan 8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type: recommended
Severity: moderate
References: 932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.
The various GNOME libraries and tools have been changed to use the default libgcrypt allocators.
GNOME keyring was changed not to use MD5 anymore.
libgcrypt was adjusted to free the DRBG on exit to avoid crashes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released: Thu Feb 4 15:51:22 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:
- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)
The following non-security bugs were fixed:
- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time
The following tracked bugs only affect the test suite:
- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released: Thu Mar 3 15:58:18 2016
Summary: Recommended update for insserv-compat
Type: recommended
Severity: low
References: 960820
Description:
This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Type: security
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:
Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.
A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)
Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Type: recommended
Severity: low
References: 967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released: Fri Apr 1 18:44:16 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released: Wed Apr 6 16:26:42 2016
Summary: Security update for gcc5
Type: security
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.
The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)
The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods.
(bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue. This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Type: recommended
Severity: low
References: 970260
Description:
This update for bzip2 fixes the following issues:
- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Type: recommended
Severity: important
References: 974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released: Thu May 19 22:38:01 2016
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 915846
Description:
This update for curl fixes the following issue:
- Fix 'Network is unreachable' error when IPv6 is not available but IPv4 is. This fixes the same error in applications using libcurl4 (like zypper).
(bsc#915846)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 979629
Description:
This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing fips pattern (bsc#979629)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released: Tue Jun 7 09:48:12 2016
Summary: Security update for expat
Type: security
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:
Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released: Tue Jun 7 10:58:37 2016
Summary: Security update for libksba
Type: security
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: Two OOB read access bugs (remote DoS) (bsc#979261)
Also adding reliability fixes from v1.3.4.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 981616
Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4.
(bsc#981616)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released: Thu Jul 7 11:50:47 2016
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 986935
Description:
This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch.
(bsc#953532)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Type: security
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8 (bsc#990191)
- CVE-2015-2059: Out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Type: security
Severity: moderate
References: 992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Type: security
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad UTF-8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger.
(bsc#932894)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Type: optional
Severity: low
References: 983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.
Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.
Generic Optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit, which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.
C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.
C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.
C++ improvements:
- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.
libstdc++ improvements:
- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS.
  The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit.
Fortran improvements:
- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.
Architecture improvements:
- AArch64 received a lot of improvements.
IA-32/x86-64 improvements:
- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls.
  These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.
PowerPC / PowerPC64 / RS6000 improvements:
- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
  - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
  - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
  - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
  - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
  - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
  - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
  - -mpower9-minmax: Reserved for future development.
  - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.
S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension.
  This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance, e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible with the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: Use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)
Also the following bug was fixed:
- Fixing a performance issue (bsc#991746)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released: Wed Nov 2 12:07:51 2016
Summary: Security update for curl
Type: security
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: Invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: Glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: Double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: Double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: Case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: Cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: Escape and unescape integer overflows (bsc#998760)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released: Mon Nov 7 20:01:31 2016
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1002975
Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1006469,958369,979436
Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server.
(bsc#958369) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1744-1 Released: Fri Dec 2 11:42:41 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively, please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288). - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598). - CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598). - CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c (PCRE) and pcre2_compile.c (PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1782-1 Released: Fri Dec 9 13:35:02 2016 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1001790,1004289,1005404,1006372,1006690,989831,991443 Description: This update for systemd provides the following fixes: - Allow to redirect confirmation messages to a different console. (bsc#1006690) - Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831) - Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289) - Don't emit space usage message right after opening the persistent journal. (bsc#991443) - Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload.
(bsc#1006372) - Document that *KeyIgnoreInhibited only apply to a subset of locks. - Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404) - Revert 'kbd-model-map: add more mappings offered by Yast'. - Don't busy loop when we get a notification message we can't process. - Rename kbd-model-map-extra into kbd-model-map.legacy. - Add kbd-model-map-extra file which contains the additional maps needed by YaST. - Drop localfs.service: unused and not needed anymore. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1827-1 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively, please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288). - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598). - CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598). - CVE-2015-8393: Information leak when running pcregrep -q on a crafted binary (bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c (PCRE) and pcre2_compile.c (PCRE2) mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1863-1 Released: Wed Dec 21 10:41:35 2016 Summary: Recommended update for pth Type: recommended Severity: low References: 1013286 Description: This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.
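Every entry in this changelog follows the same record layout: a dashed separator, then Advisory ID, Released, Summary, Type, Severity and References header lines, then a Description block. The Python below is an added example, not SUSE tooling, that parses that layout and answers the question a patch-management script actually asks ("which advisory fixed CVE-X, at what severity?"). It assumes the line-oriented form of the records (one "Field: value" per line, as rpm/zypper changelogs emit them) rather than the flattened form seen on this page, and its sample input is constructed from two abbreviated entries of this changelog.

```python
"""Parser for the SUSE advisory/changelog record format used on this page.

Added example (not SUSE tooling).  Assumes the line-oriented form of the
records: one "Field: value" per line, "Description:" followed by free text,
records separated by a line of dashes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SEPARATOR_RE = re.compile(r"^-{20,}$")
FIELD_RE = re.compile(r"^(Advisory ID|Released|Summary|Type|Severity|References):\s*(.*)$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
BUG_RE = re.compile(r"\b(?:bsc|bnc)#(\d+)\b")


@dataclass
class Advisory:
    advisory_id: str = ""
    released: str = ""
    summary: str = ""
    update_type: str = ""
    severity: str = ""
    references: List[str] = field(default_factory=list)
    description: str = ""

    def cves(self) -> List[str]:
        """CVE ids named either in References or in the description text."""
        text = " ".join(self.references) + " " + self.description
        return sorted(set(CVE_RE.findall(text)))

    def bugzilla_ids(self) -> List[str]:
        """Bugzilla numbers: bare numeric References plus bsc#/bnc# mentions."""
        ids = {r for r in self.references if r.isdigit()}
        ids.update(BUG_RE.findall(self.description))
        return sorted(ids)


def parse_advisories(text: str) -> List[Advisory]:
    records: List[Advisory] = []
    current: Optional[Advisory] = None
    in_description = False
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR_RE.match(line):
            current, in_description = None, False   # record boundary
            continue
        if current is None:
            if not line:
                continue                            # blank lines between records
            current = Advisory()
            records.append(current)
        if in_description:
            current.description += line + "\n"      # free text runs to next separator
            continue
        if line.startswith("Description:"):
            in_description = True
            current.description = line[len("Description:"):].strip() + "\n"
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                                # tolerate unknown header lines
        key, value = m.group(1), m.group(2).strip()
        if key == "Advisory ID":
            current.advisory_id = value
        elif key == "Released":
            current.released = value
        elif key == "Summary":
            current.summary = value
        elif key == "Type":
            current.update_type = value
        elif key == "Severity":
            current.severity = value
        elif key == "References":
            current.references = [r.strip() for r in value.split(",") if r.strip()]
    for a in records:
        a.description = a.description.strip()
    return records


def advisories_fixing(records: List[Advisory], cve: str) -> List[str]:
    """Advisory ids whose record names the CVE (case-insensitive lookup)."""
    cve = cve.upper()
    return [a.advisory_id for a in records if cve in a.cves()]


def cve_index(records: List[Advisory]) -> Dict[str, str]:
    """CVE -> severity of the first advisory that names it."""
    index: Dict[str, str] = {}
    for a in records:
        for c in a.cves():
            index.setdefault(c, a.severity)
    return index


# Constructed sample: two abbreviated records copied from this changelog.
SAMPLE = """\
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released: Fri Feb 10 15:39:32 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1009528,1022085,1022086,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues:
- CVE-2016-7055: The x86_64 optimized montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfilesd files right away and not just during reboot (bsc#1019276)
"""

if __name__ == "__main__":
    recs = parse_advisories(SAMPLE)
    for a in recs:
        print(a.advisory_id, a.update_type, a.severity, a.cves(), a.bugzilla_ids())
    print(advisories_fixing(recs, "cve-2017-3732"))
```

On a SUSE host the same parser can be fed `rpm -q --changelog <pkg>` output, and `cve_index` gives a quick "is this CVE named anywhere in what is installed" check; note that it only proves the advisory was applied, not that a given binary was restarted afterwards.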
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2-1 Released: Mon Jan 2 08:35:08 2017 Summary: Security update for zlib Type: security Severity: moderate References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843 Description: This update for zlib fixes the following issues: - CVE-2016-9843: Big-endian out-of-bounds pointer - CVE-2016-9842: Undefined left shift of negative number (bsc#1003580) - CVE-2016-9840, CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579) - Incompatible declarations for external linkage function deflate (bsc#1003577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:6-1 Released: Tue Jan 3 15:01:58 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538 Description: This update for systemd fixes the following issues: - core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340) - fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989) - coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591) - Ship kbd-model-map with the correct contents. (bsc#1015515) - rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538) - tmpfiles: Don't skip path_set_perms on error. (bsc#953807) - nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390) - systemctl: Fix 'is-enabled' exit status on failure when executed in chroot.
(bsc#1012818) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:32-1 Released: Mon Jan 9 11:50:42 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 994794 Description: This update for dirmngr enables support for daemon mode. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:47-1 Released: Wed Jan 11 11:42:43 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1018214,1018399 Description: This update for systemd fixes the following two issues: - A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399) - Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:98-1 Released: Thu Jan 19 10:17:55 2017 Summary: Recommended update for kmod Type: recommended Severity: low References: 998906 Description: This update for kmod fixes a rare race condition while loading modules. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:149-1 Released: Wed Jan 25 09:17:08 2017 Summary: Security update for systemd Type: security Severity: important References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156 Description: This update for systemd fixes the following issues: This security issue was fixed: - CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601). 
These non-security issues were fixed: - Fix permission set on /var/lib/systemd/linger/* - install: follow config_path symlink (#3362) - install: fix disable when /etc/systemd/system is a symlink (bsc#1014560) - run: make --slice= work in conjunction with --scope (bsc#1014566) - core: don't dispatch load queue when setting Slice= for transient units - systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266) - rule: don't automatically online standby memory on s390x (bsc#997682) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:185-1 Released: Thu Feb 2 18:22:37 2017 Summary: Security update for cpio Type: security Severity: moderate References: 1020108,963448,CVE-2016-2037 Description: This update for cpio fixes two issues. This security issue was fixed: - CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448). This non-security issue was fixed: - bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:192-1 Released: Fri Feb 3 18:46:05 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597 Description: This update for libxml2 fixes the following issues: * CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544] * Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873] * CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497). For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. 
Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:209-1 Released: Tue Feb 7 17:00:47 2017 Summary: Recommended update for libseccomp Type: recommended Severity: low References: 1019900 Description: This update provides libseccomp version 2.3.1 which fixes the following issues: - Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900) - Fixed problems with ipc syscalls on 32-bit x86 - Fixed problems with socket and ipc syscalls on s390 and s390x ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:212-1 Released: Wed Feb 8 13:07:24 2017 Summary: Security update for expat Type: security Severity: moderate References: 983215,983216,CVE-2012-6702,CVE-2016-5300 Description: This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. 
(bsc#983216) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:228-1 Released: Fri Feb 10 15:39:32 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732 Description: This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641). Security issues fixed: - CVE-2016-7055: The x86_64 optimized Montgomery multiplication may produce incorrect results (bsc#1009528) - CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085) - CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086) - Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912) Non-security issues fixed: - fix crash in openssl speed (bsc#1000677) - fix X509_CERT_FILE path (bsc#1022271) - AES XTS key parts must not be identical in FIPS mode (bsc#1019637) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:261-1 Released: Mon Feb 20 11:00:28 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1019276 Description: This update for dirmngr fixes the following issues: - Properly initialize the dirmngr tmpfilesd files right away and not just during reboot - Own the /usr/lib/tmpfiles.d/ directory, as older systemd versions need it (bsc#1019276) - Properly require logrotate, as we need it for the dirmngr configs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:365-1 Released: Fri Mar 10 15:16:59 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1006175 Description: This update for sg3_utils fixes the following issue: - Add udev rules to handle legacy CCISS devices (bsc#1006175) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:389-1 Released: Thu Mar 
16 14:16:43 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004094,1006687,1019470,1022014,1022047,1025598,995936 Description: This update for systemd provides the following fixes: - core: Fix memory leak in transient units. (bsc#1025598) - core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687) - sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014) - journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094) - core: Downgrade warning about duplicate device names. (bsc#1022047) - units: Remove no longer needed ldconfig service. (bsc#1019470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:439-1 Released: Tue Mar 21 10:48:47 2017 Summary: Recommended update for netcfg Type: recommended Severity: low References: 1028305,959693 Description: This update for netcfg provides the following fixes: - Update script to generate services to use UTF8 by default. (bsc#1028305) - Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:462-1 Released: Fri Mar 24 21:58:07 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1012973,1015943,1017034,1023283,1025560,1025630 Description: This update for lvm2 fixes the following issues: - Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630) - Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560) - Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034) - Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973) - Add systemd_requires to device-mapper package. 
(bsc#1015943) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:464-1 Released: Mon Mar 27 15:50:51 2017 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1007851,1029725,1029900 Description: This update for glibc fixes a potential segmentation fault in libpthread: - Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:580-1 Released: Wed Apr 12 23:58:47 2017 Summary: Recommended update for cpio Type: recommended Severity: important References: 1028410 Description: This update for cpio fixes the following issues: - A regression caused cpio to crash for tar and ustar archive types [bsc#1028410] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:609-1 Released: Tue Apr 18 11:28:14 2017 Summary: Security update for curl Type: security Severity: moderate References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332) - CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309). With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:732-1 Released: Wed May 10 14:03:43 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1030621 Description: This update for procps fixes the following issues: - Command w(1) with option -n doesn't work.
(bsc#1030621) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:735-1 Released: Wed May 10 15:43:46 2017 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1036736,986783 Description: This update for gpg2 provides the following fixes: - Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736) - Initialize the trustdb before import attempt. (bsc#986783) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:751-1 Released: Thu May 11 17:14:30 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770 Description: This update for systemd provides the following fixes: - logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355) - importd: Support SUSE style checksums. (fate#322054) - journal: Don't remove leading spaces. (bsc#1033855) - Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565) - hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220) - logind: Restart logind on package update only on SLE12 distros. (bsc#1032660) - core: Treat masked files as 'unchanged'. (bsc#1032538) - units: Move Before deps for quota services to remote-fs.target. (bsc#1028263) - udev: Support predictable ifnames on vio buses. (bsc#1029183) - udev: Add a persistent rule for ibmvnic devices. (bsc#1029183) - units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398) - core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610) - vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691) - udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886) - Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. 
(bsc#1030290) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:794-1 Released: Tue May 16 15:41:09 2017 Summary: Security update for bash Type: security Severity: moderate References: 1010845,1035371,CVE-2016-9401 Description: This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd builtin (CVE-2016-9401) now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:799-1 Released: Wed May 17 00:21:13 2017 Summary: Recommended update for glibc Type: recommended Severity: low References: 1026224,1035445 Description: This update for glibc introduces basic support for IBM POWER9 systems. Additionally, an improper assert in dlclose() has been removed. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:865-1 Released: Wed May 24 16:23:20 2017 Summary: Security update for pam Type: security Severity: moderate References: 1015565,1037824,934920,CVE-2015-3238 Description: This update for pam fixes the following issues: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - If /etc/nologin is present but empty, log a hint to syslog (bsc#1015565). - Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:873-1 Released: Fri May 26 16:19:47 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1009532,960273 Description: This update for e2fsprogs provides the following fixes: - Fix 32/64-bit overflow when multiplying by blocks/clusters per group.
This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532) - Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:877-1 Released: Mon May 29 15:11:48 2017 Summary: Recommended update for cryptsetup Type: recommended Severity: low References: 1031998 Description: This update for cryptsetup provides the following fix: - Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:891-1 Released: Tue May 30 22:28:21 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following issues: - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064) - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066) - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661) - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:907-1 Released: Thu Jun 1 14:23:36 2017 Summary: Recommended update for shadow Type: recommended Severity: low References: 1003978,1031643 Description: This update for shadow fixes the following issues: - Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643) - useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID was iterated to find an available UID/GID. 
This could take a long time over a network device. Instead, find an available UID/GID locally, and then check only those values over the network. (bsc#1003978) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:918-1 Released: Tue Jun 6 12:35:44 2017 Summary: Recommended update for libsemanage, selinux-policy Type: recommended Severity: moderate References: 1020143,1032445,1035818,1038189 Description: This update for libsemanage, selinux-policy fixes the following issues: - Limit to policy version 29 by default. - Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:939-1 Released: Mon Jun 12 10:56:22 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 Description: This update for libxml2 fixes the following security issues: * CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661) * CVE-2017-9049: A heap-based buffer over-read in xmlDictComputeFastKey (bsc#1039066) * CVE-2017-9048: A stack-based buffer overflow in xmlSnprintfElementContent (bsc#1039063) * CVE-2017-9047: A stack-based buffer overflow in xmlSnprintfElementContent (bsc#1039064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:959-1 Released: Wed Jun 14 14:38:11 2017 Summary: Recommended update for gcc5 Type: recommended Severity: low References: 1043580 Description: This update for gcc5 fixes the version of libffi in its pkg-config configuration file.
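The libxml2 advisory SUSE-SU-2017:192-1 above leaves the CVE-2016-9318 XXE hardening to the application ("take appropriate actions if you parse untrusted XML files") and fixes CVE-2016-9597, where a deeply nested document exhausts the stack. The following Python is an added example, not libxml2 or SUSE code, of what those two actions look like in application code: it uses Python's expat-based stdlib SAX reader (not libxml2) to refuse external entity resolution and to cap element nesting. The MAX_DEPTH budget is an assumption, and both payloads are constructed. For libxml2 itself the equivalent knobs are not passing XML_PARSE_NOENT or XML_PARSE_DTDLOAD and passing XML_PARSE_NONET (or SUSE's XML_PARSE_NOXXE where available).

```python
"""Hardened parsing of untrusted XML: no external entities, bounded nesting.

Added example, not libxml2 or SUSE code.  Uses Python's expat-based stdlib
SAX reader; MAX_DEPTH is an assumed budget; payloads are constructed.
"""
import io
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

MAX_DEPTH = 256   # assumed budget: pick one your real documents never exceed

# Constructed XXE payload: an external general entity pointing at a local file.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<note><to>ops</to><body>&xxe;</body></note>
"""


def nested_payload(depth: int) -> bytes:
    """Constructed document with `depth` nested <a> elements around one char."""
    return b"<a>" * depth + b"x" + b"</a>" * depth


class BoundedTextCollector(ContentHandler):
    """Collects character data and aborts once nesting exceeds MAX_DEPTH."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks = []
        self.depth = 0

    def startElement(self, name, attrs):
        self.depth += 1
        if self.depth > MAX_DEPTH:
            # Raised inside the callback: propagates out of parser.parse()
            raise xml.sax.SAXException(f"element nesting deeper than {MAX_DEPTH}")

    def endElement(self, name):
        self.depth -= 1

    def characters(self, content):
        self.chunks.append(content)


def parse_untrusted(data: bytes, resolve_external: bool = False) -> str:
    """Return the document's character data.

    With resolve_external=False (the safe default) a reference to an external
    entity yields nothing instead of the file's contents.  True reproduces the
    XXE behaviour and exists only to show which knob matters; never use it on
    untrusted input.
    """
    parser = xml.sax.make_parser()
    # External general entities (&xxe; -> file://, http://, ...)
    parser.setFeature(handler.feature_external_ges, resolve_external)
    # External parameter entities / external DTD subset
    parser.setFeature(handler.feature_external_pes, resolve_external)
    collector = BoundedTextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.chunks)


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted(data)
    except xml.sax.SAXException:
        return True
    return False


if __name__ == "__main__":
    print(repr(parse_untrusted(XXE_PAYLOAD)))          # 'ops': the file is never read
    print(is_rejected(nested_payload(MAX_DEPTH + 1)))  # True
```

The entity reference is not an error with external resolution off: the reader's external-entity callback simply returns success without parsing anything, so `&xxe;` contributes no text. That is the behaviour to test for in your own parser configuration, since a library upgrade can silently change the default.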
----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:962-1 Released: Wed Jun 14 16:33:07 2017 Summary: Security update for openldap2 Type: security Severity: moderate References: 1009470,1037396,1041764,972331,CVE-2017-9287 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764) Non security bugs fixed: - Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470) - Fix an uninitialised variable that causes startup failure (bsc#1037396) - Fix an issue with transaction management that can cause server crash (bsc#972331) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:985-1 Released: Mon Jun 19 14:57:41 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1042326,931932,CVE-2017-9526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326) - Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:990-1 Released: Mon Jun 19 17:19:44 2017 Summary: Security update for glibc Type: security Severity: important References: 1039357,1040043,CVE-2017-1000366 Description: This update for glibc fixes the following issues: - CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357] - A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. 
[bsc#1040043] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1033-1 Released: Fri Jun 23 16:38:55 2017 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1038194 Description: This update for e2fsprogs provides the following fixes: - Don't ignore fsync errors in libext2fs. (bsc#1038194) - Fix fsync(2) detection in libext2fs. (bsc#1038194) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1036-1 Released: Mon Jun 26 08:12:24 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969 Description: This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337) * CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1040-1 Released: Mon Jun 26 13:22:26 2017 Summary: Recommended update for libsemanage, policycoreutils Type: recommended Severity: low References: 1043237 Description: This update for libsemanage, policycoreutils fixes the following issue: - Show version numbers of modules where they are available (bsc#1043237) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1082-1 Released: Fri Jun 30 10:54:06 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1045943 Description: This update for dirmngr provides the following fix: - Change logrotate from Requires to Recommends (bsc#1045943) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1086-1 Released: Fri Jun 30 15:36:17 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376 Description: This update for libxml2 fixes the following 
issues: Security issues fixed: * CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887) * CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1104-1 Released: Tue Jul 4 16:13:55 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217 Description: This update for systemd fixes the following issues: Security issue fixed: - CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: 
Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. - Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1116-1 Released: Thu Jul 6 11:37:18 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1046607,CVE-2017-7526 Description: This update for libgcrypt fixes the following issues: - CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1119-1 Released: Fri Jul 7 11:23:20 2017 Summary: Recommended update for ncurses Type: security Severity: important References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858) - CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. 
(bsc#1046853) Bugfixes: - Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does not need it anymore and as well as it causes bug bsc#1000662 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1160-1 Released: Fri Jul 14 17:20:26 2017 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1031702 Description: This update for openldap2 provides the following fix: - Fix a regression in handling of non-blocking connection (bsc#1031702) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1174-1 Released: Wed Jul 19 11:12:51 2017 Summary: Security update for systemd, dracut Type: security Severity: important References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445 Description: This update for systemd and dracut fixes the following issues: Security issues fixed: - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290) Non-security issues fixed in systemd: - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) Non-security issues fixed in dracut: - Bail out if module directory does not exist. (bsc#1043900) - Suppress bogus error message. (bsc#1032029) - Fix module force loading with systemd. (bsc#986216) - Ship udev files required by systemd. (bsc#1040153) - Ignore module resolution errors (e.g. with kgraft). 
(bsc#1037120) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1222-1 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1034563,1039941 Description: This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1245-1 Released: Thu Aug 3 10:43:15 2017 Summary: Security update for systemd Type: security Severity: moderate References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445 Description: This update for systemd provides several fixes and enhancements. Security issues fixed: - CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614) - CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. 
(bsc#1045290) The update also fixed several non-security bugs: - core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount - automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942) - automount: Rework propagation between automount and mount units - build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary - build: Fix systemd-journal-upload installation - basic: Detect XEN Dom0 as no virtualization (bsc#1036873) - virt: Make sure some errors are not ignored - fstab-generator: Do not skip Before= ordering for noauto mountpoints - fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995) - fstab-generator: Apply the _netdev option also to device units (bsc#1004995) - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995) - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995) - rules: Export NVMe WWID udev attribute (bsc#1038865) - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives - rules: Add rules for NVMe devices - sysusers: Make group shadow support configurable (bsc#1029516) - core: When deserializing a unit, fully restore its cgroup state (bsc#1029102) - core: Introduce cg_mask_from_string()/cg_mask_to_string() - core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258) - Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files. 
- Disable group shadow support (bsc#1029516) - Only check signature job error if signature job exists (bsc#1043758) - Automounter issue in combination with NFS volumes (bsc#1040968) - Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153) - Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1268-1 Released: Mon Aug 7 10:09:19 2017 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364 Description: This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation: - Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908) - Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175) - Fix x86 extended feature detection (bsc#1029523) - Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environmental variable (bsc#1028723) - s_client sent empty client certificate (bsc#1028281) Add back certificate initialization set_cert_key_stuff() which was removed in a previous update. - Fix a bug in XTS key handling (bsc#1019637) - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1279-1 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Type: security Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. 
(bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1316-1 Released: Thu Aug 10 13:54:27 2017 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1014471,1026825,1044840,938657 Description: This update for cyrus-sasl provides the following fixes: - Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize - Fix unknown authentication mechanism: kerberos5 (bsc#1026825) - Really use SASLAUTHD_PARAMS variable (bsc#938657) - Make sure /usr/sbin/rcsaslauthd exists - Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471) - Silence 'GSSAPI client step 1' debug log message (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1326-1 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Type: security Severity: low References: 1038444,CVE-2017-8872 Description: This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1330-1 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Type: recommended Severity: low References: 954661 Description: This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. 
(bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 Description: This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1334-1 Released: Tue Aug 15 20:09:03 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1048679,874665 Description: This update for systemd fixes the following issues: - compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679) - fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464) - timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1335-1 Released: Wed Aug 16 11:24:21 2017 Summary: Security update for curl Type: security Severity: moderate References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101 Description: This update for curl fixes the following issues: - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 Description: This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1349-1 Released: Fri Aug 18 12:31:07 2017 Summary: Recommended update for lua51 Type: recommended Severity: low References: 1051626 Description: This update for lua51 provides the following fixes: - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1390-1 Released: Fri Aug 25 15:14:27 2017 Summary: Security update for libzypp Type: security Severity: important References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984) - Fix gpg-pubkey release (creation time) computation. (bsc#1036659) - Update lsof blacklist. (bsc#1046417) - Re-probe on refresh if the repository type changes. (bsc#1048315) - Propagate proper error code to DownloadProgressReport. (bsc#1047785) - Allow to trigger an appdata refresh unconditionally. (bsc#1009745) - Support custom repo variables defined in /etc/zypp/vars.d. yast2-pkg-bindings: - Do not crash when the repository URL is not defined. 
(bsc#1043218) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1419-1 Released: Wed Aug 30 15:38:22 2017 Summary: Security update for expat Type: security Severity: moderate References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233 Description: This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1439-1 Released: Fri Sep 1 15:31:05 2017 Summary: Recommended update for systemd Type: recommended Severity: important References: 1045384,1045987,1046268,1047379,1048605 Description: This update for systemd fixes the following issues: - Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605) - compat-rules: drop the bogus 'import everything' rule (bsc#1046268) - core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379) - udev/path_id: introduce support for NVMe devices (bsc#1045987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1447-1 Released: Mon Sep 4 15:38:20 2017 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Adapt to work with GnuPG 2.1.23. (bsc#1054088) - Support signing with subkeys. (bsc#1008325) - Enhance sort order for media.1/products. (bsc#1054671) zypper: - Also show a gpg key's subkeys. (bsc#1008325) - Improve signature check callback messages. (bsc#1045735) - Add options to tune the GPG check settings. (bsc#1045735) - Adapt download callback to report and handle unsigned packages. 
(bsc#1038984, CVE-2017-7436) - Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1450-1 Released: Mon Sep 4 16:36:07 2017 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 1035062,944903 Description: This update for insserv-compat fixes the following issues: - Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062) - Fix directory argument parsing. (bsc#944903) - Add perl(Getopt::Long) to list of requirements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1453-1 Released: Mon Sep 4 21:23:50 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1043333,1046659,1047008 Description: This update for libgcrypt fixes the following issues: - libgcrypt stored an open file descriptor to the random device in a static variable between invocations. 
gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333) - Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659) * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer - fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659) - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1548-1 Released: Fri Sep 15 18:19:12 2017 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1005063,1009269,1012523,1025176,1050767,1050943 Description: This update for sg3_utils provides the following fixes: - Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176) - In case the VPD sysfs attributes are missing or cannot be accessed, fallback to use sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523) - Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063) - Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943) - Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767) - Make sure initrd is rebuilt on sg3_utils updates. 
(bsc#1009269) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1592-1 Released: Tue Sep 26 17:38:03 2017 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1028485,1045628,978055,998893,999878 Description: This update for lvm2 provides the following fixes: - Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485) - Try to refresh clvmd's device cache on the first failure. (bsc#978055) - Fix stale device cache in clvmd. (bsc#978055) - Warn if PV size in metadata is larger than disk device size. (bsc#999878) - Fix lvm2 activation issue when used on top of multipath. (bsc#998893) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1644-1 Released: Mon Oct 9 07:52:24 2017 Summary: Security update for krb5 Type: security Severity: moderate References: 1032680,1054028,1056995,903543,CVE-2017-11462 Description: This update for krb5 fixes several issues. This security issue was fixed: - CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995) These non-security issues were fixed: - Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028) - Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543) - Remove main package's dependency on systemd (bsc#1032680) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1663-1 Released: Tue Oct 10 12:05:09 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1043615,1046173 Description: This update for dbus-1 provides the following fixes: - Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. 
(bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1703-1 Released: Tue Oct 17 13:20:12 2017 Summary: Recommended update for audit Type: recommended Severity: low References: 1042781 Description: This update for audit provides the following fix: - Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1758-1 Released: Mon Oct 23 08:47:47 2017 Summary: Security update for curl Type: security Severity: moderate References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876) - CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824) Bugs fixed: - Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1796-1 Released: Fri Oct 27 21:25:06 2017 Summary: Recommended update for pcre Type: recommended Severity: moderate References: 1058722 Description: This update for pcre fixes the following issues: - Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining pcre match() function (bsc#1058722) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1797-1 Released: Sat Oct 28 12:06:19 2017 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1028304,1048645,1060738 Description: This update for permissions fixes the following issues: - Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. 
(bsc#1028304) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1826-1 Released: Wed Nov 8 08:47:17 2017 Summary: Security update for krb5 Type: security Severity: important References: 1065274,CVE-2017-15088 Description: This update for krb5 fixes the following issues: Security issues fixed: - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1829-1 Released: Wed Nov 8 08:50:00 2017 Summary: Security update for shadow Type: security Severity: moderate References: 1023895,1052261,980486,CVE-2017-12424 Description: This update for shadow fixes several issues. This security issue was fixed: - CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261). These non-security issues were fixed: - bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings - bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1881-1 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Type: security Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 Description: The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. 
(bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allowed remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)
Version update to file version 5.22
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present, print the interpreter name.
Version update to file version 5.21
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale; convert them to ascii format first.
* there was an out of bounds read in elf note reads
Version update to file version 5.20
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support
Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* The file command threw a 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against the Excel 97/2003 file format. (bsc#1009966)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1903-1
Released: Fri Nov 24 16:19:37 2017
Summary: Security update for perl
Type: security
Severity: moderate
References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)
Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1916-1
Released: Fri Nov 24 20:15:01 2017
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1043333,1059723
Description:
This update for libgcrypt provides the following fix:
- Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon. (bsc#1059723)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1917-1
Released: Mon Nov 27 13:32:07 2017
Summary: Optional update for gcc7
Type: recommended
Severity: low
References: 1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.
New features:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-nvptx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA card offload support.
The update also supplies gcc7-compatible libstdc++, libgcc_s1 and other GCC-derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 7, several bugs have been fixed, many new warnings have been added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1965-1
Released: Thu Nov 30 12:48:45 2017
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libsolv:
- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use the same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.
libzypp:
- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.
zypper:
- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fix 'add' commands to support setting only a subset of properties.
- Introduce '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1966-1
Released: Thu Nov 30 13:45:24 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249
Description:
This update for systemd fixes the following issues:
- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with the 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
- compat-rules: Allow specifying the generation number through the kernel command line.
- scsi_id: Fix up prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs check. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert the /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1968-1
Released: Thu Nov 30 19:49:33 2017
Summary: Recommended update for coreutils
Type: recommended
Severity: low
References: 1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:
- Fix df(1) to no longer interact with excluded file system types, so that for example specifying -x nfs no longer hangs with problematic NFS mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so that for example it no longer hangs with problematic NFS mounted via systemd.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1970-1
Released: Thu Nov 30 22:55:41 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAddressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2021-1
Released: Fri Dec 8 10:11:04 2017
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1070878,1070958
Description:
This update for file fixes detection of JPEG files.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2031-1
Released: Mon Dec 11 12:55:57 2017
Summary: Recommended update for gzip
Type: recommended
Severity: low
References: 1067891
Description:
This update for gzip provides the following fix:
- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2036-1
Released: Wed Dec 13 16:34:21 2017
Summary: Recommended update for util-linux
Type: recommended
Severity: low
References: 1039276,1040968,1055446,1066500
Description:
This update for util-linux provides the following fixes:
- Allow unmounting of filesystems without calling stat() on the mount point when '-c' is used. (bsc#1040968)
- Fix an infinite loop and a crash in lscpu, and report the correct minimum and maximum frequencies for some processors. (bsc#1055446)
- Fix an lscpu failure in the Sydney Amazon EC2 region. (bsc#1066500)
- If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2097-1
Released: Sat Dec 16 01:59:00 2017
Summary: Security update for openssl
Type: security
Severity: important
References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738
Description:
This update for openssl fixes the following issues:
- OpenSSL Security Advisory [07 Dec 2017]
  * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 'error state' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()); however, due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed directly from the SSL/TLS record layer without being decrypted/encrypted. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
  * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions, like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:2137-1
Released: Thu Dec 21 17:49:12 2017
Summary: Recommended update for dbus-1
Type: recommended
Severity: moderate
References: 1046173,1071698
Description:
This update for dbus-1 provides the following fixes:
- The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698)
- Remove calls to initscripts related macros from the spec file, as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:4-1
Released: Tue Jan 2 15:58:20 2018
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)
zypper:
- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:38-1
Released: Tue Jan 9 14:56:43 2018
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 1070209
Description:
This update for kmod provides the following fixes:
- Fix resolving .TOC. in modules on 4.4 and older kernels (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:55-1
Released: Fri Jan 12 09:45:49 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:
- A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader have been fixed.
[CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
- A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
- A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:86-1
Released: Wed Jan 17 09:38:17 2018
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:88-1
Released: Wed Jan 17 14:41:17 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:90-1
Released: Wed Jan 17 14:44:33 2018
Summary: Recommended update for lvm2
Type: recommended
Severity: low
References: 1063051,1067312
Description:
This update for lvm2 provides the following fixes:
- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages when testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd. (bsc#1067312)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:146-1
Released: Thu Jan 25 11:44:23 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1064397,1065083
Description:
This update for openldap2 provides the following fixes:
- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:149-1
Released: Thu Jan 25 13:38:37 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1077001,CVE-2018-1000007
Description:
This update for curl fixes one issue.
This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:209-1
Released: Tue Jan 30 10:53:43 2018
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.
These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:213-1
Released: Tue Jan 30 14:36:40 2018
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.
This security issue was fixed:
- CVE-2018-1049: Prevent a race that can lead to DoS when using automounts (bsc#1076308).
These non-security issues were fixed:
- core: don't choke if a unit that another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possession of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab. It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values from configuration files. (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:214-1
Released: Tue Jan 30 14:37:42 2018
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.
This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER-encoded structure, which allowed for DoS (bsc#1076832).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:276-1
Released: Thu Feb 8 17:47:43 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes one issue.
This security issue was fixed:
- CVE-2017-15412: Prevent a use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released: Mon Feb 12 11:50:39 2018
Summary: Recommended update for bash
Type: recommended
Severity: low
References: 1057452,1076909
Description:
This update for bash provides the following fixes:
- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released: Thu Feb 15 14:47:35 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485, CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)
Non-security bugs fixed:
- Release read lock after resetting timeout (bsc#1073990)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released: Mon Feb 26 16:34:46 2018
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:
Security issue fixed:
- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on. This could be used by local attackers to gain privileges (bsc#1077925)
Non-security issues fixed:
- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com
- Don't ship /usr/lib/systemd/system/tmp.mount at all (bsc#1071224). We still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Type: recommended
Severity: low
References: 1009905,1063910
Description:
This update for net-tools provides the following fix:
- netstat: fix handling of large socket numbers (bsc#1063910)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released: Fri Mar 9 14:05:22 2018
Summary: Security update for augeas
Type: security
Severity: low
References: 1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:
Security issue fixed:
- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mishandled by parse_name() (bsc#1054171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released: Fri Mar 9 18:02:14 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:
- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released: Mon Mar 12 13:13:55 2018
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:
- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed. (bsc#1081294)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released: Thu Mar 15 07:38:52 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:
- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released: Thu Mar 15 10:47:40 2018
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: low
References: 1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:
libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.
libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing of localized rpm output. (bsc#1076415)
zypper:
- Do not recommend cron, as it is not a direct dependency of zypper. (bsc#1079334)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released: Thu Mar 22 08:20:46 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:
The following security issues were fixed:
- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released: Thu Mar 29 14:02:08 2018
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:
Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).
Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective in the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released: Thu Apr 5 17:22:37 2018
Summary: Security update for libidn
Type: security
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.
This security issue was fixed:
- CVE-2017-14062: Prevent an integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released: Wed Apr 11 18:02:57 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. (bsc#1087102)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv and libzypp provides the following fixes:
Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)
Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to the CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released: Wed May 2 22:16:26 2018
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:
- Fix find-lang.sh to handle the special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros.
(bsc#1003714) - Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively. - Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'. - Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument. - Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:797-1 Released: Mon May 7 07:07:38 2018 Summary: Recommended update for gcc7 Type: recommended Severity: important References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930 Description: This update for gcc7 to 7.3 release fixes the following issues: - Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812). - The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946] - Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621] - Update includes a fix for chromium build failure. [bsc#1083290] - Various AArch64 compile fixes are included: * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419. * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930] * Enable --enable-fix-cortex-a53-835769 for aarch64. 
* Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667] * Fixed bogus stack probe instruction on ARM. [bsc#1068967] - Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550] - Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:939-1 Released: Thu May 17 08:41:30 2018 Summary: Security update for curl Type: security Severity: moderate References: 1086825,1092098,CVE-2018-1000301 Description: This update for curl fixes several issues: Security issues fixed: - CVE-2018-1000301: Fixed a RTSP bad headers buffer over-read could crash the curl client (bsc#1092098) Non security issues fixed: - If the DEFAULT_SUSE cipher list is not available use the HIGH cipher alias before failing. (bsc#1086825) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:974-1 Released: Wed May 23 16:46:50 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323 Description: This update for systemd provides the following fixes: - sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092) - sysusers: Also add support for NIS entries in /etc/shadow. - sysusers: Make sure to reset errno before calling fget*ent(). - coredump: Respect ulimit -c 0 settings. (bsc#1075804) - systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626) - systemctl: Don't mangle unit names in check_unit_generic(). - rules, compat-rules: Fix errors detected by the rule syntax checker. - python: Use raw strings for regexp patterns. - compat-rules: Make path_id_compat build with meson. 
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465) - Fix memory hotplugging. - systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485) - systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422) - Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:977-1 Released: Wed May 23 17:14:16 2018 Summary: Security update for bash Type: security Severity: moderate References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543 Description: This update for bash fixes the following issues: Security issues fixed: - CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299) - CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396) Non-security issues fixed: - Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. 
(bsc#1086247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:978-1 Released: Wed May 23 17:18:39 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 Description: This update for zlib fixes the following issues: - Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1028-1 Released: Tue Jun 5 13:20:44 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1089884 Description: This update for pam fixes the following issues: - Fix order of accessed configuration files in man page. (bsc#1089884) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1077-1 Released: Wed Jun 6 11:44:25 2018 Summary: Security update for glibc Type: security Severity: important References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 Description: This update for glibc fixes the following issues: - CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150) - CVE-2018-11236: Fix overflow in path length computation (bsc#1094161) - CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154) Non security bugs fixed: - Fix crash in resolver on memory allocation failure (bsc#1086690) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1082-1 Released: Thu Jun 7 12:58:56 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1073879,1080078,964063 Description: This update for rpm fixes the following issues: - Backport support for no_recompute_build_ids macro. (bsc#964063) - Fix code execution when evaluating common python-related macros. 
(bsc#1080078) Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1141-1 Released: Fri Jun 15 13:41:08 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 Description: This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1145-1 Released: Fri Jun 15 19:19:51 2018 Summary: Recommended update for openssl Type: recommended Severity: moderate References: 1090765 Description: This update for openssl provides the following fix: - Suggest libopenssl1_0_0-hmac from libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1242-1 Released: Thu Jun 28 13:44:16 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). 
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1276-1 Released: Thu Jul 5 08:36:17 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1097158,1097624,1098592,CVE-2018-0732 Description: This update for openssl fixes the following issues: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158). - Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1328-1 Released: Tue Jul 17 08:07:57 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). 
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1351-1 Released: Thu Jul 19 09:43:21 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1400-1 Released: Thu Jul 26 16:32:29 2018 Summary: Security update for util-linux Type: security Severity: moderate References: 1072947,1078662,1080740,1084300,CVE-2018-7738 Description: This update for util-linux fixes the following issues: This non-security issue was fixed: - CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300). These non-security issues were fixed: - Fixed crash loop in lscpu (bsc#1072947). - Fixed possible segfault of umount -a - Fixed mount -a on NFS bind mounts (bsc#1080740). - Fixed lsblk on NVMe (bsc#1078662). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1413-1 Released: Fri Jul 27 12:41:13 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). 
The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1450-1 Released: Mon Jul 30 10:10:45 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1549-1 Released: Mon Aug 13 13:41:22 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1610-1 Released: Thu Aug 16 14:04:25 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. 
(bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1620-1 Released: Thu Aug 16 14:49:45 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1632-1 Released: Thu Aug 16 15:27:04 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096 Description: This update for systemd fixes the following issues: - core: In --user mode, report READY=1 as soon as basic.target is reached. - sd-bus: Extend D-Bus authentication timeout considerably. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096) - compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096) - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761) - rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables. - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - device: Skip deserialization of device units when udevd is not running. - install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search preset files in /run. - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890) - logind: Do not use an uninitialized variable. (bsc#1088890) - Disable user services by default. 
(bsc#1090785) - Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post which made the symlink not owned and more importantly it was created only if /etc/sysctl.conf is already installed which is not always the case during the installation process it seems. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead since it's a distro default behavior that might be overriden by sysadmin later. - systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule that is can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in kernel. This change prevents the udev rules for acpi container be triggered by 'udevadm trigger' from user space. - build-sys: Explicitly require python3. (bsc#1082004) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1636-1 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1689-1 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. 
(bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1691-1 Released: Mon Aug 20 09:04:17 2018 Summary: Recommended update for sg3_utils Type: recommended Severity: low References: 1065448,1070431,1077787,1092640 Description: This update for sg3_utils provides the following fix: - Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431) - Fix page decoding. (bsc#1077787) - Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640) - Use %post -p for ldconfig. (bsc#1092640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1695-1 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). 
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1698-1 Released: Mon Aug 20 09:19:28 2018 Summary: Security update for shadow Type: security Severity: important References: 1099310,CVE-2016-6252 Description: This update for shadow fixes the following issues: - CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1834-1 Released: Wed Sep 5 10:17:42 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1089761,1090944,1101040,1103910 Description: This update for systemd fixes the following issues: - cryptsetup: Add support for sector-size= option. (fate#325634) - resolved: Apply epoch to system time from PID 1. (bsc#1103910) - core/service: Rework the hold-off time over message. - core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. 
(bsc#1089761) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1903-1 Released: Fri Sep 14 12:46:21 2018 Summary: Security update for curl Type: security Severity: moderate References: 1089533,1106019,CVE-2018-14618 Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1969-1 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. 
- libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1985-1 Released: Mon Sep 24 11:56:08 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1994-1 Released: Mon Sep 24 12:55:57 2018 Summary: Security update for shadow Type: security Severity: moderate References: 1106914 Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2069-1 Released: Fri Sep 28 08:01:25 2018 Summary: Security update for openssl Type: security Severity: moderate References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737 Description: This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2162-1 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1088921 Description: This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. 
(bsc#1088921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2181-1 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). - CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2196-1 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2217-1 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1094121,1107430 Description: This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. - Avoid `xtrace' attack over $PS4. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2373-1 Released: Mon Oct 22 14:43:47 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1077692,943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. 
An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)

This non-security issue was fixed:
- Use ksym-provides tool [bsc#1077692]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released:    Wed Oct 24 14:42:43 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:
This update for systemd fixes the following issues:

- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released:    Thu Oct 25 16:56:24 2018
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    moderate
References:  1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:

- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released:    Fri Oct 26 12:39:59 2018
Summary:     Recommended update for cpio
Type:        recommended
Severity:    low
References:  1076810,889138
Description:
This update for cpio provides the following fix:

- Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released:    Mon Oct 29 16:14:48 2018
Summary:     Recommended update for console-setup, kbd
Type:        recommended
Severity:    moderate
References:  1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:
- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942)

Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to =U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non x86 platforms
  * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
  * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock (bsc#1056449).
  * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that need this to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce the correct unicode character for the Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released:    Tue Oct 30 09:22:45 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1113117
Description:
This update for bash fixes the following issues:

A recently released update introduced a change of behavior which resulted in broken customers' scripts.
(bsc#1113117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released:    Fri Nov 2 17:09:49 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:

- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released:    Fri Nov 2 18:59:06 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:

- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released:    Wed Nov 7 11:04:00 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1095148,1113100
Description:
This update for rpm fixes the following issues:

- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released:    Wed Nov 14 14:14:41 2018
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:
This update for systemd fixes the following issues:

Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package. This script was part of the systemd-sysvinit sub-package, but that was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it has never been a SysV init tool.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released:    Thu Nov 22 16:25:38 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:

Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released:    Fri Nov 23 17:07:27 2018
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released:    Fri Nov 23 17:08:32 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released:    Mon Nov 26 17:46:39 2018
Summary:     Security update for procps
Type:        security
Severity:    moderate
References:  1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released:    Tue Nov 27 13:39:49 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released:    Mon Dec 3 15:34:09 2018
Summary:     Security update for ncurses
Type:        security
Severity:    important
References:  1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:
- CVE-2018-19211: Fixed a denial of service issue that was triggered by a NULL pointer dereference in the function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released:    Wed Dec 5 09:29:31 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1111965,1113125
Description:
This update for apparmor fixes the following issues:

- Systemd-aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released:    Wed Dec 5 09:57:54 2018
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:

- Allow setuid root for start-suid tool of singularity (group only) bsc#1028304
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247 bsc#1097665)
- Make btmp root:utmp (bsc#1050467)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released:    Wed Dec 5 09:59:45 2018
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:

- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released:    Tue Dec 11 21:48:05 2018
Summary:     Recommended update for blog
Type:        recommended
Severity:    moderate
References:  1071568
Description:
This update for blog fixes the following issues:

- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in the same manner as used by the release notes

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released:    Mon Dec 17 08:51:28 2018
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:

Security issue fixed:
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released:    Fri Dec 21 17:34:05 2018
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1117355
Description:
This update for libgcrypt provides the following fix:

- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released:    Tue Jan 8 13:07:17 2019
Summary:     Recommended update for acl
Type:        recommended
Severity:    low
References:  953659
Description:
This update for acl fixes the following issues:

- quote: Escape literal backslashes (bsc#953659).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released:    Thu Jan 17 14:18:31 2019
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released:    Mon Jan 21 13:53:58 2019
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:

Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:
- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns an exit failure code when it detects the _none_ state.
The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:143-1 Released: Tue Jan 22 14:21:55 2019 Summary: Recommended update for ncurses Type: recommended Severity: important References: 1121450 Description: This update for ncurses fixes the following issues: - ncurses applications freezing (bsc#1121450) From sle-updates at lists.suse.com Thu Jan 16 09:57:09 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 16 Jan 2020 17:57:09 +0100 (CET) Subject: SUSE-CU-2019:710-1: Security update of caasp/v4/haproxy Message-ID: <20200116165709.F1CA0F796@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/haproxy ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2019:710-1 Container Tags : caasp/v4/haproxy:1.6.11 , caasp/v4/haproxy:1.6.11-rev1 , caasp/v4/haproxy:1.6.11-rev1-build1.1 Severity : important Type : security References : 1000396 1000662 1000677 1001299 1001790 1001912 1002975 1003264 1003577 1003579 1003580 1003714 1003978 1004094 1004289 1004995 1004995 1004995 1005023 1005063 1005404 1005544 1005633 1005634 1005635 1005637 1005638 1005640 1005642 1005643 1005645 1005646 1006175 1006372 1006469 1006687 1006690 1007851 1007909 1008325 1009269 1009470 1009528 1009532 1009745 1009801 1009905 1009966 1010220 1010675 1010685 1010845 1010880 1012266 1012390 1012523 1012591 1012818 1012973 1013286 1013882 1013930 1013989 1014471 1014560 1014566 1014873 1015254 1015332 1015515 1015565 1015943 1017034 1017497 1018214 1018399 1018870 1019276 1019470 1019637 1019637 1019900 1020108 1020143 1020601 1021641 1021914 1022014 1022047 1022085 1022086 1022271 1022872 1023141 1023283 1023895 1024724 1024989 1025176 1025398 1025560 1025598 1025630 1025757 1025886 1026224 1026567 1026683 1026780 1026807 1026825 1027053 1027057 1027079 1027099 1027231 1027379 
1027688 1027712 1027908 1027925 1028263 1028281 1028304 1028304 1028305 1028410 1028485 1028610 1028723 1029102 1029102 1029133 1029183 1029516 1029516 1029523 1029561 1029691 1029725 1029900 1030053 1030290 1030621 1031355 1031643 1031702 1031998 1032029 1032029 1032309 1032445 1032538 1032660 1032680 1033238 1033238 1033855 1034563 1034565 1035062 1035371 1035386 1035445 1035818 1036304 1036619 1036659 1036675 1036736 1036873 1036873 1037120 1037120 1037396 1037824 1037930 1038189 1038194 1038444 1038865 1038865 1038984 1038984 1039063 1039063 1039064 1039064 1039066 1039066 1039069 1039069 1039099 1039099 1039276 1039357 1039661 1039661 1039941 1040043 1040153 1040153 1040258 1040258 1040614 1040614 1040800 1040942 1040942 1040968 1040968 1040968 1041764 1042326 1042392 1042781 1043059 1043218 1043237 1043333 1043333 1043580 1043615 1043758 1043758 1043883 1043886 1043900 1043900 1044095 1044107 1044175 1044337 1044840 1044887 1044894 1045092 1045290 1045290 1045384 1045472 1045522 1045628 1045735 1045735 1045735 1045943 1045987 1046173 1046173 1046268 1046417 1046607 1046659 1046750 1046750 1046853 1046853 1046858 1046858 1047008 1047178 1047233 1047236 1047240 1047247 1047379 1047785 1047785 1047937 1047964 1047965 1048315 1048510 1048605 1048605 1048645 1048679 1049344 1049825 1050152 1050258 1050467 1050767 1050943 1051042 1051465 1051626 1051643 1051644 1051791 1052261 1053137 1053188 1053409 1053595 1053671 1054028 1054088 1054171 1054671 1055446 1055641 1055825 1055920 1056058 1056126 1056127 1056127 1056128 1056128 1056129 1056129 1056131 1056131 1056132 1056132 1056136 1056136 1056437 1056449 1056450 1056995 1057007 1057007 1057150 1057188 1057452 1057634 1057640 1057662 1057721 1057724 1057801 1057900 1057974 1058695 1058722 1058783 1059065 1059292 1059723 1060653 1060738 1061051 1061384 1061667 1061876 1062303 1062561 1062591 1062592 1063051 1063249 1063269 1063675 1063824 1063910 1064397 1064455 1064455 1064455 1064569 1064580 1064583 1064999 1065083 
1065274 1065276 1065363 1065448 1065448 1066156 1066242 1066422 1066500 1067312 1067605 1067891 1068251 1068565 1068565 1068588 1068708 1068967 1069222 1069226 1069468 1069468 1069934 1070209 1070428 1070431 1070431 1070851 1070878 1070905 1070958 1071224 1071311 1071319 1071321 1071466 1071543 1071558 1071568 1071698 1071905 1071906 1072343 1072947 1072947 1073231 1073313 1073715 1073879 1073990 1074254 1074293 1074293 1074621 1074687 1075449 1075724 1075743 1075801 1075804 1075978 1076192 1076308 1076415 1076696 1076810 1076832 1076909 1077001 1077635 1077692 1077787 1077787 1077925 1077993 1078245 1078358 1078662 1078662 1078806 1078813 1079036 1079334 1079991 1080078 1080382 1080740 1080740 1081170 1081294 1081556 1081725 1082004 1082216 1082216 1082216 1082233 1082233 1082233 1082234 1082234 1082234 1082318 1082485 1082485 1083158 1083290 1083670 1083926 1083927 1083946 1084300 1084300 1084462 1084521 1084524 1084527 1084532 1084626 1084682 1084812 1084812 1084842 1085020 1085062 1085432 1085786 1086247 1086602 1086690 1086785 1086825 1087102 1087323 1087550 1087550 1087930 1088052 1088279 1088601 1088705 1088769 1088890 1088921 1089039 1089533 1089640 1089761 1089761 1089884 1090765 1090766 1090766 1090766 1090785 1090944 1091265 1091624 1091677 1092098 1092100 1092100 1092413 1092640 1092640 1093617 1093753 1093851 1094121 1094150 1094154 1094161 1094222 1095096 1095148 1095818 1096282 1096282 1096282 1096718 1096718 1096745 1096803 1097158 1097410 1097410 1097410 1097624 1097665 1098592 1099310 1099310 1099310 1099452 1099847 1099982 1100028 1101040 1101246 1101349 1101470 1101591 1102046 1102429 1102564 1102871 1103910 1104789 1105031 1105166 1105236 1106019 1106197 1106914 1106923 1107430 1107579 1107640 1107941 1108835 1109147 1109197 1109252 1109877 1110445 1110661 1111251 1111278 1111965 1112024 1112209 1112758 1112858 1113083 1113100 1113117 1113125 1113534 1113632 1113652 1113660 1113665 1113742 1114981 1115518 1115929 1117355 1119971 1120323 1120489 
1121450 1123164 360993 408814 556664 658010 661410 675317 825385 829717 830805 874665 888308 889138 889990 892431 894610 896202 896435 897422 898003 899524 899871 900275 900276 901202 901418 901845 901924 902364 902367 903543 905483 906574 906574 906803 906858 907074 907456 908128 908516 909418 910252 910252 910253 910253 911228 911363 911662 912229 912715 912922 913209 913650 913651 915402 915846 917152 917169 918089 918090 918346 919274 920057 920057 920386 921070 922534 923241 924525 924687 924960 924960 926412 926826 927556 927607 927608 927746 927993 928292 928533 928740 929919 930176 931932 932232 932894 933029 933288 933288 933336 933878 933878 934333 934689 934920 935393 936050 936227 936227 936676 937823 938343 938657 939392 939460 940315 942865 942865 943457 943457 944903 945340 945842 945899 952151 952347 953130 953532 953659 953807 953831 954002 954661 954758 955382 955753 955770 957566 957566 957567 957567 957598 957598 957600 957600 958369 958562 959693 960273 960820 960837 960837 961964 962765 962983 962996 963290 963448 963942 964063 964468 965322 965780 965902 966220 967026 967082 967728 967838 968771 969569 970260 970882 971741 971741 972127 972127 972331 972463 972471 974691 975466 978055 979261 979436 979441 979629 979906 980391 980486 981114 981616 982303 982303 983206 983215 983216 983754 984906 984958 986216 986216 986783 986935 987887 988311 988794 988903 988954 989788 989831 990189 990190 990191 990538 991389 991390 991391 991443 991746 991901 992966 994157 994794 995936 996511 997027 997043 997420 997682 998413 998760 998893 998906 999735 999878 CVE-2012-6702 CVE-2013-6435 CVE-2014-3591 CVE-2014-3707 CVE-2014-3710 CVE-2014-8116 CVE-2014-8116 CVE-2014-8117 CVE-2014-8117 CVE-2014-8118 CVE-2014-8150 CVE-2014-8964 CVE-2014-8964 CVE-2014-9087 CVE-2014-9112 CVE-2014-9447 CVE-2014-9620 CVE-2014-9621 CVE-2014-9653 CVE-2015-0247 CVE-2015-0837 CVE-2015-1283 CVE-2015-1572 CVE-2015-1606 CVE-2015-1607 CVE-2015-1782 CVE-2015-2059 CVE-2015-2325 
CVE-2015-2325 CVE-2015-2327 CVE-2015-2327 CVE-2015-2328 CVE-2015-2328 CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148 CVE-2015-3153 CVE-2015-3210 CVE-2015-3210 CVE-2015-3217 CVE-2015-3217 CVE-2015-3238 CVE-2015-3243 CVE-2015-5073 CVE-2015-5073 CVE-2015-5276 CVE-2015-7511 CVE-2015-8380 CVE-2015-8380 CVE-2015-8381 CVE-2015-8381 CVE-2015-8382 CVE-2015-8382 CVE-2015-8383 CVE-2015-8383 CVE-2015-8384 CVE-2015-8384 CVE-2015-8385 CVE-2015-8385 CVE-2015-8386 CVE-2015-8386 CVE-2015-8387 CVE-2015-8387 CVE-2015-8388 CVE-2015-8388 CVE-2015-8389 CVE-2015-8389 CVE-2015-8390 CVE-2015-8390 CVE-2015-8391 CVE-2015-8391 CVE-2015-8392 CVE-2015-8392 CVE-2015-8393 CVE-2015-8393 CVE-2015-8394 CVE-2015-8394 CVE-2015-8395 CVE-2015-8395 CVE-2015-8853 CVE-2015-8948 CVE-2016-0634 CVE-2016-0718 CVE-2016-0755 CVE-2016-0787 CVE-2016-10156 CVE-2016-1238 CVE-2016-1248 CVE-2016-1283 CVE-2016-1283 CVE-2016-1839 CVE-2016-2037 CVE-2016-2381 CVE-2016-3191 CVE-2016-3191 CVE-2016-4574 CVE-2016-4579 CVE-2016-4658 CVE-2016-5131 CVE-2016-5300 CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 CVE-2016-6185 CVE-2016-6252 CVE-2016-6252 CVE-2016-6252 CVE-2016-6261 CVE-2016-6262 CVE-2016-6263 CVE-2016-6313 CVE-2016-6318 CVE-2016-7055 CVE-2016-7141 CVE-2016-7167 CVE-2016-7543 CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-9063 CVE-2016-9318 CVE-2016-9401 CVE-2016-9586 CVE-2016-9597 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 CVE-2017-0663 CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254 CVE-2017-1000257 CVE-2017-1000366 CVE-2017-1000408 CVE-2017-1000409 CVE-2017-10684 CVE-2017-10684 CVE-2017-10685 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-11462 CVE-2017-12132 CVE-2017-12133 CVE-2017-12424 CVE-2017-12837 CVE-2017-12883 CVE-2017-13728 CVE-2017-13728 CVE-2017-13729 CVE-2017-13729 CVE-2017-13730 CVE-2017-13730 CVE-2017-13731 CVE-2017-13731 CVE-2017-13732 CVE-2017-13732 CVE-2017-13733 
CVE-2017-13733 CVE-2017-13734 CVE-2017-14062 CVE-2017-15088 CVE-2017-15412 CVE-2017-15670 CVE-2017-15671 CVE-2017-15804 CVE-2017-15908 CVE-2017-16997 CVE-2017-17740 CVE-2017-18078 CVE-2017-18258 CVE-2017-18269 CVE-2017-3731 CVE-2017-3732 CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738 CVE-2017-5130 CVE-2017-5953 CVE-2017-5969 CVE-2017-6349 CVE-2017-6350 CVE-2017-6512 CVE-2017-7375 CVE-2017-7376 CVE-2017-7407 CVE-2017-7435 CVE-2017-7436 CVE-2017-7436 CVE-2017-7500 CVE-2017-7500 CVE-2017-7501 CVE-2017-7501 CVE-2017-7526 CVE-2017-7555 CVE-2017-8804 CVE-2017-8816 CVE-2017-8817 CVE-2017-8872 CVE-2017-9047 CVE-2017-9047 CVE-2017-9048 CVE-2017-9048 CVE-2017-9049 CVE-2017-9049 CVE-2017-9050 CVE-2017-9050 CVE-2017-9217 CVE-2017-9217 CVE-2017-9233 CVE-2017-9269 CVE-2017-9269 CVE-2017-9287 CVE-2017-9445 CVE-2017-9445 CVE-2017-9526 CVE-2018-0495 CVE-2018-0495 CVE-2018-0495 CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-0739 CVE-2018-1000001 CVE-2018-1000001 CVE-2018-1000007 CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 CVE-2018-1000301 CVE-2018-1049 CVE-2018-1122 CVE-2018-1122 CVE-2018-1123 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1124 CVE-2018-1125 CVE-2018-1125 CVE-2018-1126 CVE-2018-1126 CVE-2018-12015 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16881 CVE-2018-19211 CVE-2018-20217 CVE-2018-5407 CVE-2018-5729 CVE-2018-5730 CVE-2018-6003 CVE-2018-6485 CVE-2018-6551 CVE-2018-6797 CVE-2018-6797 CVE-2018-6797 CVE-2018-6798 CVE-2018-6798 CVE-2018-6798 CVE-2018-6913 CVE-2018-6913 CVE-2018-6913 CVE-2018-7169 CVE-2018-7685 CVE-2018-7738 CVE-2018-7738 CVE-2018-9251 ----------------------------------------------------------------- The container caasp/v4/haproxy was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:85-1
Released:    Tue Nov 4 16:29:29 2014
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    moderate
References:  901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2014:66-1
Released:    Thu Nov 6 06:23:15 2014
Summary:     Recommended update for gcc48
Type:        recommended
Severity:    moderate
References:  899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:97-1
Released:    Fri Nov 28 10:20:32 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:113-1
Released:    Tue Dec 2 18:17:57 2014
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:

- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:16-1
Released:    Thu Dec 11 09:25:27 2014
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:

- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2014:126-1
Released:    Fri Dec 19 20:16:00 2014
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:

- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:29-1
Released:    Mon Jan 12 11:37:43 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  901924,911363,CVE-2014-3707,CVE-2014-8150
Description:
This update fixes the following security issues:

- CVE-2014-8150: URL request injection vulnerability (bnc#911363)
- CVE-2014-3707: duphandle read out of bounds (bnc#901924)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:40-1
Released:    Thu Jan 15 18:35:11 2015
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:

- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with space.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:64-1
Released:    Thu Jan 15 23:21:45 2015
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:76-1
Released:    Fri Jan 30 15:01:03 2015
Summary:     Security update for elfutils
Type:        security
Severity:    moderate
References:  911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:55-1
Released:    Tue Feb 3 14:51:17 2015
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  913209
Description:
curl was updated to fix problems when operating in FIPS mode. This patch re-enables the following methods:

- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:121-1
Released:    Tue Feb 3 16:30:16 2015
Summary:     Recommended update for pam
Type:        recommended
Severity:    low
References:  912922
Description:
This update for pam fixes updating of NIS passwords.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:157-1
Released:    Tue Mar 10 09:01:41 2015
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  921070,CVE-2015-1782
Description:
The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet that could lead to a buffer overread and to a crash of the application using libssh2_org.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:275-1
Released:    Wed Mar 18 18:21:44 2015
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  901202,908516
Description:
This update for procps provides the following fixes:

- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:235-1
Released:    Wed Apr 29 19:05:01 2015
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.

The following vulnerabilities were fixed:
* CVE-2015-3143: curl could re-use NTLM authenticated connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of bounds
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:296-1
Released:    Thu Jun 11 15:46:59 2015
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST 800-90a compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in fips mode (bnc#896435)
* Make DSA selftest use 2048 bit keys (bnc#898003)
* Added ECDSA selftests and support for them in the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:366-1
Released:    Mon Jun 29 10:13:43 2015
Summary:     Security update for e2fsprogs
Type:        security
Severity:    low
References:  915402,918346,CVE-2015-0247,CVE-2015-1572
Description:
Two security issues were fixed in e2fsprogs:

Security issues fixed:
* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:361-1
Released:    Wed Jul 15 08:26:27 2015
Summary:     Recommended update for gcc48, libffi48, libgcj48
Type:        recommended
Severity:    moderate
References:  889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2015:422-1
Released:    Tue Jul 28 06:25:51 2015
Summary:     The Toolchain module containing GCC 5.2
Type:        optional
Severity:    low
References:  926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.

Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes. The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).

The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:500-1
Released:    Mon Aug 17 11:36:33 2015
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:

Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)

Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:530-1
Released:    Wed Aug 26 03:07:07 2015
Summary:     Recommended update for sed
Type:        recommended
Severity:    low
References:  933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:568-1
Released:    Wed Sep 16 13:30:12 2015
Summary:     Recommended update for grep
Type:        recommended
Severity:    low
References:  920386
Description:
This update for grep fixes undefined behaviour with -P and non-UTF-8 data.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:922-1
Released:    Tue Dec 22 08:44:25 2015
Summary:     Security update for gpg2
Type:        security
Severity:    moderate
References:  918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:

- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2015:869-1
Released:    Wed Dec 23 10:01:16 2015
Summary:     Recommended update for libksba
Type:        security
Severity:    moderate
References:  926826
Description:
The libksba package was updated to fix the following security issues:

- Fixed an integer overflow, an out-of-bounds read and a stack overflow (bsc#926826).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2015:862-1
Released:    Wed Dec 23 17:40:51 2015
Summary:     Recommended update for acl
Type:        recommended
Severity:    moderate
References:  945899
Description:
This update for acl provides the following fixes:

- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:46-1
Released:    Fri Jan 8 12:37:34 2016
Summary:     Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Type:        recommended
Severity:    moderate
References:  932232
Description:
This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.

The various GNOME libraries and tools have been changed to use the default libgcrypt allocators.
GNOME keyring was changed not to use MD5 anymore.
libgcrypt was adjusted to free the DRBG on exit to avoid crashes.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:201-1
Released:    Thu Feb 4 15:51:22 2016
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  934333,936676,962983,962996,CVE-2016-0755
Description:
This update for curl fixes the following issues:

- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:

- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:

- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:371-1
Released:    Thu Mar 3 15:58:18 2016
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  960820
Description:
This update for insserv-compat fixes the name of the ntpd service.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:413-1
Released:    Fri Mar 11 10:17:57 2016
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  933336,961964,967026,CVE-2016-0787
Description:
This update for libssh2_org fixes the following issues:

Security issue fixed:
- CVE-2016-0787 (bsc#967026): A weakness in Diffie-Hellman secret key generation led to much shorter DH groups than needed, which could be used to retrieve server keys.

A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:462-1
Released:    Wed Mar 16 18:17:59 2016
Summary:     Recommended update for libcap
Type:        recommended
Severity:    low
References:  967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:543-1
Released:    Fri Apr 1 18:44:16 2016
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:565-1
Released:    Wed Apr 6 16:26:42 2016
Summary:     Security update for gcc5
Type:        security
Severity:    moderate
References:  939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.

The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:636-1
Released:    Mon Apr 18 09:18:19 2016
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:643-1
Released:    Tue Apr 19 09:23:39 2016
Summary:     Recommended update for bzip2
Type:        recommended
Severity:    low
References:  970260
Description:
This update for bzip2 fixes the following issues:

- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:697-1
Released:    Thu Apr 28 16:03:24 2016
Summary:     Recommended update for libssh2_org
Type:        recommended
Severity:    important
References:  974691
Description:
This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:801-1
Released:    Thu May 19 22:38:01 2016
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  915846
Description:
This update for curl fixes the following issue:

- Fix 'Network is unreachable' error when IPv6 is not available but IPv4 is. This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:835-1
Released:    Wed May 25 18:27:30 2016
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  979629
Description:
This update for libgcrypt fixes the following issue:

- Fix failing reboot after installing fips pattern (bsc#979629)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:898-1
Released:    Tue Jun 7 09:48:12 2016
Summary:     Security update for expat
Type:        security
Severity:    important
References:  979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:

Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:900-1
Released:    Tue Jun 7 10:58:37 2016
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:

- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)

Also adds reliability fixes from v1.3.4.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:987-1
Released:    Wed Jun 22 14:32:18 2016
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  981616
Description:
This update for procps fixes the following issues:

- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1028-1
Released:    Thu Jul 7 11:50:47 2016
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  986935
Description:
This update for findutils fixes the following issues:

- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1126-1
Released:    Sat Jul 30 00:39:03 2016
Summary:     Recommended update for kmod
Type:        recommended
Severity:    low
References:  983754,989788
Description:
This update for kmod fixes libkmod to handle very long lines in /proc/modules.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1205-1
Released:    Thu Aug 11 15:02:18 2016
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:

- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1228-1
Released:    Tue Aug 16 09:29:01 2016
Summary:     Security update for libidn
Type:        security
Severity:    moderate
References:  923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:

- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8 (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1247-1
Released:    Fri Aug 19 12:58:39 2016
Summary:     Security update for cracklib
Type:        security
Severity:    moderate
References:  992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:

- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1326-1
Released:    Thu Sep 8 11:37:44 2016
Summary:     Security update for perl
Type:        security
Severity:    moderate
References:  928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:

- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad UTF-8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2016:1358-1
Released:    Thu Sep 15 20:54:21 2016
Summary:     Optional update for gcc6
Type:        optional
Severity:    low
References:  983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.

This update is shipped in two parts:

- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.

Changes:

- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.

Generic Optimization improvements:

- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit, which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.

C language specific improvements:

- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.

C improvements:

- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.

C++ improvements:

- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.

libstdc++ improvements:

- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro has less run-time overhead than the full _GLIBCXX_DEBUG checks and doesn't affect the library ABI, so it can be enabled per translation unit.

Fortran improvements:

- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.

Architecture improvements:

- AArch64 received a lot of improvements.

IA-32/x86-64 improvements:

- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.

PowerPC / PowerPC64 / RS6000 improvements:

- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
  - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
  - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
  - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
  - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
  - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
  - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
  - -mpower9-minmax: Reserved for future development.
  - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.

S/390, System z, IBM z Systems improvements:

- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible with the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1364-1
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Type: security
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)

Also the following bug was fixed:
- fixing a performance issue (bsc#991746)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1370-1
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1591-1
Released: Wed Nov 2 12:07:51 2016
Summary: Security update for curl
Type: security
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:
- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1614-1
Released: Mon Nov 7 20:01:31 2016
Summary: Recommended update for shadow
Type: recommended
Severity: low
References: 1002975
Description:
This update for shadow fixes the following issues:
- Set file modes according to the permissions package and don't attempt to manipulate them in the %files section. (bsc#1002975)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1641-1
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1006469,958369,979436
Description:
This update for sg3_utils provides the following fixes:
- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that had been added to the server. (bsc#958369)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1721-1
Released: Tue Nov 29 13:12:31 2016
Summary: Security update for vim
Type: security
Severity: important
References: 1010685,988903,CVE-2016-1248
Description:
This update for vim fixes the following security issues:
- Fixed CVE-2016-1248, an arbitrary command execution vulnerability (bsc#1010685)

This update for vim fixes the following issues:
- Fix build with Python 3.5. (bsc#988903)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1744-1
Released: Fri Dec 2 11:42:41 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.

These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1778-1
Released: Thu Dec 8 11:12:31 2016
Summary: Recommended update for wicked
Type: recommended
Severity: moderate
References: 972471,975466,988794,988954,997027,998413
Description:
This update provides Wicked 0.6.39, which brings the following fixes and enhancements:
- dhcp: Support to define and request custom options, documented in wicked-config(5) and ifcfg-dhcp(5) manual pages. (bsc#988954)
- dhcp6: Fix refresh on newprefix workaround. (bsc#972471)
- dhcp4: Do not fail in capture on link type change. (bsc#975466)
- dhcp4: Ignore invalid options, do not discard complete message.
- dhcp4: Log and add sender (server or relay) ethernet hw-address to the lease.
- ifdown: Show reasons to skip an action. (bsc#997027)
- ifconfig: Fix to consider address scope in dbus model. (bsc#988794)
- bonding: Set the primary slave in the master at enslave of the primary when it was not yet ready while setting up the bond. (bsc#998413)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1782-1
Released: Fri Dec 9 13:35:02 2016
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1001790,1004289,1005404,1006372,1006690,989831,991443
Description:
This update for systemd provides the following fixes:
- Allow to redirect confirmation messages to a different console. (bsc#1006690)
- Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831)
- Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289)
- Don't emit space usage message right after opening the persistent journal. (bsc#991443)
- Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. (bsc#1006372)
- Document that *KeyIgnoreInhibited only apply to a subset of locks.
- Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404)
- Revert 'kbd-model-map: add more mappings offered by Yast'.
- Don't busy loop when we get a notification message we can't process.
- Rename kbd-model-map-extra into kbd-model-map.legacy.
- Add kbd-model-map-extra file which contains the additional maps needed by YaST.
- Drop localfs.service: unused and not needed anymore.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1784-1
Released: Fri Dec 9 13:39:17 2016
Summary: Recommended update for haproxy
Type: recommended
Severity: moderate
References: 1003264
Description:
This update provides haproxy version 1.6.9, which brings fixes and enhancements:
- Properly mark the server address as unset on connect retry.
- Fix possible crash when using sc_trackers with wrong table.
- Fix random problems with the 'sni' directive.
- Initialize avail_in/next_in even during flush.
- Fix listening IP address storage for frontends.
- Fix breakage of 'reqdeny' causing random crashes.
- Use asynchronous signal delivery and do not unblock undesired signals.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2016:1827-1
Released: Thu Dec 15 12:41:10 2016
Summary: Security update for pcre
Type: security
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:
This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.

These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2016:1863-1
Released: Wed Dec 21 10:41:35 2016
Summary: Recommended update for pth
Type: recommended
Severity: low
References: 1013286
Description:
This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:2-1
Released: Mon Jan 2 08:35:08 2017
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:
This update for zlib fixes the following issues:
- CVE-2016-9843: Big-endian out-of-bounds pointer
- CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580)
- CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
- Incompatible declarations for external linkage function deflate (bsc#1003577)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:6-1
Released: Tue Jan 3 15:01:58 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538
Description:
This update for systemd fixes the following issues:
- core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
- fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Ship kbd-model-map with the correct contents. (bsc#1015515)
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
- tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
- nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
- systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:32-1
Released: Mon Jan 9 11:50:42 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 994794
Description:
This update for dirmngr enables support for daemon mode.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:47-1
Released: Wed Jan 11 11:42:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1018214,1018399
Description:
This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:98-1
Released: Thu Jan 19 10:17:55 2017
Summary: Recommended update for kmod
Type: recommended
Severity: low
References: 998906
Description:
This update for kmod fixes a rare race condition while loading modules.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:149-1
Released: Wed Jan 25 09:17:08 2017
Summary: Security update for systemd
Type: security
Severity: important
References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:
This update for systemd fixes the following issues:

This security issue was fixed:
- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).

These non-security issues were fixed:
- Fix permission set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:185-1
Released: Thu Feb 2 18:22:37 2017
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.

This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

This non-security issue was fixed:
- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:192-1
Released: Fri Feb 3 18:46:05 2017
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:209-1
Released: Tue Feb 7 17:00:47 2017
Summary: Recommended update for libseccomp
Type: recommended
Severity: low
References: 1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:212-1
Released: Wed Feb 8 13:07:24 2017
Summary: Security update for expat
Type: security
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:228-1
Released: Fri Feb 10 15:39:32 2017
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:
This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)

Security issues fixed:
- CVE-2016-7055: The x86_64 optimized Montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)

Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:261-1
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Type: recommended
Severity: low
References: 1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfilesd files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276)
- Properly require logrotate as we need it for the dirmngr configs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:308-1
Released: Thu Mar 2 13:35:13 2017
Summary: Recommended update for haproxy
Type: recommended
Severity: moderate
References: 1023141
Description:
This update provides haproxy 1.6.11, which brings several fixes and enhancements:
- systemd-wrapper: Return correct exit codes.
- srv-state: Properly restore the DRAIN state.
- srv-state: Allow to have both CMAINT and FDRAIN flags.
- servers: Properly propagate the maintenance states during startup.
- vars: Fix 'set-var' converter because of a typo.
- channel: Fix bad unlikely macro.
- doc/ssl: Use correct wording for ca-sign-pass.
- stick-table: Handle out-of-memory condition gracefully.
- connection: Check the control layer before stopping polling.
- stick-table: Fix regression caused by recent fix for out-of-memory.
- cli: Properly decrement ref count on tables during failed dumps.
- lua: In some cases, the return of sample-fetches is ignored.
- cli: Fix pointer size when reporting data/transport layer name.
- cli: Dequeue from the proxy when changing a maxconn.
- cli: Wake up the CLI's task after a timeout update.
- freq-ctr: Make swrate_add() support larger values.
- proxy: Return 'none' and 'unknown' for unknown LB algos.
- stream: Fix session abort on resource shortage.
- http: Don't send an extra CRLF after a Set-Cookie in a redirect.
- variables: Some variable names can hide other ones.
- cli: Be sure to always warn the cli applet when input buffer is full.
- applet: Count number of (active) applets.
- task: Rename run_queue and run_queue_cur counters.
- stream: Save unprocessed events for a stream.
- Fix how the list of entities waiting for a buffer is handled.
- stream-int: Automatically release SI_FL_WAIT_DATA on SHUTW_NOW.
- doc/lua: Section declared twice.
- doc: Fix small typo in fe_id (backend instead of frontend).
- lua: Fix memory leak executing tasks.
- ssl: Properly reset the reused_sess during a forced handshake.
- ssl: Avoid double free when releasing bind_confs.
- backend: nbsrv() should return 0 if backend is disabled.
- ssl: For a handshake when server-side SNI changes.
- systemd: Prevent potential zombie processes.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:365-1
Released: Fri Mar 10 15:16:59 2017
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1006175
Description:
This update for sg3_utils fixes the following issue:
- Add udev rules to handle legacy CCISS devices (bsc#1006175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:389-1
Released: Thu Mar 16 14:16:43 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:
This update for systemd provides the following fixes:
- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:439-1
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Type: recommended
Severity: low
References: 1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:462-1
Released: Fri Mar 24 21:58:07 2017
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1012973,1015943,1017034,1023283,1025560,1025630
Description:
This update for lvm2 fixes the following issues:
- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package. (bsc#1015943)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:464-1
Released: Mon Mar 27 15:50:51 2017
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1007851,1029725,1029900
Description:
This update for glibc fixes a potential segmentation fault in libpthread:
- Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:580-1
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Type: recommended
Severity: important
References: 1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types [bsc#1028410]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:609-1
Released: Tue Apr 18 11:28:14 2017
Summary: Security update for curl
Type: security
Severity: moderate
References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which led to a heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:732-1
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1030621
Description:
This update for procps fixes the following issues:
- Command w(1) with option -n doesn't work. (bsc#1030621)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:735-1
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:751-1
Released: Thu May 11 17:14:30 2017
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:
This update for systemd provides the following fixes:
- logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as 'unchanged'. (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398)
- core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:761-1
Released: Mon May 15 16:51:15 2017
Summary: Recommended update for wicked
Type: recommended
Severity: moderate
References: 1007909,1009801,1021914,1025757,1026683,1026780,1027231,1029133,1030053
Description:
This update provides Wicked 0.6.40, which brings the following fixes and enhancements:
- fsm: Clone bound config and cleanup references fixing ifindex reference handling in iBFT vlan configuration. (bsc#1030053)
- updater: Fix to not leave orphaned background jobs on device delete, causing to block processing of synchronized jobs. (bsc#1029133)
- vxlan: Add initial support. (bsc#1026780)
- dhcp: Correct and complete fqdn option support. (bsc#1025757)
- bonding: Properly send primary reselect to kernel. (bsc#1027231)
- dbus: Fix caller-uid timeout to 15sec, not 15ms. (bsc#1026683)
- ethtool: Handle ring,coalesce,eee parameters. (bsc#1007909)
- bond: Fix xmit-hash-policy option mismatch. (bsc#1021914)
- ifconfig: Avoid timeouts on large number of IPs by performing IPv4 duplicate address detection, apply and sending gratuitous ARP for chunks of multiple addresses at once. (bsc#1009801)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:794-1
Released: Tue May 16 15:41:09 2017
Summary: Security update for bash
Type: security
Severity: moderate
References: 1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.

Additionally, the popd builtin now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:799-1
Released:    Wed May 17 00:21:13 2017
Summary:     Recommended update for glibc
Type:        recommended
Severity:    low
References:  1026224,1035445
Description:
This update for glibc introduces basic support for IBM POWER9 systems.
Additionally, an improper assert in dlclose() has been removed.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:865-1
Released:    Wed May 24 16:23:20 2017
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1015565,1037824,934920,CVE-2015-3238
Description:
This update for pam fixes the following issues:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks. (bsc#934920)
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH. (bsc#1037824)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:873-1
Released:    Fri May 26 16:19:47 2017
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1009532,960273
Description:
This update for e2fsprogs provides the following fixes:
- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:877-1
Released:    Mon May 29 15:11:48 2017
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    low
References:  1031998
Description:
This update for cryptsetup provides the following fix:
- Don't use a zero-filled empty key, because in FIPS mode the two XTS key parts must not be equivalent. (bsc#1031998)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:891-1
Released:    Tue May 30 22:28:21 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow. (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read. (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString function). (bnc#1039069)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:907-1
Released:    Thu Jun 1 14:23:36 2017
Summary:     Recommended update for shadow
Type:        recommended
Severity:    low
References:  1003978,1031643
Description:
This update for shadow fixes the following issues:
- Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643)
- useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID range was iterated to find an available UID/GID. This could take a long time over a network device. Instead, find available UIDs/GIDs locally, and then check only those values over the network. (bsc#1003978)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:918-1
Released:    Tue Jun 6 12:35:44 2017
Summary:     Recommended update for libsemanage, selinux-policy
Type:        recommended
Severity:    moderate
References:  1020143,1032445,1035818,1038189
Description:
This update for libsemanage, selinux-policy fixes the following issues:
- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2. (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:939-1
Released:    Mon Jun 12 10:56:22 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:
* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString. (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey. (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent. (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent. (bsc#1039064)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:959-1
Released:    Wed Jun 14 14:38:11 2017
Summary:     Recommended update for gcc5
Type:        recommended
Severity:    low
References:  1043580
Description:
This update for gcc5 fixes the version of libffi in its pkg-config configuration file.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:962-1
Released:    Wed Jun 14 16:33:07 2017
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:
Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed. (bsc#1041764)
Non security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure. (bsc#1037396)
- Fix an issue with transaction management that can cause a server crash. (bsc#972331)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:985-1
Released:    Mon Jun 19 14:57:41 2017
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the FIPS selftests; this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:990-1
Released:    Mon Jun 19 17:19:44 2017
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:
- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. (bsc#1039357)
- A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. (bsc#1040043)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1033-1
Released:    Fri Jun 23 16:38:55 2017
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1038194
Description:
This update for e2fsprogs provides the following fixes:
- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1036-1
Released:    Mon Jun 26 08:12:24 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID. (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer dereference in xmlDumpElementContent. (bsc#1024989)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1040-1
Released:    Mon Jun 26 13:22:26 2017
Summary:     Recommended update for libsemanage, policycoreutils
Type:        recommended
Severity:    low
References:  1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:
- Show version numbers of modules where they are available. (bsc#1043237)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1063-1
Released:    Wed Jun 28 21:15:03 2017
Summary:     Security update for vim
Type:        security
Severity:    moderate
References:  1018870,1024724,1027053,1027057,CVE-2017-5953,CVE-2017-6349,CVE-2017-6350
Description:
This update for vim fixes the following issues:
Security issues fixed:
- CVE-2017-5953: Fixed a possible overflow with a corrupted spell file. (bsc#1024724)
- CVE-2017-6350: Fixed a possible overflow when reading a corrupted undo file. (bsc#1027053)
- CVE-2017-6349: Fixed a possible overflow when reading a corrupted undo file. (bsc#1027057)
Non security issues fixed:
- Speed up YAML syntax highlighting. (bsc#1018870)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1082-1
Released:    Fri Jun 30 10:54:06 2017
Summary:     Recommended update for dirmngr
Type:        recommended
Severity:    low
References:  1045943
Description:
This update for dirmngr provides the following fix:
- Change logrotate from Requires to Recommends. (bsc#1045943)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1086-1
Released:    Fri Jun 30 15:36:17 2017
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support. (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference. (bsc#1044894)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1104-1
Released:    Tue Jul 4 16:13:55 2017
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:
Security issue fixed:
- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting. (bsc#1040614)
The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but whose new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1116-1
Released:    Thu Jul 6 11:37:18 2017
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added. (bsc#1046607)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1119-1
Released:    Fri Jul 7 11:23:20 2017
Summary:     Recommended update for ncurses
Type:        security
Severity:    important
References:  1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE via a format string vulnerability in the fmt_entry function. (bsc#1046853)
Bugfixes:
- Drop patch ncurses-5.9-environment.dif, as the YaST2 ncurses GUI does not need it anymore and it causes bug bsc#1000662.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1160-1
Released:    Fri Jul 14 17:20:26 2017
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connections. (bsc#1031702)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1174-1
Released:    Wed Jul 19 11:12:51 2017
Summary:     Security update for systemd, dracut
Type:        security
Severity:    important
References:  1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:
Security issues fixed:
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)
Non-security issues fixed in systemd:
- Automounter issue in combination with NFS volumes. (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path. (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert. (bsc#1046750)
Non-security issues fixed in dracut:
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft). (bsc#1037120)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1222-1
Released:    Wed Jul 26 17:15:18 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1034563,1039941
Description:
This update for procps provides the following fixes:
- Make pmap handle LazyFree in /proc/smaps. (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys. (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1245-1
Released:    Thu Aug 3 10:43:15 2017
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445
Description:
This update for systemd provides several fixes and enhancements.
Security issues fixed:
- CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)
The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf gets installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but whose new version starts shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1268-1
Released:    Mon Aug 7 10:09:19 2017
Summary:     Recommended update for openssl
Type:        recommended
Severity:    moderate
References:  1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364
Description:
This update for openssl fixes the following issues, including fixes for our ongoing FIPS 140-2 evaluation:
- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address the SWEET32 problem. (bsc#1027908)
- Use the getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy, to comply with FIPS 140-2 IG 7.14. (bsc#1027079, bsc#1044175)
- Fix x86 extended feature detection. (bsc#1029523)
- Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environment variable. (bsc#1028723)
- s_client sent an empty client certificate. (bsc#1028281) Add back certificate initialization set_cert_key_stuff(), which was removed in a previous update.
- Fix a bug in XTS key handling. (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't installed. (bsc#1042392)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1279-1
Released:    Mon Aug 7 14:46:40 2017
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format. (bsc#1046853, bsc#1046858, bsc#1049344)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1316-1
Released:    Thu Aug 10 13:54:27 2017
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1014471,1026825,1044840,938657
Description:
This update for cyrus-sasl provides the following fixes:
- Fix SASL GSSAPI mechanism acceptor wrongly returning zero maxbufsize.
- Fix unknown authentication mechanism: kerberos5. (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable. (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists.
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service. (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message. (bsc#1044840)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1326-1
Released:    Fri Aug 11 16:59:04 2017
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1330-1
Released:    Mon Aug 14 18:41:29 2017
Summary:     Recommended update for sed
Type:        recommended
Severity:    low
References:  954661
Description:
This update for sed provides the following fixes:
- Don't terminate with a segmentation fault if close of the last file descriptor fails. (bsc#954661)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2017:1333-1
Released:    Tue Aug 15 17:59:30 2017
Summary:     Optional update for libverto
Type:        optional
Severity:    low
References:  1029561
Description:
This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1334-1
Released:    Tue Aug 15 20:09:03 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1048679,874665
Description:
This update for systemd fixes the following issues:
- compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464)
- timesyncd: Don't use the compiled-in list if FallbackNTP has been configured explicitly.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1335-1
Released:    Wed Aug 16 11:24:21 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1051643,1051644,CVE-2017-1000100,CVE-2017-1000101
Description:
This update for curl fixes the following issues:
- CVE-2017-1000100: TFTP sends more than buffer size, which could lead to a denial of service. (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read, which could lead to a denial of service. (bsc#1051643)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1347-1
Released:    Fri Aug 18 11:03:57 2017
Summary:     Recommended update for procps
Type:        recommended
Severity:    important
References:  1053409
Description:
This update for procps fixes the following issues:
- Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error. (bsc#1053409)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1349-1
Released:    Fri Aug 18 12:31:07 2017
Summary:     Recommended update for lua51
Type:        recommended
Severity:    low
References:  1051626
Description:
This update for lua51 provides the following fixes:
- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1390-1
Released:    Fri Aug 25 15:14:27 2017
Summary:     Security update for libzypp
Type:        security
Severity:    important
References:  1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
yast2-pkg-bindings:
- Do not crash when the repository URL is not defined. (bsc#1043218)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1419-1
Released:    Wed Aug 30 15:38:22 2017
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:
- CVE-2016-9063: Possible integer overflow inside XML_Parse leading to unexpected behaviour. (bsc#1047240)
- CVE-2017-9233: External entity vulnerability could lead to denial of service. (bsc#1047236)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1439-1
Released:    Fri Sep 1 15:31:05 2017
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1045384,1045987,1046268,1047379,1048605
Description:
This update for systemd fixes the following issues:
- Revert fix for bsc#1004995, which could have caused boot failure on LVM. (bsc#1048605)
- compat-rules: drop the bogus 'import everything' rule. (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification. (bsc#1045384, bsc#1047379)
- udev/path_id: introduce support for NVMe devices. (bsc#1045987)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1447-1
Released:    Mon Sep 4 15:38:20 2017
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    important
References:  1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)
zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1450-1
Released:    Mon Sep 4 16:36:07 2017
Summary:     Recommended update for insserv-compat
Type:        recommended
Severity:    low
References:  1035062,944903
Description:
This update for insserv-compat fixes the following issues:
- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1453-1
Released:    Mon Sep 4 21:23:50 2017
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:
- libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null, which caused an infinite loop when libgcrypt attempted to read from the random device. (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests. (bsc#1046659)
  * don't call gcry_drbg_instantiate() in the healthcheck sanity test, to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- Fix a bug in gcry_drbg_healthcheck_sanity() which caused some of the tests to be skipped. (bsc#1046659)
- dlsym returns the PLT address on s390x; dlopen libgcrypt20.so before calling dlsym. (bsc#1047008)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1548-1
Released:    Fri Sep 15 18:19:12 2017
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:
- Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fall back to using sg_inq --page when using multipath devices in AutoYaST2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1592-1
Released:    Tue Sep 26 17:38:03 2017
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1028485,1045628,978055,998893,999878
Description:
This update for lvm2 provides the following fixes:
- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1644-1
Released:    Mon Oct 9 07:52:24 2017
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.
This security issue was fixed:
- CVE-2017-11462: Prevent automatic security context deletion to prevent a double-free. (bsc#1056995)
These non-security issues were fixed:
- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)
- Remove main package's dependency on systemd. (bsc#1032680)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1663-1
Released:    Tue Oct 10 12:05:09 2017
Summary:     Recommended update for dbus-1
Type:        recommended
Severity:    moderate
References:  1043615,1046173
Description:
This update for dbus-1 provides the following fixes:
- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
- Remove call to initscripts related macros from the spec file, as dbus-1 does not ship any initscript anymore. (bsc#1046173)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1703-1
Released:    Tue Oct 17 13:20:12 2017
Summary:     Recommended update for audit
Type:        recommended
Severity:    low
References:  1042781
Description:
This update for audit provides the following fix:
- Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2017:1758-1
Released:    Mon Oct 23 08:47:47 2017
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-1000254: FTP PWD response parser out of bounds read. (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read. (bsc#1063824)
Bugs fixed:
- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy. (bsc#1060653)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2017:1772-1
Released:    Wed Oct 25 14:10:42 2017
Summary:     Recommended update for logrotate
Type:        recommended
Severity:    low
References:  1057801
Description:
This update for logrotate provides the following fix:
- Make sure log files continue to rotate properly when a stale status file is found.
(bsc#1057801) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1796-1 Released: Fri Oct 27 21:25:06 2017 Summary: Recommended update for pcre Type: recommended Severity: moderate References: 1058722 Description: This update for pcre fixes the following issues: - Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining pcre match() function (bsc#1058722) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1797-1 Released: Sat Oct 28 12:06:19 2017 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1028304,1048645,1060738 Description: This update for permissions fixes the following issues: - Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. (bsc#1028304) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1826-1 Released: Wed Nov 8 08:47:17 2017 Summary: Security update for krb5 Type: security Severity: important References: 1065274,CVE-2017-15088 Description: This update for krb5 fixes the following issues: Security issues fixed: - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1829-1 Released: Wed Nov 8 08:50:00 2017 Summary: Security update for shadow Type: security Severity: moderate References: 1023895,1052261,980486,CVE-2017-12424 Description: This update for shadow fixes several issues. This security issue was fixed: - CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261). 
These non-security issues were fixed: - bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings - bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1881-1 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Type: security Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 Description: The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650) - CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651) - CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152) - CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253) - CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. 
(bsc#910253) Version update to file version 5.22 * add indirect relative for TIFF/Exif * restructure elf note printing to avoid repeated messages * add note limit, suggested by Alexander Cherepanov * Bail out on partial pread()'s (Alexander Cherepanov) * Fix incorrect bounds check in file_printable (Alexander Cherepanov) * PR/405: ignore SIGPIPE from uncompress programs * change printable -> file_printable and use it in more places for safety * in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name. Version update to file version 5.21 * there was an incorrect free in magic_load_buffers() * there was an out of bounds read for some pascal strings * there was a memory leak in magic lists * don't interpret strings printed from files using the current locale, convert them to ascii format first. * there was an out of bounds read in elf note reads Update to file version 5.20 * recognize encrypted CDF documents * add magic_load_buffers from Brooks Davis * add thumbs.db support Additional non-security bug fixes: * Fixed a memory corruption during rpmbuild (bsc#1063269) * Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511) * file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. 
(bsc#1009966) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1903-1 Released: Fri Nov 24 16:19:37 2017 Summary: Security update for perl Type: security Severity: moderate References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512 Description: This update for perl fixes the following issues: Security issues fixed: - CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724) - CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721) - CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178) Bug fixes: - backport set_capture_string changes from upstream (bsc#999735) - reformat baselibs.conf as source validator workaround ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1916-1 Released: Fri Nov 24 20:15:01 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1043333,1059723 Description: This update for libgcrypt provides the following fix: - Fix a regression in a previous update which caused libgcrypt to leak file descriptors causing failures when starting rtkit-daemon. 
(bsc#1059723) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1917-1 Released: Mon Nov 27 13:32:07 2017 Summary: Optional update for gcc7 Type: recommended Severity: low References: 1056437,1062591,1062592 Description: The GNU Compiler GCC 7 is being added to the Toolchain Module by this update. New features: - Support for specific IBM Power9 processor instructions. - Support for specific IBM zSeries z14 processor instructions. - New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support. The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1965-1 Released: Thu Nov 30 12:48:45 2017 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410 Description: The Software Update Stack was updated to receive fixes and enhancements. libsolv: - Many fixes and improvements for cleandeps. - Always create dup rules for 'distupgrade' jobs. - Use recommends also for ordering packages. - Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065) - Expose solver_get_recommendations() in bindings. - Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations(). - Support 'without' and 'unless' dependencies. - Use same heuristic as upstream to determine source RPMs. - Fix memory leak in bindings. 
- Add pool_best_solvables() function. - Fix 64bit integer parsing from RPM headers. - Enable bzip2 and xz/lzma compression support. - Enable complex/rich dependencies on distributions with RPM 4.13+. libzypp: - Fix media handling in presence of a repo path prefix. (bsc#1062561) - Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561) - Remove unused legacy notify-message script. (bsc#1058783) - Support multiple product licenses in repomd. (fate#322276) - Propagate 'rpm --import' errors. (bsc#1057188) - Fix typos in zypp.conf. zypper: - Locale: Fix possible segmentation fault. (bsc#1064999) - Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384) - Unify '(add|modify)(repo|service)' property related arguments. - Fixed 'add' commands supporting to set only a subset of properties. - Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671) - Fix missing package names in installation report. (bsc#1058695) - Differ between unsupported and packages with unknown support status. (bsc#1057634) - Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1966-1 Released: Thu Nov 30 13:45:24 2017 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249 Description: This update for systemd fixes the following issues: - unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. 
(bsc#1048605, bsc#1004995) - compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249) - compat-rules: Allow to specify the generation number through the kernel command line. - scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099) - tmpfiles: Remove old ICE and X11 sockets at boot. - tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472) - pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on. - shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595) - shutdown: Fix incorrect fscanf() result check. - shutdown: Don't remount,ro network filesystems. (bsc#1035386) - shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641) - bash-completion: Add support for --now. (bsc#1053137) - Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152) - Add a rule to teach hotplug to offline containers transparently. (bsc#1040800) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1968-1 Released: Thu Nov 30 19:49:33 2017 Summary: Recommended update for coreutils Type: recommended Severity: low References: 1026567,1043059,965780 Description: This update for coreutils provides the following fixes: - Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567) - Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059) - Significantly speed up df(1) for huge mount lists. 
(bsc#965780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1970-1 Released: Thu Nov 30 22:55:41 2017 Summary: Security update for openssl Type: security Severity: moderate References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736 Description: This update for openssl fixes the following issues: Security issues fixed: - CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058) - CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242) - Out of bounds read+crash in DES_fcrypt (bsc#1065363) - openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2021-1 Released: Fri Dec 8 10:11:04 2017 Summary: Recommended update for file Type: recommended Severity: moderate References: 1070878,1070958 Description: This update for file fixes detection of JPEG files. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2031-1 Released: Mon Dec 11 12:55:57 2017 Summary: Recommended update for gzip Type: recommended Severity: low References: 1067891 Description: This update for gzip provides the following fix: - Fix mishandling of leading zeros in the end-of-block code (bsc#1067891) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2036-1 Released: Wed Dec 13 16:34:21 2017 Summary: Recommended update for util-linux Type: recommended Severity: low References: 1039276,1040968,1055446,1066500 Description: This update for util-linux provides the following fixes: - Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used. (bsc#1040968) - Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in lscpu for some processors. (bsc#1055446) - Fix a lscpu failure on Sydney Amazon EC2 region. 
(bsc#1066500) - If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:2097-1 Released: Sat Dec 16 01:59:00 2017 Summary: Security update for openssl Type: security Severity: important References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738 Description: This update for openssl fixes the following issues: - OpenSSL Security Advisory [07 Dec 2017] * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \'error state\' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. O penSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905) * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. 
Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2100-1 Released: Mon Dec 18 17:25:18 2017 Summary: Recommended update for wicked Type: recommended Severity: important References: 1036619,1043883,1045522,1050258,1057007,1059292 Description: This update for wicked fixes the following issues: - A regression in wicked was causing the hostname not to be set correctly via DHCP in some cases. [bsc#1057007,bsc#1050258] - Configure the interface MTU correctly even in cases where the interface was up already. [bsc#1059292] - Don't abort the process that adds configures routes if one route fails. [bsc#1036619] - Handle DHCP4 user-class ids properly. [bsc#1045522] - ethtool: handle channels parameters. [bsc#1043883] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2137-1 Released: Thu Dec 21 17:49:12 2017 Summary: Recommended update for dbus-1 Type: recommended Severity: moderate References: 1046173,1071698 Description: This update for dbus-1 provides the following fixes: - The previously released fix for systemd-logind dbus disconnections was missing in some parts of the package, so properly apply it. (bsc#1071698) - Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. 
(bsc#1046173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:4-1 Released: Tue Jan 2 15:58:20 2018 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1057640,1067605,1068708,1071466,969569 Description: The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Don't store duplicated locks. (bsc#969569) - Fix default for solver.allowNameChange. (bsc#1071466) - Don't filter procs with a different mnt namespace. (bsc#1068708) - Support repo variables in an URIs host:port component. (bsc#1057640, bsc#1067605) zypper: - Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:38-1 Released: Tue Jan 9 14:56:43 2018 Summary: Recommended update for kmod Type: recommended Severity: low References: 1070209 Description: This update for kmod provides the following fix: - Fix resolving .TOC. in modules on 4.4 and older kernel (bsc#1070209) - Fix kernel master build for ppc64le (bsc#1070209) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:55-1 Released: Fri Jan 12 09:45:49 2018 Summary: Security update for glibc Type: security Severity: important References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001 Description: This update for glibc fixes the following issues: - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. 
[CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:86-1 Released: Wed Jan 17 09:38:17 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733 Description: This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:88-1 Released: Wed Jan 17 14:41:17 2018 Summary: Security update for curl Type: security Severity: moderate References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226). - CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:90-1 Released: Wed Jan 17 14:44:33 2018 Summary: Recommended update for lvm2 Type: recommended Severity: low References: 1063051,1067312 Description: This update for lvm2 provides the following fix: - Backport various upstream fixes for clvmd. (bsc#1063051) - Don't print error messages on testing the connection to the daemon. (bsc#1063051) - Fix handling of udev CHANGE events with systemd. (bsc#1067312) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:146-1 Released: Thu Jan 25 11:44:23 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1064397,1065083 Description: This update for openldap2 provides the following fixes: - Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083) - Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:149-1 Released: Thu Jan 25 13:38:37 2018 Summary: Security update for curl Type: security Severity: moderate References: 1077001,CVE-2018-1000007 Description: This update for curl fixes one issues. This security issue was fixed: - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:209-1 Released: Tue Jan 30 10:53:43 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734 Description: This update for ncurses fixes several issues. 
These security issues were fixed: - CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have lead to a remote denial of service attack (bsc#1056126). - CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056127). - CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056128). - CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have lead to a remote denial of service attack (bsc#1056129). - CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have lead to a remote denial of service attack (bsc#1056131). - CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have lead to a remote denial of service attack (bsc#1056132). - CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have lead to a remote denial of service attack (bsc#1056136). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:213-1 Released: Tue Jan 30 14:36:40 2018 Summary: Security update for systemd Type: security Severity: moderate References: 1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049 Description: This update for systemd fixes several issues. This security issue was fixed: - CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308). 
These non-security issues were fixed: - core: don't choke if a unit another unit triggers vanishes during reload - delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX - delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428) - delta: check if a prefix needs to be skipped only once - delta: skip symlink paths when split-usr is enabled (#4591) - sysctl: use raw file descriptor in sysctl_write (#7753) - sd-netlink: don't take possesion of netlink fd from caller on failure (bsc#1074254) - Fix the regexp used to detect broken by-id symlinks in /etc/crypttab It was missing the following case: '/dev/disk/by-id/cr_-xxx'. - sysctl: disable buffer while writing to /proc (bsc#1071558) - Use read_line() and LONG_LINE_MAX to read values configuration files. (bsc#1071558) - sysctl: no need to check for eof twice - def: add new constant LONG_LINE_MAX - fileio: add new helper call read_line() as bounded getline() replacement - service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156) - gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280) - gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422) - fstab-util: introduce fstab_has_fstype() helper - fstab-generator: ignore root=/dev/nfs (#3591) - fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452) - virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510) - analyze: replace --no-man with --man=no in the man page (bsc#1068251) - udev: net_setup_link: don't error out when we couldn't apply link config (#7328) - Add missing /etc/systemd/network directory - Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510) - sd-bus: use -- when passing arguments to ssh (#6706) - systemctl: make sure we terminate the bus connection first, and then close the pager (#3550) - sd-bus: bump message queue size 
(bsc#1075724) - tmpfiles: downgrade warning about duplicate line ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:214-1 Released: Tue Jan 30 14:37:42 2018 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1076832,CVE-2018-6003 Description: This update for libtasn1 fixes one issue. This security issue was fixed: - CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding BER encoded structure allowed for DoS (bsc#1076832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:231-1 Released: Thu Feb 1 09:56:36 2018 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: low References: 1071543,1073715 Description: This update for systemd-rpm-macros provides the following fixes: - Make sure to apply presets if packages start shipping units during upgrades. (bsc#1071543, bsc#1073715) - Remove a useless test in %service_add_pre(). The test was placed where the condition '[ '$FIRST_ARG' -gt 1 ]' was always true. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:276-1 Released: Thu Feb 8 17:47:43 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130 Description: This update for libxml2 fixes one issue. This security issue was fixed: - CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993) - CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. 
(bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:291-1
Released: Mon Feb 12 11:50:39 2018
Summary: Recommended update for bash
Type: recommended
Severity: low
References: 1057452,1076909
Description:
This update for bash provides the following fixes:
- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:314-1
Released: Thu Feb 15 14:47:35 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)
Non-security bugs fixed:
- Release read lock after resetting timeout (bsc#1073990)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:336-1
Released: Wed Feb 21 14:26:52 2018
Summary: Security update for libdb-4_8
Type: security
Severity: moderate
References: 1043886
Description:
This update for libdb-4_8 fixes the following issue:
- A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8.
(bsc#1043886)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:355-1
Released: Mon Feb 26 16:34:46 2018
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:
This update for systemd fixes the following issues:
Security issue fixed:
- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless the protected_hardlinks sysctl is on. This could be used by local attackers to gain privileges (bsc#1077925)
Non-security issues fixed:
- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default. Previously systemd-timesyncd used the Google Public NTP servers time{1..4}.google.com
- Don't ship /usr/lib/systemd/system/tmp.mount at all (bsc#1071224). But we still ship a copy in /var. Users who want to use tmpfs on /tmp are supposed to add a symlink in /etc/ pointing to the copy shipped in /var. To support the update path we automatically create the symlink if the tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:375-1
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Type: recommended
Severity: low
References: 1009905,1063910
Description:
This update for net-tools provides the following fix:
- netstat: fix handling of large socket numbers (bsc#1063910)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:439-1
Released: Fri Mar 9 14:05:22 2018
Summary: Security update for augeas
Type: security
Severity: low
References: 1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issue:
Security issue fixed:
- CVE-2017-7555: Fix a memory corruption bug that could have led to arbitrary code execution by passing crafted strings that would be mishandled by parse_name() (bsc#1054171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:443-1
Released: Fri Mar 9 18:02:14 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issue:
- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:446-1
Released: Mon Mar 12 13:13:55 2018
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issue:
- CVE-2018-7169: Fixed a privilege escalation in newgidmap, which allowed an unprivileged user to be placed in a user namespace where setgroups(2) is allowed.
(bsc#1081294)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:465-1
Released: Thu Mar 15 07:38:52 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1075743,1078358,1081170
Description:
This update for systemd fixes the following issue:
- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict the rule so that it can only be triggered on Huawei Kunlun 9008, 9016 and 9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:472-1
Released: Thu Mar 15 10:47:40 2018
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: low
References: 1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:
libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.
libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)
zypper:
- Do not recommend cron as it is not a direct dependency of zypper.
(bsc#1079334)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:522-1
Released: Thu Mar 22 08:20:46 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following security issues:
- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:567-1
Released: Thu Mar 29 14:02:08 2018
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:
Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).
Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issue may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:594-1
Released: Thu Apr 5 17:22:37 2018
Summary: Security update for libidn
Type: security
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one security issue:
- CVE-2017-14062: Prevent an integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:624-1
Released: Wed Apr 11 18:02:57 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issue:
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. (bsc#1087102).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:730-1
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
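CVE-2018-6003 in libtasn1 and CVE-2018-0739 in openssl (both above) are the same failure class: a recursive decoder for nested ASN.1 structures with no bound on nesting depth, so a small crafted input can exhaust the stack. The following is an added example and not code from libtasn1, OpenSSL or SUSE: a minimal DER/BER TLV walker in Python that enforces a nesting limit (MAX_DEPTH = 32 is an assumed value, not one from either project) and builds its own deeply nested SEQUENCE input, constructed here, to show the rejection.

```python
"""Depth-bounded DER/BER TLV walker (added example, not project code)."""

MAX_DEPTH = 32  # assumed limit; choose one that fits the structures you accept


class Asn1Error(ValueError):
    """Raised for malformed input or nesting beyond the configured limit."""


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a definite-form length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise Asn1Error("truncated: missing length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one octet
        return first, pos
    n = first & 0x7F
    if n == 0:                            # 0x80 = indefinite (BER only)
        raise Asn1Error("indefinite length not supported")
    if n > 4:
        raise Asn1Error("length field too long")
    if pos + n > len(buf):
        raise Asn1Error("truncated: length bytes")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _walk(buf: bytes, start: int, end: int, depth: int, max_depth: int, stats: dict) -> None:
    pos = start
    while pos < end:
        # The bound is checked before any recursion, so a hostile input is
        # refused at max_depth + 1 rather than at the interpreter's stack limit.
        if depth > max_depth:
            raise Asn1Error(f"nesting depth {depth} exceeds limit {max_depth}")
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            raise Asn1Error("multi-byte tags not supported")
        length, pos = _read_length(buf, pos)
        if pos + length > end:
            raise Asn1Error("element overruns its container")
        stats["count"] += 1
        stats["depth"] = max(stats["depth"], depth)
        if tag & 0x20:                    # constructed: descend into the contents
            _walk(buf, pos, pos + length, depth + 1, max_depth, stats)
        pos += length


def walk(buf: bytes, max_depth: int = MAX_DEPTH) -> tuple[int, int]:
    """Walk every TLV in buf. Returns (element_count, deepest_nesting_seen)."""
    stats = {"count": 0, "depth": 0}
    _walk(buf, 0, len(buf), 1, max_depth, stats)
    return stats["count"], stats["depth"]


def is_safe_to_decode(buf: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """True if buf is well-formed definite-length BER nested no deeper than max_depth."""
    try:
        walk(buf, max_depth)
        return True
    except Asn1Error:
        return False


def encode_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build constructed test input."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def nested_sequences(levels: int) -> bytes:
    """INTEGER 1 wrapped in `levels` SEQUENCEs: constructed sample input."""
    data = encode_tlv(0x02, b"\x01")
    for _ in range(levels):
        data = encode_tlv(0x30, data)
    return data


if __name__ == "__main__":
    print(walk(nested_sequences(3)))                  # (4, 4)
    print(is_safe_to_decode(nested_sequences(5000)))  # False: refused at depth 33
```

walk(nested_sequences(3)) reports four elements with the INTEGER at depth 4; a 5000-level nesting is refused at depth 33 instead of recursing until Python raises RecursionError. The same explicit bound belongs in any hand-written decoder for formats with recursive definitions such as PKCS#7; for OpenSSL and libtasn1 themselves the fix is the updated package, and this checker only shows the shape of the mitigation.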
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:736-1
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:
Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)
Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:779-1
Released: Wed May 2 22:16:26 2018
Summary: Recommended update for rpm
Type: recommended
Severity: low
References: 1003714,1027925,1069934
Description:
This update for rpm provides the following fixes:
- Fix find-lang.sh to handle the special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal to or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:797-1
Released: Mon May 7 07:07:38 2018
Summary: Recommended update for gcc7
Type: recommended
Severity: important
References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:
This update for gcc7 to the 7.3 release fixes the following issues:
- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure. [bsc#1083290]
- Various AArch64 compile fixes are included:
  * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]
- Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550]
- Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with the GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.
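The ordering that %rpm_vercmp, %pkg_vcmp and %pkg_version_cmp (SUSE-RU-2018:779-1 above) expose is rpm's segment-wise version comparison, rpmvercmp(). As an added example, and not SUSE's macro code or librpm's own source, here is that comparison reimplemented in Python so the -1/0/1 results can be checked offline. evrcmp() and vcmp() are additions of mine that layer an epoch:version-release split and the six operators the macro accepts on top; they assume the release is only compared when both sides carry one.

```python
"""rpm version ordering reimplemented for illustration (not librpm code)."""
import re


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version strings the way rpm's rpmvercmp() does.

    Returns -1 if a < b, 0 if equal, 1 if a > b. Rules: strings are split
    into runs of digits and runs of letters; any other character only
    separates segments; numeric segments compare numerically (leading
    zeros ignored), alphabetic ones lexically; a numeric segment beats an
    alphabetic one; '~' sorts before anything, even the end of the string;
    '^' sorts before anything except the end of the string.
    """
    i = j = 0

    def skip(s: str, k: int) -> int:
        # Advance past separator characters (not ASCII alnum, '~' or '^').
        while k < len(s) and not (s[k].isascii() and s[k].isalnum()) and s[k] not in "~^":
            k += 1
        return k

    while i < len(a) or j < len(b):
        i, j = skip(a, i), skip(b, j)
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":        # tilde: pre-release marker
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":        # caret: post-release snapshot marker
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        i += len(sa)
        mb = re.match(pat, b[j:])
        if mb is None:                    # segments of different kind: numeric wins
            return 1 if isnum else -1
        sb = mb.group(0)
        j += len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):        # longer digit run is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whichever string has segments left wins


def evrcmp(a: str, b: str) -> int:
    """Compare '[epoch:]version[-release]' labels (my addition: epoch is
    numeric with default 0, then version, then release only when both sides
    carry one)."""
    def split(s: str):
        epoch, sep, rest = s.partition(":")
        if not sep:
            epoch, rest = "0", s
        version, _, release = rest.partition("-")
        return int(epoch), version, release

    ea, va, ra = split(a)
    eb, vb, rb = split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc or not (ra and rb):
        return rc
    return rpmvercmp(ra, rb)


_OPS = {"<": {-1}, "<=": {-1, 0}, "=": {0}, ">=": {0, 1}, ">": {1}, "!=": {-1, 1}}


def vcmp(installed: str, op: str, wanted: str) -> bool:
    """Evaluate 'installed <op> wanted' with the operators %pkg_vcmp accepts."""
    if op not in _OPS:
        raise ValueError(f"unknown operator {op!r}")
    return evrcmp(installed, wanted) in _OPS[op]


if __name__ == "__main__":
    print(rpmvercmp("1.10", "1.9"), rpmvercmp("1.0~rc1", "1.0"))  # 1 -1
    print(vcmp("0:1.0-1", ">=", "1.0-2"))                          # False
```

The cases worth remembering are the ones that trip hand-rolled string comparisons: "1.10" is newer than "1.9", "1.001" equals "1.1", a "~rc1" suffix makes a version older than the bare number, and a lone "a" sorts before "1".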
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:939-1
Released: Thu May 17 08:41:30 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:
Security issue fixed:
- CVE-2018-1000301: Fixed an RTSP bad-headers buffer over-read that could crash the curl client (bsc#1092098)
Non-security issue fixed:
- If the DEFAULT_SUSE cipher list is not available, use the HIGH cipher alias before failing. (bsc#1086825)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:974-1
Released: Wed May 23 16:46:50 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:
- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices. (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it contains some additional patches on top of the upstream version. Use the commit hash in the name so the exact version can easily be identified. (bsc#1087323)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:977-1
Released: Wed May 23 17:14:16 2018
Summary: Security update for bash
Type: security
Severity: moderate
References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:
Security issues fixed:
- CVE-2016-7543: A code execution possibility via the SHELLOPTS+PS4 variables was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via a malicious hostname was fixed (bsc#1000396)
Non-security issues fixed:
- Fix repeated self-calling of traps due to the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:978-1
Released: Wed May 23 17:18:39 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321
Description:
This update for zlib fixes the following issue:
- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1028-1
Released: Tue Jun 5 13:20:44 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1089884
Description:
This update for pam fixes the following issue:
- Fix order of accessed configuration files in man page.
(bsc#1089884)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1077-1
Released: Wed Jun 6 11:44:25 2018
Summary: Security update for glibc
Type: security
Severity: important
References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2017-18269: Fix SSE2 memmove issue when crossing the 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond the destination buffer in __mempcpy_avx512_no_vzeroupper (bsc#1094154)
Non-security bugs fixed:
- Fix crash in resolver on memory allocation failure (bsc#1086690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1082-1
Released: Thu Jun 7 12:58:56 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1073879,1080078,964063
Description:
This update for rpm fixes the following issues:
- Backport support for the no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros. (bsc#1080078)
Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1141-1
Released: Fri Jun 15 13:41:08 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:
- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1144-1
Released: Fri Jun 15 19:19:29 2018
Summary: Recommended update for logrotate
Type: recommended
Severity: moderate
References: 1093617
Description:
This update for logrotate provides the following fix:
- Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1145-1
Released: Fri Jun 15 19:19:51 2018
Summary: Recommended update for openssl
Type: recommended
Severity: moderate
References: 1090765
Description:
This update for openssl provides the following fix:
- Suggest libopenssl1_0_0-hmac from the libopenssl1_0_0 package to avoid dependency issues during updates. (bsc#1090765)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1242-1
Released: Thu Jun 28 13:44:16 2018
Summary: Security update for procps
Type: security
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Built-in protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1276-1
Released: Thu Jul 5 08:36:17 2018
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite, a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a Denial of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1328-1
Released: Tue Jul 17 08:07:57 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)
This non-security issue was fixed:
- Fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1351-1
Released: Thu Jul 19 09:43:21 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issue:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1375-1
Released: Mon Jul 23 10:51:02 2018
Summary: Security update for rsyslog
Type: security
Severity: moderate
References: 935393,CVE-2015-3243
Description:
This update for rsyslog fixes the following issue:
The following security vulnerability was addressed:
- CVE-2015-3243: Make sure that log files are not created world-readable (bsc#935393)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1400-1
Released: Thu Jul 26 16:32:29 2018
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:
This security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1413-1
Released: Fri Jul 27 12:41:13 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1450-1
Released: Mon Jul 30 10:10:45 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package.
(bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1549-1
Released: Mon Aug 13 13:41:22 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1610-1
Released: Thu Aug 16 14:04:25 2018
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1620-1
Released: Thu Aug 16 14:49:45 2018
Summary: Security update for shadow
Type: security
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issue:
- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1632-1
Released: Thu Aug 16 15:27:04 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:
- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096)
- compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096)
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables.
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service units with Type=simple. (bsc#1091265)
- logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890)
- logind: Do not use an uninitialized variable. (bsc#1088890)
- Disable user services by default.
(bsc#1090785)
- Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769) Previously this symlink was created in /etc/sysctl.d during %post, which made the symlink not owned by the package and, more importantly, it was created only if /etc/sysctl.conf was already installed, which is not always the case during the installation process. So ship the symlink unconditionally and put it in /usr/lib/sysctl.d instead, since it's a distro default behavior that might be overridden by the sysadmin later.
- systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485) Add the offline event environmental condition to restrict the rule so that it can only be triggered when the change event is received with the 'offline' environmental data. The 27664c581 'ACPI / scan: Send change uevent with offine environmental data' kernel patch changed the corresponding code in the kernel. This change prevents the udev rules for the acpi container from being triggered by 'udevadm trigger' from user space.
- build-sys: Explicitly require python3. (bsc#1082004)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1636-1
Released: Thu Aug 16 15:30:11 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1689-1
Released: Mon Aug 20 09:02:24 2018
Summary: Recommended update for pam
Type: recommended
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:
- Added /etc/security/limits.d to the pam package. (bsc#1096282)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1691-1
Released: Mon Aug 20 09:04:17 2018
Summary: Recommended update for sg3_utils
Type: recommended
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fixes:
- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1695-1
Released: Mon Aug 20 09:19:20 2018
Summary: Security update for perl
Type: security
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
These security issues were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718).

This non-security issue was fixed:

- Fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1698-1
Released:    Mon Aug 20 09:19:28 2018
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  1099310,CVE-2016-6252
Description:

This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could result in local privilege escalation (bsc#1099310).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1834-1
Released:    Wed Sep 5 10:17:42 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1089761,1090944,1101040,1103910
Description:

This update for systemd fixes the following issues:

- cryptsetup: Add support for sector-size= option. (fate#325634)
- resolved: Apply epoch to system time from PID 1. (bsc#1103910)
- core/service: Rework the hold-off time over message.
- core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1903-1
Released:    Fri Sep 14 12:46:21 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1089533,1106019,CVE-2018-14618
Description:

This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019).

This non-security issue was fixed:

- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1969-1
Released:    Mon Sep 24 08:06:42 2018
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    important
References:  1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685
Description:

This update for libzypp, zypper fixes the following issues:

Update libzypp to version 16.17.20:

Security issues fixed:

- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)

Other bugs fixed:

- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)

Update zypper to version 1.13.45:

Security issues fixed:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)

Other bugs fixed:

- XML attribute `packages-to-change` added (bsc#1102429)
- man: Stress that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1985-1
Released:    Mon Sep 24 11:56:08 2018
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1089640
Description:

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1994-1
Released:    Mon Sep 24 12:55:57 2018
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1106914
Description:

This update for shadow fixes the following security issue:

- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2069-1
Released:    Fri Sep 28 08:01:25 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737
Description:

This update for openssl fixes the following issues:

These security issues were fixed:

- Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789)
- CVE-2018-0737: The RSA key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039)

These non-security issues were fixed:

- Add openssl(cli) Provide so that packages which require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)
- Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2162-1
Released:    Fri Oct 5 14:46:53 2018
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1088921
Description:

This update for krb5 provides the following fix:

- Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2181-1
Released:    Tue Oct 9 11:08:20 2018
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case, leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2196-1
Released:    Thu Oct 11 07:45:16 2018
Summary:     Optional update for gcc8
Type:        recommended
Severity:    low
References:  1084812,1084842,1087550,1094222,1102564
Description:

The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 8, several bugs have been fixed, quite some new warnings have been added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html

Changes needed and common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2217-1
Released:    Fri Oct 12 15:07:24 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    moderate
References:  1094121,1107430
Description:

This update for bash provides the following fixes:

- Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121)
- Fix mis-matching of null string with '*' pattern. (bsc#1107430)
- Fix a crash when the lastpipe option is enabled.
- Fix a typo that was preventing the `compat42' shopt option from working as intended.
- Help the shell to process any pending traps at redirection.
- Fix a crash due to incorrect conversion from an indexed to an associative array.
- Avoid the expansion of escape sequences in HOSTNAME in the prompt.
- Avoid `xtrace' attack over $PS4.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2248-1
Released:    Tue Oct 16 14:25:25 2018
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1084682,901418
Description:

This update for rsyslog provides the following fixes:

- Fix path to extra apparmor profiles. (bsc#901418)
- omfile: Assure proper logfile flush when using a configuration template that configures messages to be written to multiple files; otherwise only the last file would be flushed. (bsc#1084682)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2373-1
Released:    Mon Oct 22 14:43:47 2018
Summary:     Security update for rpm
Type:        security
Severity:    moderate
References:  1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:

This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457).

This non-security issue was fixed:

- Use ksym-provides tool [bsc#1077692]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2435-1
Released:    Wed Oct 24 14:42:43 2018
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:

This update for systemd fixes the following issues:

- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2475-1
Released:    Thu Oct 25 16:56:24 2018
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    moderate
References:  1099982,1109877,408814,556664,939392
Description:

This update for libzypp fixes the following issues:

- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2488-1
Released:    Fri Oct 26 12:39:59 2018
Summary:     Recommended update for cpio
Type:        recommended
Severity:    low
References:  1076810,889138
Description:

This update for cpio provides the following fix:

- Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2516-1
Released:    Mon Oct 29 16:14:48 2018
Summary:     Recommended update for console-setup, kbd
Type:        recommended
Severity:    moderate
References:  1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:

This update for kbd and console-setup provides the following fixes:

Changes in console-setup:

- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires on kbd in order to resolve the build cycle between kbd and console-setup. (bsc#963942)

Changes in kbd:

- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non x86 platforms
  * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
  * Drop from some fill-up templates a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock (bsc#1056449).
  * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that need this to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce the correct unicode character for the Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2525-1
Released:    Tue Oct 30 09:22:45 2018
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1113117
Description:

This update for bash fixes the following issues:

- A recently released update introduced a change of behaviour which resulted in broken customers' scripts. (bsc#1113117)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2563-1
Released:    Fri Nov 2 17:09:49 2018
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:

This update for curl fixes the following issues:

- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2567-1
Released:    Fri Nov 2 18:59:06 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1047937,1057150,1057900,1099452,906858
Description:

This update for apparmor provides the following fixes:

- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2593-1
Released:    Wed Nov 7 11:04:00 2018
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1095148,1113100
Description:

This update for rpm fixes the following issues:

- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2659-1
Released:    Wed Nov 14 14:14:41 2018
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non-security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package
  This script was part of the systemd-sysvinit sub-package, but that was wrong, since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are SysV init scripts. Therefore it has never been a SysV init tool.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2760-1
Released:    Thu Nov 22 16:25:38 2018
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:

This update for openssl fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:

- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2766-1
Released:    Fri Nov 23 17:07:27 2018
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  943457,CVE-2017-7500,CVE-2017-7501
Description:

This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457).

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1697-1
Released:    Fri Nov 23 17:08:32 2018
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1064455,1090766,1097410,CVE-2018-0495
Description:

This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1696-1
Released:    Mon Nov 26 17:46:39 2018
Summary:     Security update for procps
Type:        security
Severity:    moderate
References:  1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:

This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in the file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY, limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1618-1
Released:    Tue Nov 27 13:39:49 2018
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1072947,1078662,1080740,1084300,CVE-2018-7738
Description:

This update for util-linux fixes the following issues:

This security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges by embedding shell commands in a mountpoint name, which was mishandled during a umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2824-1
Released:    Mon Dec 3 15:34:09 2018
Summary:     Security update for ncurses
Type:        security
Severity:    important
References:  1115929,CVE-2018-19211
Description:

This update for ncurses fixes the following issue:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2836-1
Released:    Wed Dec 5 09:29:31 2018
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1111965,1113125
Description:

This update for apparmor fixes the following issues:

- Systemd-aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2840-1
Released:    Wed Dec 5 09:57:54 2018
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1028304,1047247,1050467,1097665,1111251
Description:

This update for permissions fixes the following issues:

- Allow setuid root for start-suid tool of singularity (group only) (bsc#1028304)
- Allow setuid root for authbind binary (bsc#1111251)
- An incorrect error message was adjusted (bsc#1047247, bsc#1097665)
- Make btmp root:utmp (bsc#1050467)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2841-1
Released:    Wed Dec 5 09:59:45 2018
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1105236,1110661,1112858
Description:

This update for glibc fixes the following issues:

- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2906-1
Released:    Tue Dec 11 21:48:05 2018
Summary:     Recommended update for blog
Type:        recommended
Severity:    moderate
References:  1071568
Description:

This update for blog fixes the following issues:

- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in the same manner as used by the release notes
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2947-1
Released:    Mon Dec 17 08:51:28 2018
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1073313,CVE-2017-17740
Description:

This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:3029-1
Released:    Fri Dec 21 17:34:05 2018
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1117355
Description:

This update for libgcrypt provides the following fix:

- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:43-1
Released:    Tue Jan 8 13:07:17 2019
Summary:     Recommended update for acl
Type:        recommended
Severity:    low
References:  953659
Description:

This update for acl fixes the following issues:

- quote: Escape literal backslashes (bsc#953659).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:111-1
Released:    Thu Jan 17 14:18:31 2019
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1120489,CVE-2018-20217
Description:

This update for krb5 fixes the following issues:

Security issue fixed:

- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:135-1
Released:    Mon Jan 21 13:53:58 2019
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:

This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal: Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state, and that failure exit code prevented the hot-added memory block from being set online. (bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:143-1
Released:    Tue Jan 22 14:21:55 2019
Summary:     Recommended update for ncurses
Type:        recommended
Severity:    important
References:  1121450
Description:

This update for ncurses fixes the following issues:

- ncurses applications freezing (bsc#1121450)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:168-1
Released:    Fri Jan 25 08:06:14 2019
Summary:     Recommended update for wicked
Type:        recommended
Severity:    moderate
References:  1022872,1026807,1027099,1036675,1057007,1061051,1069468,1072343,1078245,1083670,1084462,1084527,1085020,1085786,1095818,1102871,1107579,1109147,954758,972463
Description:

wicked was updated to version 0.6.52. The following issues have been addressed:

- wickedd: fix netdev detection bootstrap race (bsc#1107579)
- compat: fix ifcfg parsing crash if network/config is missed
- wireless: fix eap peap auth mapping for wpa-supplicant (bsc#1026807)
- vxlan: fix to convert dst_port to network byte order
- firewall: do not assign default zone, but pass as is (bsc#1109147)
- nanny: fix memory leaks on fast create-delete calls (bsc#1095818)
  + fsm: cleanup worker reset (reinit) vs. free
  + fsm: do not process or pass pending workers to nanny
  + nanny: catch init failures in device registration
  + netdev: allow NULL in get and put functions
  + model: fix to call (netif) dbus object destructors
  + model: removed server specific call in netif destroy
  + fsm: handle NULL in worker get and release calls
  + fsm: process device delete event separately
  + calls: split get netif service and netif list utils
  + xml-schema: fix range constraint values parsing
  + xml-schema: remove underscores from ni_xs_type_new
  + xml-schema: fix type leak around ni_xs_build_one_type
  + fsm: free worker control mode on worker free
  + xpath: trace and free complete xpath expression tree
  + nanny: fix config leak in ni_nanny_recheck_policy
  + dbus: free pending call in ni_dbus_connection_call
  + dbus: free dbus_message_iter_get_signature result
- dhcp6: fix to properly decline dynamic addresses
- extensions: do not use /etc/HOSTNAME artifact (bsc#972463)
- ethtool: call offload ioctl if requested by offload name, e.g. tso has been split into several features and the old STSO offload ioctl sets multiple features at once.
- ethtool: add missing pause support (bsc#1102871)
- dhcp6: refresh info using rfc4242 info-refresh-time
- dhcp6: add ia and ia addr list search utilities, improve status utils and use timeval struct in ia acquired times
- dhcp6: restart on NotOnLink status request reply
- ifcfg: show unknown/invalid bootproto as error
- dhcp6: Fix server preference and weight option behaviour
- dhcp6: retrigger duplicate detection on all address updates
- man: add ifcfg-lo.5 manual page
- man: add missing documentation for DHCLIENT6_CLIENT_ID
- man: improved create-cid docs in wicked-config(5) (bsc#1084527)
- address cache-info and lease acquisition time fixes and cleanups
- ethtool: streamline options available on all devices (bsc#1085786)
- dhcp4: expose broadcast response as DHCLIENT_BROADCAST in ifcfg
- ipoib: do not fail setup on mode or umcast set failure (bsc#1084462)
- bond: avoid reenslave failure in fail_over_mac mode (bsc#1083670)
- Fix show-xml filtering by interface name (issue #735, bsc#954758)
- ifconfig: refresh state before link reenslave hotfix (bsc#1061051)
- ethtool: query priv-flags bitmap first (bsc#1085020)
- util: fix a memory leak in ni_var_array_free
- client: refactor arp utility to add missed arp ping (bsc#1078245)
- dbus: omit zero-length hwaddr data properties
- ibft: no IP setup on bnx2x storage-only interfaces (bsc#1072343)
- fixed format, self compare and always true issues
- client: fixed broken wicked arp utility command (bsc#1078245)
- cleanup: add missing/explicit designated field initializers
- pkgconfig: fix to request libnl3 instead of libnl1
- dbus: add missing DBUS_ERROR_FAILED type to a dbus_set_error call and enforce formatting input as string when an extension did not return any error message.
- wickedd: clear master references on slaves when a master gets deleted and the deletion event arrives before the unenslave event, to avoid a bridge reenslave failure on restart (bsc#1061051).
- dhcp6: reapply confirmed addresses, also on any confirm status other to not-on-link - dhcp: clear hostname on lease recovery/reboot (bsc#1057007) - firewall: add firewalld and zone support (fate#320794) - ifconfig: cleanup slaves before enslaving (bsc#1036675) - ethtool: add rxvlan, txvlan, ntuple and rxhash offloads - dhcp6: fix to send up to 5 release retransmissions - dhcp4: fix to use rfc4361 client-id on infiniband (bsc#1022872) - man: ifcfg.5: Fix directory name for compatibility scripts - dhcp: cleanup common option update flags (bsc#1027099) - vxlan: convert ifcfg VXLAN_REMOTE_IP to remote-ip ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:209-1 Released: Thu Jan 31 09:41:23 2019 Summary: Security update for rsyslog Type: security Severity: important References: 1123164,CVE-2018-16881 Description: This update for rsyslog fixes the following issues: Security issue fixed: - CVE-2018-16881: Fixed a denial of service when both the imtcp module and Octet-Counted TCP Framing is enabled (bsc#1123164). From sle-updates at lists.suse.com Fri Jan 17 04:11:21 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 17 Jan 2020 12:11:21 +0100 (CET) Subject: SUSE-RU-2020:0120-1: moderate: Recommended update for python-jsonpatch Message-ID: <20200117111121.5C828F796@maintenance.suse.de> SUSE Recommended Update: Recommended update for python-jsonpatch ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0120-1 Rating: moderate References: #1160978 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15 SUSE Linux Enterprise Module for Packagehub Subpackages 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for python-jsonpatch fixes the following issues: - Drop jsondiff binary to avoid conflict with python-jsondiff package. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2020-120=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2020-120=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-120=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15 (noarch): python3-jsonpatch-1.16-3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15 (noarch): python2-jsonpatch-1.16-3.3.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch): python2-jsonpatch-1.16-3.3.1 References: https://bugzilla.suse.com/1160978 From sle-updates at lists.suse.com Fri Jan 17 04:12:03 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 17 Jan 2020 12:12:03 +0100 (CET) Subject: SUSE-SU-2020:0121-1: moderate: Security update for LibreOffice Message-ID: <20200117111203.D5EFAF796@maintenance.suse.de> SUSE Security Update: Security update for LibreOffice ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0121-1 Rating: moderate References: #1061210 #1144522 #1152684 Cross-References: CVE-2019-9853 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. 
Description:

This update for LibreOffice to version 6.3.3 fixes the following issues:

LibreOffice was updated to 6.3.3 (jsc#SLE-8705), bringing many bug and stability fixes.

More information for the 6.3 release at:
https://wiki.documentfoundation.org/ReleaseNotes/6.3

Security issue fixed:

- CVE-2019-9853: Fixed an issue where the security settings could be bypassed by executing macros (bsc#1152684).

Other issues addressed:

- Dropped the disable-kde4 switch, since it is no longer known by configure
- Disabled gtk2 because it will be removed in future releases
- librelogo is now a standalone sub-package (bsc#1144522).
- Partial fixes for an issue where table(s) from DOCX showed a wrong position or color (bsc#1061210).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP1:
  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-121=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-121=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP1 (noarch):
  libreoffice-branding-upstream-6.3.3.2-8.13.1 libreoffice-icon-themes-6.3.3.2-8.13.1 libreoffice-l10n-af-6.3.3.2-8.13.1 libreoffice-l10n-ar-6.3.3.2-8.13.1 libreoffice-l10n-as-6.3.3.2-8.13.1 libreoffice-l10n-bg-6.3.3.2-8.13.1 libreoffice-l10n-bn-6.3.3.2-8.13.1 libreoffice-l10n-br-6.3.3.2-8.13.1 libreoffice-l10n-ca-6.3.3.2-8.13.1 libreoffice-l10n-cs-6.3.3.2-8.13.1 libreoffice-l10n-cy-6.3.3.2-8.13.1 libreoffice-l10n-da-6.3.3.2-8.13.1 libreoffice-l10n-de-6.3.3.2-8.13.1 libreoffice-l10n-dz-6.3.3.2-8.13.1 libreoffice-l10n-el-6.3.3.2-8.13.1 libreoffice-l10n-en-6.3.3.2-8.13.1 libreoffice-l10n-eo-6.3.3.2-8.13.1 libreoffice-l10n-es-6.3.3.2-8.13.1 libreoffice-l10n-et-6.3.3.2-8.13.1 libreoffice-l10n-eu-6.3.3.2-8.13.1
libreoffice-l10n-fa-6.3.3.2-8.13.1 libreoffice-l10n-fi-6.3.3.2-8.13.1 libreoffice-l10n-fr-6.3.3.2-8.13.1 libreoffice-l10n-ga-6.3.3.2-8.13.1 libreoffice-l10n-gl-6.3.3.2-8.13.1 libreoffice-l10n-gu-6.3.3.2-8.13.1 libreoffice-l10n-he-6.3.3.2-8.13.1 libreoffice-l10n-hi-6.3.3.2-8.13.1 libreoffice-l10n-hr-6.3.3.2-8.13.1 libreoffice-l10n-hu-6.3.3.2-8.13.1 libreoffice-l10n-it-6.3.3.2-8.13.1 libreoffice-l10n-ja-6.3.3.2-8.13.1 libreoffice-l10n-kk-6.3.3.2-8.13.1 libreoffice-l10n-kn-6.3.3.2-8.13.1 libreoffice-l10n-ko-6.3.3.2-8.13.1 libreoffice-l10n-lt-6.3.3.2-8.13.1 libreoffice-l10n-lv-6.3.3.2-8.13.1 libreoffice-l10n-mai-6.3.3.2-8.13.1 libreoffice-l10n-ml-6.3.3.2-8.13.1 libreoffice-l10n-mr-6.3.3.2-8.13.1 libreoffice-l10n-nb-6.3.3.2-8.13.1 libreoffice-l10n-nl-6.3.3.2-8.13.1 libreoffice-l10n-nn-6.3.3.2-8.13.1 libreoffice-l10n-nr-6.3.3.2-8.13.1 libreoffice-l10n-nso-6.3.3.2-8.13.1 libreoffice-l10n-or-6.3.3.2-8.13.1 libreoffice-l10n-pa-6.3.3.2-8.13.1 libreoffice-l10n-pl-6.3.3.2-8.13.1 libreoffice-l10n-pt_BR-6.3.3.2-8.13.1 libreoffice-l10n-pt_PT-6.3.3.2-8.13.1 libreoffice-l10n-ro-6.3.3.2-8.13.1 libreoffice-l10n-ru-6.3.3.2-8.13.1 libreoffice-l10n-si-6.3.3.2-8.13.1 libreoffice-l10n-sk-6.3.3.2-8.13.1 libreoffice-l10n-sl-6.3.3.2-8.13.1 libreoffice-l10n-sr-6.3.3.2-8.13.1 libreoffice-l10n-ss-6.3.3.2-8.13.1 libreoffice-l10n-st-6.3.3.2-8.13.1 libreoffice-l10n-sv-6.3.3.2-8.13.1 libreoffice-l10n-ta-6.3.3.2-8.13.1 libreoffice-l10n-te-6.3.3.2-8.13.1 libreoffice-l10n-th-6.3.3.2-8.13.1 libreoffice-l10n-tn-6.3.3.2-8.13.1 libreoffice-l10n-tr-6.3.3.2-8.13.1 libreoffice-l10n-ts-6.3.3.2-8.13.1 libreoffice-l10n-uk-6.3.3.2-8.13.1 libreoffice-l10n-ve-6.3.3.2-8.13.1 libreoffice-l10n-xh-6.3.3.2-8.13.1 libreoffice-l10n-zh_CN-6.3.3.2-8.13.1 libreoffice-l10n-zh_TW-6.3.3.2-8.13.1 libreoffice-l10n-zu-6.3.3.2-8.13.1 - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): libreoffice-6.3.3.2-8.13.1 libreoffice-base-6.3.3.2-8.13.1 libreoffice-base-debuginfo-6.3.3.2-8.13.1 
libreoffice-base-drivers-postgresql-6.3.3.2-8.13.1 libreoffice-base-drivers-postgresql-debuginfo-6.3.3.2-8.13.1 libreoffice-calc-6.3.3.2-8.13.1 libreoffice-calc-debuginfo-6.3.3.2-8.13.1 libreoffice-calc-extensions-6.3.3.2-8.13.1 libreoffice-debuginfo-6.3.3.2-8.13.1 libreoffice-debugsource-6.3.3.2-8.13.1 libreoffice-draw-6.3.3.2-8.13.1 libreoffice-draw-debuginfo-6.3.3.2-8.13.1 libreoffice-filters-optional-6.3.3.2-8.13.1 libreoffice-gnome-6.3.3.2-8.13.1 libreoffice-gnome-debuginfo-6.3.3.2-8.13.1 libreoffice-gtk3-6.3.3.2-8.13.1 libreoffice-gtk3-debuginfo-6.3.3.2-8.13.1 libreoffice-impress-6.3.3.2-8.13.1 libreoffice-impress-debuginfo-6.3.3.2-8.13.1 libreoffice-mailmerge-6.3.3.2-8.13.1 libreoffice-math-6.3.3.2-8.13.1 libreoffice-math-debuginfo-6.3.3.2-8.13.1 libreoffice-officebean-6.3.3.2-8.13.1 libreoffice-officebean-debuginfo-6.3.3.2-8.13.1 libreoffice-pyuno-6.3.3.2-8.13.1 libreoffice-pyuno-debuginfo-6.3.3.2-8.13.1 libreoffice-writer-6.3.3.2-8.13.1 libreoffice-writer-debuginfo-6.3.3.2-8.13.1 libreoffice-writer-extensions-6.3.3.2-8.13.1 libreofficekit-6.3.3.2-8.13.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 x86_64): libreoffice-debuginfo-6.3.3.2-8.13.1 libreoffice-debugsource-6.3.3.2-8.13.1 libreoffice-sdk-6.3.3.2-8.13.1 libreoffice-sdk-debuginfo-6.3.3.2-8.13.1 libreoffice-sdk-doc-6.3.3.2-8.13.1 libreofficekit-devel-6.3.3.2-8.13.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): libreoffice-gdb-pretty-printers-6.3.3.2-8.13.1 libreoffice-glade-6.3.3.2-8.13.1 libreoffice-l10n-am-6.3.3.2-8.13.1 libreoffice-l10n-ast-6.3.3.2-8.13.1 libreoffice-l10n-be-6.3.3.2-8.13.1 libreoffice-l10n-bn_IN-6.3.3.2-8.13.1 libreoffice-l10n-bo-6.3.3.2-8.13.1 libreoffice-l10n-brx-6.3.3.2-8.13.1 libreoffice-l10n-bs-6.3.3.2-8.13.1 libreoffice-l10n-ca_valencia-6.3.3.2-8.13.1 libreoffice-l10n-dgo-6.3.3.2-8.13.1 libreoffice-l10n-en_GB-6.3.3.2-8.13.1 libreoffice-l10n-en_ZA-6.3.3.2-8.13.1 
libreoffice-l10n-fy-6.3.3.2-8.13.1 libreoffice-l10n-gd-6.3.3.2-8.13.1 libreoffice-l10n-gug-6.3.3.2-8.13.1 libreoffice-l10n-hsb-6.3.3.2-8.13.1 libreoffice-l10n-id-6.3.3.2-8.13.1 libreoffice-l10n-is-6.3.3.2-8.13.1 libreoffice-l10n-ka-6.3.3.2-8.13.1 libreoffice-l10n-kab-6.3.3.2-8.13.1 libreoffice-l10n-km-6.3.3.2-8.13.1 libreoffice-l10n-kmr_Latn-6.3.3.2-8.13.1 libreoffice-l10n-kok-6.3.3.2-8.13.1 libreoffice-l10n-ks-6.3.3.2-8.13.1 libreoffice-l10n-lb-6.3.3.2-8.13.1 libreoffice-l10n-lo-6.3.3.2-8.13.1 libreoffice-l10n-mk-6.3.3.2-8.13.1 libreoffice-l10n-mn-6.3.3.2-8.13.1 libreoffice-l10n-mni-6.3.3.2-8.13.1 libreoffice-l10n-my-6.3.3.2-8.13.1 libreoffice-l10n-ne-6.3.3.2-8.13.1 libreoffice-l10n-oc-6.3.3.2-8.13.1 libreoffice-l10n-om-6.3.3.2-8.13.1 libreoffice-l10n-rw-6.3.3.2-8.13.1 libreoffice-l10n-sa_IN-6.3.3.2-8.13.1 libreoffice-l10n-sat-6.3.3.2-8.13.1 libreoffice-l10n-sd-6.3.3.2-8.13.1 libreoffice-l10n-sid-6.3.3.2-8.13.1 libreoffice-l10n-sq-6.3.3.2-8.13.1 libreoffice-l10n-sw_TZ-6.3.3.2-8.13.1 libreoffice-l10n-tg-6.3.3.2-8.13.1 libreoffice-l10n-tt-6.3.3.2-8.13.1 libreoffice-l10n-ug-6.3.3.2-8.13.1 libreoffice-l10n-uz-6.3.3.2-8.13.1 libreoffice-l10n-vec-6.3.3.2-8.13.1 libreoffice-l10n-vi-6.3.3.2-8.13.1 References: https://www.suse.com/security/cve/CVE-2019-9853.html https://bugzilla.suse.com/1061210 https://bugzilla.suse.com/1144522 https://bugzilla.suse.com/1152684 From sle-updates at lists.suse.com Fri Jan 17 07:10:48 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 17 Jan 2020 15:10:48 +0100 (CET) Subject: SUSE-RU-2020:0122-1: moderate: Recommended update for container-suseconnect Message-ID: <20200117141048.84232F796@maintenance.suse.de> SUSE Recommended Update: Recommended update for container-suseconnect ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0122-1 Rating: moderate References: #1138731 #1154247 #1157960 Affected Products: SUSE Linux Enterprise Module for Containers 
15-SP1 SUSE Linux Enterprise Module for Containers 15 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for container-suseconnect fixes the following issues: - Fix usage with RMT and SMT. (bsc#1157960) - Parse the /etc/products.d/*.prod files. - Fix function comments based on best practices from Effective Go. (bsc#1138731) - Implement interacting with SCC behind proxy and SMT. (bsc#1154247) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Containers 15-SP1: zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-122=1 - SUSE Linux Enterprise Module for Containers 15: zypper in -t patch SUSE-SLE-Module-Containers-15-2020-122=1 Package List: - SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x x86_64): container-suseconnect-2.2.0-4.9.3 - SUSE Linux Enterprise Module for Containers 15 (ppc64le s390x x86_64): container-suseconnect-2.2.0-4.9.3 References: https://bugzilla.suse.com/1138731 https://bugzilla.suse.com/1154247 https://bugzilla.suse.com/1157960 From sle-updates at lists.suse.com Fri Jan 17 07:11:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 17 Jan 2020 15:11:39 +0100 (CET) Subject: SUSE-RU-2020:0123-1: moderate: Recommended update for rpcbind Message-ID: <20200117141139.69538F796@maintenance.suse.de> SUSE Recommended Update: Recommended update for rpcbind ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0123-1 Rating: moderate References: #1142343 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP1-LTSS 
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for rpcbind fixes the following issues:

- Return the correct IP address when multiple IP addresses are in the same subnet. (bsc#1142343)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-123=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-123=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
  rpcbind-0.2.1_rc4-17.6.1 rpcbind-debuginfo-0.2.1_rc4-17.6.1 rpcbind-debugsource-0.2.1_rc4-17.6.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
  rpcbind-0.2.1_rc4-17.6.1 rpcbind-debuginfo-0.2.1_rc4-17.6.1 rpcbind-debugsource-0.2.1_rc4-17.6.1

References:

https://bugzilla.suse.com/1142343

From sle-updates at lists.suse.com  Fri Jan 17 07:12:15 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 17 Jan 2020 15:12:15 +0100 (CET)
Subject: SUSE-RU-2020:0124-1: moderate: Recommended update for md_monitor
Message-ID: <20200117141215.79687F796@maintenance.suse.de>

SUSE Recommended Update: Recommended update for md_monitor
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0124-1
Rating:             moderate
References:         #1123046 #1125281 #1136542 #1139268 #1149316
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that has 5 recommended fixes can now be installed.

Description:

This update for md_monitor fixes the following issues:

- md_monitor: Check for device and alias name in 'lookup_md_new()' function. (bsc#1125281)
- md_monitor: send 'SIGHUP' to thread before cancellation. (bsc#1125281)
- md_monitor: Do not set 'REMOVED' state if 'ioctl' fails. (bsc#1125281)
- md_monitor: Close race in setting dev-thread. (bsc#1125281)
- md_monitor: Add 'pthread' synchronisation points. (bsc#1125281)
- md_monitor: Fix md structure initialisation. (bsc#1125281)
- md_monitor: Fix possible corruption of 'pending_list'. (bsc#1149316)
- md_monitor: Fix locking of 'md_dev_status_lock' in 'mdadm_exec_thread()'. (bsc#1149316)
- md_monitor: Use correct blocksize in 'io_prep_pread()'. (bsc#1139268)
- md_monitor: Add newly (re-)discovered devices to the device list. (bsc#1136542)
- md_monitor: Skip non-RAID10 arrays. (bsc#1123046)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-124=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-124=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (s390x): md_monitor-6.5+0+g5f1f461-7.7.1 md_monitor-debuginfo-6.5+0+g5f1f461-7.7.1 md_monitor-debugsource-6.5+0+g5f1f461-7.7.1 - SUSE Linux Enterprise Server 12-SP4 (s390x): md_monitor-6.5+0+g5f1f461-7.7.1 md_monitor-debuginfo-6.5+0+g5f1f461-7.7.1 md_monitor-debugsource-6.5+0+g5f1f461-7.7.1 References: https://bugzilla.suse.com/1123046 https://bugzilla.suse.com/1125281 https://bugzilla.suse.com/1136542 https://bugzilla.suse.com/1139268 https://bugzilla.suse.com/1149316 From sle-updates at lists.suse.com Fri Jan 17 10:13:30 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 17 Jan 2020 18:13:30 +0100 (CET) Subject: SUSE-RU-2020:0125-1: important: Recommended update for icu Message-ID: <20200117171330.49157F796@maintenance.suse.de> SUSE Recommended Update: Recommended update for icu ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0125-1 Rating: important References: #1161007 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for icu provides the following fix: - Re-add the libicu provides to the spec file to fix installation of SAP HANA on SLE-15 and SLE-15-SP1. 
  (bsc#1161007)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-125=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-125=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-125=1
- SUSE Linux Enterprise Module for Basesystem 15:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-125=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  icu-60.2-3.6.1 icu-debuginfo-60.2-3.6.1 icu-debugsource-60.2-3.6.1 libicu-doc-60.2-3.6.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
  libicu-devel-32bit-60.2-3.6.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
  icu-60.2-3.6.1 icu-debuginfo-60.2-3.6.1 icu-debugsource-60.2-3.6.1 libicu-doc-60.2-3.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  icu-debuginfo-60.2-3.6.1 icu-debugsource-60.2-3.6.1 libicu-devel-60.2-3.6.1 libicu60_2-60.2-3.6.1 libicu60_2-debuginfo-60.2-3.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
  libicu60_2-bedata-60.2-3.6.1 libicu60_2-ledata-60.2-3.6.1
- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
  icu-debuginfo-60.2-3.6.1 icu-debugsource-60.2-3.6.1 libicu-devel-60.2-3.6.1 libicu60_2-60.2-3.6.1 libicu60_2-debuginfo-60.2-3.6.1
- SUSE Linux Enterprise Module for Basesystem 15 (noarch):
  libicu60_2-bedata-60.2-3.6.1 libicu60_2-ledata-60.2-3.6.1

References:

https://bugzilla.suse.com/1161007

From sle-updates at lists.suse.com  Fri Jan 17 13:10:55 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 17 Jan 2020 21:10:55 +0100 (CET)
Subject: SUSE-RU-2020:0126-1: moderate: Recommended update for kernel-firmware
Message-ID: <20200117201055.B546BF798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for kernel-firmware
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0126-1
Rating:             moderate
References:         #1154395
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for kernel-firmware fixes the following issues:

- Update to version 20191118 (git commit e8a0f4c93147):
  * rtl_nic: add firmware rtl8168fp-3
  * linux-firmware: Update NXP Management Complex firmware to version 10.18.0
- Update to version 20191113 (git commit c62c3c26a5e7):
  * linux-firmware: Update firmware file for Intel Bluetooth AX201
  * linux-firmware: Update firmware file for Intel Bluetooth AX200
  * linux-firmware: Update firmware file for Intel Bluetooth 9560
  * linux-firmware: Update firmware file for Intel Bluetooth 9260
  * amdgpu: update navi14 vcn firmware
  * amdgpu: update navi10 vcn firmware
- Update to version 20191108 (git commit f1100ddf581f) (bsc#1154395):
  * i915: Add HuC firmware v7.0.3 for TGL
  * i915: Add GuC firmware v35.2.0 for TGL
  * i915: Add HuC firmware v9.0.0 for EHL
  * i915: Add GuC firmware v33.0.4 for EHL
  * rtw88: RTL8723D: add firmware file v48
  * qed: Add firmware 8.40.33.0
  * amdgpu: add new navi14 wks gfx firmware for 19.30
  * amdgpu: update navi14 firmware for 19.30
  * amdgpu: update raven firmware for 19.30
  * linux-firmware: Add firmware file for Intel Bluetooth AX201

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-126=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15 (noarch):
  kernel-firmware-20191118-3.31.2 ucode-amd-20191118-3.31.2

References:

https://bugzilla.suse.com/1154395

From sle-updates at lists.suse.com  Fri Jan 17 13:11:36 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 17 Jan 2020 21:11:36 +0100 (CET)
Subject: SUSE-RU-2020:14269-1: moderate: Recommended update for firefox-gcc8
Message-ID: <20200117201136.0F69FF798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for firefox-gcc8
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:14269-1
Rating:             moderate
References:         #1159218
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for firefox-gcc8 fixes the following issues:

The previous Firefox helper update shipped "firefox-libstdc++6-gcc8" and "firefox-libgcc_s1-gcc8" packages instead of "firefox-libstdc++6" and "firefox-libgcc_s1" updates. This led to problems with third-party update stacks and has been changed back. (bsc#1159218)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-firefox-gcc8-14269=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):
  firefox-libgcc_s1-8.2.1+r264010-2.8.1 firefox-libstdc++6-8.2.1+r264010-2.8.1

References:

https://bugzilla.suse.com/1159218

From sle-updates at lists.suse.com  Sat Jan 18 11:22:16 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 18 Jan 2020 19:22:16 +0100 (CET)
Subject: SUSE-CU-2020:18-1: Recommended update of suse/sle15
Message-ID: <20200118182216.A03ECFC56@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:18-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.132
Severity              : moderate
Type                  : recommended
References            : 1138731 1154247 1157960
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:122-1
Released:    Fri Jan 17 10:56:07 2020
Summary:     Recommended update for container-suseconnect
Type:        recommended
Severity:    moderate
References:  1138731,1154247,1157960
Description:
This update for container-suseconnect fixes the following issues:

- Fix usage with RMT and SMT. (bsc#1157960)
- Parse the /etc/products.d/*.prod files.
- Fix function comments based on best practices from Effective Go. (bsc#1138731)
- Implement interacting with SCC behind proxy and SMT. (bsc#1154247)

From sle-updates at lists.suse.com  Sat Jan 18 11:24:14 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 18 Jan 2020 19:24:14 +0100 (CET)
Subject: SUSE-CU-2020:19-1: Recommended update of suse/sle15
Message-ID: <20200118182414.66F56FC56@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:19-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.143
Severity              : moderate
Type                  : recommended
References            : 1138731 1154247 1157960
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:122-1
Released:    Fri Jan 17 10:56:07 2020
Summary:     Recommended update for container-suseconnect
Type:        recommended
Severity:    moderate
References:  1138731,1154247,1157960
Description:
This update for container-suseconnect fixes the following issues:

- Fix usage with RMT and SMT. (bsc#1157960)
- Parse the /etc/products.d/*.prod files.
- Fix function comments based on best practices from Effective Go. (bsc#1138731)
- Implement interacting with SCC behind proxy and SMT. (bsc#1154247)

From sle-updates at lists.suse.com  Mon Jan 20 10:12:33 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 20 Jan 2020 18:12:33 +0100 (CET)
Subject: SUSE-SU-2020:0131-1: important: Security update for libssh
Message-ID: <20200120171233.E0031FC56@maintenance.suse.de>

SUSE Security Update: Security update for libssh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0131-1
Rating:             important
References:         #1158095
Cross-References:   CVE-2019-14889
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by an unsanitized location (bsc#1158095).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-131=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-131=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.8.7-3.6.1 libssh-devel-0.8.7-3.6.1 libssh4-0.8.7-3.6.1 libssh4-debuginfo-0.8.7-3.6.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.8.7-3.6.1 libssh4-0.8.7-3.6.1 libssh4-debuginfo-0.8.7-3.6.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libssh4-32bit-0.8.7-3.6.1 libssh4-debuginfo-32bit-0.8.7-3.6.1 References: https://www.suse.com/security/cve/CVE-2019-14889.html https://bugzilla.suse.com/1158095 From sle-updates at lists.suse.com Mon Jan 20 10:13:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:13:19 +0100 (CET) Subject: SUSE-RU-2020:0136-1: moderate: Recommended update for yast2-firstboot Message-ID: <20200120171319.1D3DEFC56@maintenance.suse.de> SUSE Recommended Update: Recommended update for yast2-firstboot ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0136-1 Rating: moderate References: #1154708 Affected Products: SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for yast2-firstboot fixes the following issues: - Improve the "firstboot_licenses" client to give precedence to the directory argument, allowing to use it multiple times to show different licenses (bsc#1154708). Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-136=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-136=1 Package List: - SUSE Linux Enterprise Server 12-SP4 (noarch): yast2-firstboot-3.1.25-3.9.1 - SUSE Linux Enterprise Desktop 12-SP4 (noarch): yast2-firstboot-3.1.25-3.9.1 References: https://bugzilla.suse.com/1154708 From sle-updates at lists.suse.com Mon Jan 20 10:14:04 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:14:04 +0100 (CET) Subject: SUSE-SU-2020:0140-1: important: Security update for java-11-openjdk Message-ID: <20200120171404.6230FFC56@maintenance.suse.de> SUSE Security Update: Security update for java-11-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0140-1 Rating: important References: #1160968 Cross-References: CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2655 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: This update for java-11-openjdk fixes the following issues: Update to version jdk-11.0.6-10 (January 2020 CPU, bsc#1160968) Fixing these security related issues: - CVE-2020-2583: Unlink Set of LinkedHashSets - CVE-2020-2590: Improve Kerberos interop capabilities - CVE-2020-2593: Normalize normalization for all - CVE-2020-2601: Better Ticket Granting Services - CVE-2020-2604: Better serial filter handling - CVE-2020-2655: Better TLS messaging support - CVE-2020-2654: Improve Object Identifier Processing Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-140=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-11-openjdk-11.0.6.0-3.6.1 java-11-openjdk-debuginfo-11.0.6.0-3.6.1 java-11-openjdk-debugsource-11.0.6.0-3.6.1 java-11-openjdk-demo-11.0.6.0-3.6.1 java-11-openjdk-devel-11.0.6.0-3.6.1 java-11-openjdk-headless-11.0.6.0-3.6.1 References: https://www.suse.com/security/cve/CVE-2020-2583.html https://www.suse.com/security/cve/CVE-2020-2590.html https://www.suse.com/security/cve/CVE-2020-2593.html https://www.suse.com/security/cve/CVE-2020-2601.html https://www.suse.com/security/cve/CVE-2020-2604.html https://www.suse.com/security/cve/CVE-2020-2654.html https://www.suse.com/security/cve/CVE-2020-2655.html https://bugzilla.suse.com/1160968 From sle-updates at lists.suse.com Mon Jan 20 10:14:49 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:14:49 +0100 (CET) Subject: SUSE-SU-2020:0129-1: important: Security update for libssh Message-ID: <20200120171449.1A0D6FC56@maintenance.suse.de> SUSE Security Update: Security update for libssh ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0129-1 Rating: important References: #1158095 Cross-References: CVE-2019-14889 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-129=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-129=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.8.7-10.9.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.8.7-10.9.1 libssh-devel-0.8.7-10.9.1 libssh4-0.8.7-10.9.1 libssh4-debuginfo-0.8.7-10.9.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libssh4-32bit-0.8.7-10.9.1 libssh4-32bit-debuginfo-0.8.7-10.9.1 References: https://www.suse.com/security/cve/CVE-2019-14889.html https://bugzilla.suse.com/1158095 From sle-updates at lists.suse.com Mon Jan 20 10:15:41 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:15:41 +0100 (CET) Subject: SUSE-RU-2020:0134-1: moderate: Recommended update for ClusterTools2 Message-ID: <20200120171541.A7948FCEF@maintenance.suse.de> SUSE Recommended Update: Recommended update for ClusterTools2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0134-1 Rating: moderate References: #1097134 #1115405 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. 
Description: This update for ClusterTools2 fixes the following issues: - Replace cron jobs with systemd timers. (bsc#1097134, jsc#SLE-9199) - As the ClusterTools2 does not contain any active cronjob it is removed. (bsc#1115405, fate#323635) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP5: zypper in -t patch SUSE-SLE-SAP-12-SP5-2020-134=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-134=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-134=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-134=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP5 (noarch): ClusterTools2-3.1.0-19.6.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): ClusterTools2-3.1.0-19.6.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): ClusterTools2-3.1.0-19.6.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): ClusterTools2-3.1.0-19.6.1 References: https://bugzilla.suse.com/1097134 https://bugzilla.suse.com/1115405 From sle-updates at lists.suse.com Mon Jan 20 10:16:38 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:16:38 +0100 (CET) Subject: SUSE-RU-2020:0141-1: moderate: Recommended update for autoyast2 Message-ID: <20200120171638.9DF5FFCEF@maintenance.suse.de> SUSE Recommended Update: Recommended update for autoyast2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0141-1 Rating: moderate References: #1155576 #1156567 #1156905 #1159157 Affected Products: SUSE Linux Enterprise Server Installer 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update 
that has four recommended fixes can now be installed. Description: This update for autoyast2 fixes the following issues: - Warn the user if no partition has been found due the given 'skip_list' list. (bsc#1155576) - Add YaST-AutoInstSchema 'firstboot.rnc' to the desktop file to avoid error on profile validation during checking autoyast custom scripts. (bsc#1156905) - Consider extended partitions when trying to figure out whether the partitioning layout described in the profile fits. (bsc#1156567). - Report XML parsing errors instead of just crashing. (bsc#1159157) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server Installer 12-SP5: zypper in -t patch SUSE-SLE-SERVER-INSTALLER-12-SP5-2020-141=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-141=1 Package List: - SUSE Linux Enterprise Server Installer 12-SP5 (noarch): autoyast2-3.2.42-3.9.2 autoyast2-installation-3.2.42-3.9.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): yast2-schema-3.3.1-3.3.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): autoyast2-3.2.42-3.9.2 autoyast2-installation-3.2.42-3.9.2 References: https://bugzilla.suse.com/1155576 https://bugzilla.suse.com/1156567 https://bugzilla.suse.com/1156905 https://bugzilla.suse.com/1159157 From sle-updates at lists.suse.com Mon Jan 20 10:17:54 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:17:54 +0100 (CET) Subject: SUSE-SU-2020:0130-1: important: Security update for libssh Message-ID: <20200120171754.8CD58FCEF@maintenance.suse.de> SUSE Security Update: Security update for libssh ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0130-1 Rating: important References: #1158095 Cross-References: 
CVE-2019-14889 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-130=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-130=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-130=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-130=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-130=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-130=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libssh-debugsource-0.7.5-6.9.2 libssh-devel-0.7.5-6.9.2 libssh4-0.7.5-6.9.2 libssh4-debuginfo-0.7.5-6.9.2 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libssh4-32bit-0.7.5-6.9.2 libssh4-32bit-debuginfo-0.7.5-6.9.2 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libssh-debugsource-0.7.5-6.9.2 libssh-devel-0.7.5-6.9.2 libssh4-0.7.5-6.9.2 libssh4-debuginfo-0.7.5-6.9.2 
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.7.5-6.9.2 libssh-devel-doc-0.7.5-6.9.2 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.7.5-6.9.2 libssh-devel-0.7.5-6.9.2 libssh4-0.7.5-6.9.2 libssh4-debuginfo-0.7.5-6.9.2 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libssh4-32bit-0.7.5-6.9.2 libssh4-32bit-debuginfo-0.7.5-6.9.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libssh-debugsource-0.7.5-6.9.2 libssh-devel-0.7.5-6.9.2 libssh4-0.7.5-6.9.2 libssh4-debuginfo-0.7.5-6.9.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libssh4-32bit-0.7.5-6.9.2 libssh4-32bit-debuginfo-0.7.5-6.9.2 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libssh-debugsource-0.7.5-6.9.2 libssh-devel-0.7.5-6.9.2 libssh4-0.7.5-6.9.2 libssh4-debuginfo-0.7.5-6.9.2 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libssh4-32bit-0.7.5-6.9.2 libssh4-32bit-debuginfo-0.7.5-6.9.2 References: https://www.suse.com/security/cve/CVE-2019-14889.html https://bugzilla.suse.com/1158095 From sle-updates at lists.suse.com Mon Jan 20 10:18:44 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:18:44 +0100 (CET) Subject: SUSE-RU-2020:0135-1: moderate: Recommended update for yast2-firstboot Message-ID: <20200120171844.41A57FC56@maintenance.suse.de> SUSE Recommended Update: Recommended update for yast2-firstboot ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0135-1 Rating: moderate References: #1154708 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for yast2-firstboot fixes the following issues: - Improve the "firstboot_licenses" client to give precedence to the directory argument, allowing to use it multiple times to show different licenses (bsc#1154708). Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-135=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (noarch): yast2-firstboot-3.1.25-3.6.1 References: https://bugzilla.suse.com/1154708 From sle-updates at lists.suse.com Mon Jan 20 10:20:20 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:20:20 +0100 (CET) Subject: SUSE-SU-2020:0139-1: important: Security update for libssh Message-ID: <20200120172020.2F31EFC56@maintenance.suse.de> SUSE Security Update: Security update for libssh ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0139-1 Rating: important References: #1158095 Cross-References: CVE-2019-14889 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-139=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-139=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-139=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-139=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libssh-devel-doc-0.6.3-12.12.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.6.3-12.12.1 libssh-devel-0.6.3-12.12.1 libssh-devel-doc-0.6.3-12.12.1 libssh4-0.6.3-12.12.1 libssh4-debuginfo-0.6.3-12.12.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.6.3-12.12.1 libssh4-0.6.3-12.12.1 libssh4-debuginfo-0.6.3-12.12.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libssh4-32bit-0.6.3-12.12.1 libssh4-debuginfo-32bit-0.6.3-12.12.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libssh-debugsource-0.6.3-12.12.1 libssh4-0.6.3-12.12.1 libssh4-32bit-0.6.3-12.12.1 libssh4-debuginfo-0.6.3-12.12.1 libssh4-debuginfo-32bit-0.6.3-12.12.1 References: https://www.suse.com/security/cve/CVE-2019-14889.html https://bugzilla.suse.com/1158095 From sle-updates at lists.suse.com Mon Jan 20 10:21:05 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:21:05 +0100 (CET) Subject: SUSE-RU-2020:0133-1: moderate: Recommended update for ClusterTools2 Message-ID: <20200120172105.F1FD4FC56@maintenance.suse.de> SUSE Recommended Update: Recommended update for ClusterTools2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0133-1 Rating: moderate References: #1084925 #1097134 #1115405 Affected Products: SUSE Linux Enterprise Module 
for SAP Applications 15 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for ClusterTools2 fixes the following issues: - Replace cron jobs with systemd timers. (bsc#1097134, jsc#SLE-9199) - As the ClusterTools2 does not contain any active cronjob it is removed. (bsc#1115405, fate#323635) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SAP Applications 15: zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-2020-133=1 Package List: - SUSE Linux Enterprise Module for SAP Applications 15 (noarch): ClusterTools2-3.1.0-3.3.1 References: https://bugzilla.suse.com/1084925 https://bugzilla.suse.com/1097134 https://bugzilla.suse.com/1115405 From sle-updates at lists.suse.com Mon Jan 20 10:22:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:22:46 +0100 (CET) Subject: SUSE-SU-2020:0132-1: moderate: Security update for Mesa Message-ID: <20200120172246.3B772FC56@maintenance.suse.de> SUSE Security Update: Security update for Mesa ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0132-1 Rating: moderate References: #1156015 Cross-References: CVE-2019-5068 Affected Products: SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for Mesa fixes the following issues: Security issue fixed: - CVE-2019-5068: Fixed exploitable shared memory permissions vulnerability (bsc#1156015). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15: zypper in -t patch SUSE-SLE-Product-WE-15-2020-132=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-132=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-132=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-132=1 Package List: - SUSE Linux Enterprise Workstation Extension 15 (x86_64): Mesa-dri-nouveau-18.0.2-27.6.1 Mesa-dri-nouveau-debuginfo-18.0.2-27.6.1 Mesa-drivers-debugsource-18.0.2-27.6.1 libXvMC_nouveau-18.0.2-27.6.1 libXvMC_nouveau-debuginfo-18.0.2-27.6.1 libvdpau_nouveau-18.0.2-27.6.1 libvdpau_nouveau-debuginfo-18.0.2-27.6.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): libwayland-egl-devel-18.0.2-27.6.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x): Mesa-debugsource-18.0.2-27.6.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libwayland-egl-devel-32bit-18.0.2-27.6.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): Mesa-drivers-debugsource-18.0.2-27.6.1 Mesa-libOpenCL-18.0.2-27.6.1 Mesa-libOpenCL-debuginfo-18.0.2-27.6.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): Mesa-18.0.2-27.6.1 Mesa-debugsource-18.0.2-27.6.1 Mesa-devel-18.0.2-27.6.1 
Mesa-dri-18.0.2-27.6.1 Mesa-dri-debuginfo-18.0.2-27.6.1 Mesa-dri-devel-18.0.2-27.6.1 Mesa-drivers-debugsource-18.0.2-27.6.1 Mesa-gallium-18.0.2-27.6.1 Mesa-gallium-debuginfo-18.0.2-27.6.1 Mesa-libEGL-devel-18.0.2-27.6.1 Mesa-libEGL1-18.0.2-27.6.1 Mesa-libEGL1-debuginfo-18.0.2-27.6.1 Mesa-libGL-devel-18.0.2-27.6.1 Mesa-libGL1-18.0.2-27.6.1 Mesa-libGL1-debuginfo-18.0.2-27.6.1 Mesa-libGLESv1_CM-devel-18.0.2-27.6.1 Mesa-libGLESv1_CM1-18.0.2-27.6.1 Mesa-libGLESv2-2-18.0.2-27.6.1 Mesa-libGLESv2-devel-18.0.2-27.6.1 Mesa-libGLESv3-devel-18.0.2-27.6.1 Mesa-libglapi-devel-18.0.2-27.6.1 Mesa-libglapi0-18.0.2-27.6.1 Mesa-libglapi0-debuginfo-18.0.2-27.6.1 libOSMesa-devel-18.0.2-27.6.1 libOSMesa8-18.0.2-27.6.1 libOSMesa8-debuginfo-18.0.2-27.6.1 libgbm-devel-18.0.2-27.6.1 libgbm1-18.0.2-27.6.1 libgbm1-debuginfo-18.0.2-27.6.1 libwayland-egl-devel-18.0.2-27.6.1 libwayland-egl1-18.0.2-27.6.1 libwayland-egl1-debuginfo-18.0.2-27.6.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le x86_64): Mesa-libva-18.0.2-27.6.1 Mesa-libva-debuginfo-18.0.2-27.6.1 libvdpau_r300-18.0.2-27.6.1 libvdpau_r300-debuginfo-18.0.2-27.6.1 libvdpau_r600-18.0.2-27.6.1 libvdpau_r600-debuginfo-18.0.2-27.6.1 libxatracker-devel-1.0.0-27.6.1 libxatracker2-1.0.0-27.6.1 libxatracker2-debuginfo-1.0.0-27.6.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): Mesa-32bit-18.0.2-27.6.1 Mesa-dri-32bit-18.0.2-27.6.1 Mesa-dri-32bit-debuginfo-18.0.2-27.6.1 Mesa-gallium-32bit-18.0.2-27.6.1 Mesa-gallium-32bit-debuginfo-18.0.2-27.6.1 Mesa-libEGL1-32bit-18.0.2-27.6.1 Mesa-libEGL1-32bit-debuginfo-18.0.2-27.6.1 Mesa-libGL1-32bit-18.0.2-27.6.1 Mesa-libGL1-32bit-debuginfo-18.0.2-27.6.1 Mesa-libVulkan-devel-18.0.2-27.6.1 Mesa-libd3d-18.0.2-27.6.1 Mesa-libd3d-debuginfo-18.0.2-27.6.1 Mesa-libd3d-devel-18.0.2-27.6.1 Mesa-libglapi0-32bit-18.0.2-27.6.1 Mesa-libglapi0-32bit-debuginfo-18.0.2-27.6.1 libgbm1-32bit-18.0.2-27.6.1 libgbm1-32bit-debuginfo-18.0.2-27.6.1 libvdpau_radeonsi-18.0.2-27.6.1 
libvdpau_radeonsi-debuginfo-18.0.2-27.6.1 libvulkan_intel-18.0.2-27.6.1 libvulkan_intel-debuginfo-18.0.2-27.6.1 libvulkan_radeon-18.0.2-27.6.1 libvulkan_radeon-debuginfo-18.0.2-27.6.1 References: https://www.suse.com/security/cve/CVE-2019-5068.html https://bugzilla.suse.com/1156015 From sle-updates at lists.suse.com Mon Jan 20 10:23:28 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 18:23:28 +0100 (CET) Subject: SUSE-RU-2020:0137-1: moderate: Recommended update for sbd Message-ID: <20200120172328.80BDEFC56@maintenance.suse.de> SUSE Recommended Update: Recommended update for sbd ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0137-1 Rating: moderate References: #1140065 #1148236 #1150429 Affected Products: SUSE Linux Enterprise High Availability 12-SP5 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for sbd fixes the following issues: - Add a warning log if failed to open/read device on startup. (bsc#1150429) - Log detailed errors for monitor failures. (bsc#1148236) - List/dump failures go to 'stderr'. (bsc#1148236) - Rebase patch for fixing sbd cluster for disconnection cmap exit. (bsc#1140065) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 12-SP5: zypper in -t patch SUSE-SLE-HA-12-SP5-2020-137=1 Package List: - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64): sbd-1.4.0+20191029.695f9ca-3.3.10 sbd-debuginfo-1.4.0+20191029.695f9ca-3.3.10 sbd-debugsource-1.4.0+20191029.695f9ca-3.3.10 References: https://bugzilla.suse.com/1140065 https://bugzilla.suse.com/1148236 https://bugzilla.suse.com/1150429 From sle-updates at lists.suse.com Mon Jan 20 13:11:02 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 21:11:02 +0100 (CET) Subject: SUSE-RU-2020:0144-1: moderate: Recommended update for yast2-iscsi-client Message-ID: <20200120201102.B94C8F798@maintenance.suse.de> SUSE Recommended Update: Recommended update for yast2-iscsi-client ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0144-1 Rating: moderate References: #1157349 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for yast2-iscsi-client fixes the following issues: - Fix detection of service current status (bsc#1157349). Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-144=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-144=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-144=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (noarch): yast2-iscsi-client-3.1.32-3.6.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): yast2-iscsi-client-3.1.32-3.6.1 - SUSE Linux Enterprise Desktop 12-SP4 (noarch): yast2-iscsi-client-3.1.32-3.6.1 References: https://bugzilla.suse.com/1157349 From sle-updates at lists.suse.com Mon Jan 20 13:13:00 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 20 Jan 2020 21:13:00 +0100 (CET) Subject: SUSE-SU-2020:0143-1: important: Security update for libvpx Message-ID: <20200120201300.19BC5F798@maintenance.suse.de> SUSE Security Update: Security update for libvpx ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0143-1 Rating: important References: #1160611 #1160612 #1160613 #1160614 #1160615 Cross-References: CVE-2019-2126 CVE-2019-9232 CVE-2019-9325 CVE-2019-9371 CVE-2019-9433 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Packagehub Subpackages 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that 
fixes 5 vulnerabilities is now available.

Description:

   This update for libvpx fixes the following issues:

   - CVE-2019-2126: Fixed a double free in ParseContentEncodingEntry() (bsc#1160611).
   - CVE-2019-9325: Fixed an out-of-bounds read (bsc#1160612).
   - CVE-2019-9232: Fixed an out-of-bounds memory access on fuzzed data (bsc#1160613).
   - CVE-2019-9433: Fixed a use-after-free in vp8_deblock() (bsc#1160614).
   - CVE-2019-9371: Fixed a resource exhaustion after memory leak (bsc#1160615).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-143=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-143=1
   - SUSE Linux Enterprise Module for Packagehub Subpackages 15:
      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2020-143=1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-143=1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-143=1
   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-143=1
   - SUSE Linux Enterprise Module for Desktop Applications 15:
      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2020-143=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-143=1
   - SUSE Linux Enterprise Module for Basesystem 15:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-143=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-143=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-143=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      libvpx-debugsource-1.6.1-6.3.1
      libvpx4-1.6.1-6.3.1
      libvpx4-debuginfo-1.6.1-6.3.1
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      libvpx-debugsource-1.6.1-6.3.1
      libvpx4-1.6.1-6.3.1
      libvpx4-debuginfo-1.6.1-6.3.1
   - SUSE Linux Enterprise Module for Packagehub Subpackages 15 (aarch64 ppc64le s390x x86_64):
      libvpx-debugsource-1.6.1-6.3.1
      vpx-tools-1.6.1-6.3.1
      vpx-tools-debuginfo-1.6.1-6.3.1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
      libvpx-debugsource-1.6.1-6.3.1
      vpx-tools-1.6.1-6.3.1
      vpx-tools-debuginfo-1.6.1-6.3.1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
      libvpx4-32bit-1.6.1-6.3.1
      libvpx4-32bit-debuginfo-1.6.1-6.3.1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
      libvpx-debugsource-1.6.1-6.3.1
      vpx-tools-1.6.1-6.3.1
      vpx-tools-debuginfo-1.6.1-6.3.1
   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
      libvpx-debugsource-1.6.1-6.3.1
      libvpx-devel-1.6.1-6.3.1
   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):
      libvpx-debugsource-1.6.1-6.3.1
      libvpx-devel-1.6.1-6.3.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      libvpx-debugsource-1.6.1-6.3.1
      libvpx4-1.6.1-6.3.1
      libvpx4-debuginfo-1.6.1-6.3.1
   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
      libvpx-debugsource-1.6.1-6.3.1
      libvpx4-1.6.1-6.3.1
      libvpx4-debuginfo-1.6.1-6.3.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      libvpx-debugsource-1.6.1-6.3.1
      libvpx4-1.6.1-6.3.1
      libvpx4-debuginfo-1.6.1-6.3.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      libvpx-debugsource-1.6.1-6.3.1
      libvpx4-1.6.1-6.3.1
      libvpx4-debuginfo-1.6.1-6.3.1

References:

   https://www.suse.com/security/cve/CVE-2019-2126.html
   https://www.suse.com/security/cve/CVE-2019-9232.html
   https://www.suse.com/security/cve/CVE-2019-9325.html
   https://www.suse.com/security/cve/CVE-2019-9371.html
   https://www.suse.com/security/cve/CVE-2019-9433.html
   https://bugzilla.suse.com/1160611
   https://bugzilla.suse.com/1160612
   https://bugzilla.suse.com/1160613
   https://bugzilla.suse.com/1160614
   https://bugzilla.suse.com/1160615

From sle-updates at lists.suse.com Mon Jan 20 13:14:07 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 20 Jan 2020 21:14:07 +0100 (CET)
Subject: SUSE-SU-2020:0142-1: important: Security update for MozillaThunderbird
Message-ID: <20200120201407.76373F798@maintenance.suse.de>

SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0142-1
Rating:             important
References:         #1160305 #1160498
Cross-References:   CVE-2019-17015 CVE-2019-17016 CVE-2019-17017 CVE-2019-17021
                    CVE-2019-17022 CVE-2019-17024 CVE-2019-17026
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP1
                    SUSE Linux Enterprise Workstation Extension 15
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for MozillaThunderbird to version 68.4.1 fixes the following issues:

   Security issues fixed:

   - CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
   - CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
   - CVE-2019-17017: Type confusion in XPCVariant.cpp
   - CVE-2019-17022: CSS sanitization does not escape HTML tags
   - CVE-2019-17024: Multiple memory safety bugs fixed

   Non-security issues fixed:

   - Various improvements when setting up an account for a Microsoft Exchange server,
     for example better detection of Office 365 accounts.
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP1:
      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-142=1
   - SUSE Linux Enterprise Workstation Extension 15:
      zypper in -t patch SUSE-SLE-Product-WE-15-2020-142=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):
      MozillaThunderbird-68.4.1-3.66.1
      MozillaThunderbird-debuginfo-68.4.1-3.66.1
      MozillaThunderbird-debugsource-68.4.1-3.66.1
      MozillaThunderbird-translations-common-68.4.1-3.66.1
      MozillaThunderbird-translations-other-68.4.1-3.66.1
   - SUSE Linux Enterprise Workstation Extension 15 (x86_64):
      MozillaThunderbird-68.4.1-3.66.1
      MozillaThunderbird-debuginfo-68.4.1-3.66.1
      MozillaThunderbird-debugsource-68.4.1-3.66.1
      MozillaThunderbird-translations-common-68.4.1-3.66.1
      MozillaThunderbird-translations-other-68.4.1-3.66.1

References:

   https://www.suse.com/security/cve/CVE-2019-17015.html
   https://www.suse.com/security/cve/CVE-2019-17016.html
   https://www.suse.com/security/cve/CVE-2019-17017.html
   https://www.suse.com/security/cve/CVE-2019-17021.html
   https://www.suse.com/security/cve/CVE-2019-17022.html
   https://www.suse.com/security/cve/CVE-2019-17024.html
   https://www.suse.com/security/cve/CVE-2019-17026.html
   https://bugzilla.suse.com/1160305
   https://bugzilla.suse.com/1160498

From sle-updates at lists.suse.com Tue Jan 21 07:11:14 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 21 Jan 2020 15:11:14 +0100 (CET)
Subject: SUSE-SU-2020:0145-1: moderate: Security update for Mesa
Message-ID: <20200121141114.30535F798@maintenance.suse.de>

SUSE Security Update: Security update for Mesa
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0145-1
Rating:             moderate
References:         #1156015
Cross-References:   CVE-2019-5068
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP4
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for Mesa fixes the following issues:

   Security issue fixed:

   - CVE-2019-5068: Fixed an exploitable shared memory permissions vulnerability (bsc#1156015).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP4:
      zypper in -t patch SUSE-SLE-WE-12-SP4-2020-145=1
   - SUSE Linux Enterprise Software Development Kit 12-SP4:
      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-145=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-145=1
   - SUSE Linux Enterprise Desktop 12-SP4:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-145=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):
      Mesa-debugsource-18.0.2-8.3.2
      Mesa-libGLESv2-2-32bit-18.0.2-8.3.2
      Mesa-libGLESv2-2-debuginfo-32bit-18.0.2-8.3.2
   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
      Mesa-debugsource-18.0.2-8.3.2
      Mesa-devel-18.0.2-8.3.2
      Mesa-dri-devel-18.0.2-8.3.2
      Mesa-libEGL-devel-18.0.2-8.3.2
      Mesa-libGL-devel-18.0.2-8.3.2
      Mesa-libGLESv1_CM-devel-18.0.2-8.3.2
      Mesa-libGLESv1_CM1-18.0.2-8.3.2
      Mesa-libGLESv1_CM1-debuginfo-18.0.2-8.3.2
      Mesa-libGLESv2-devel-18.0.2-8.3.2
      Mesa-libGLESv3-devel-18.0.2-8.3.2
      Mesa-libglapi-devel-18.0.2-8.3.2
      libOSMesa-devel-18.0.2-8.3.2
      libOSMesa8-18.0.2-8.3.2
      libOSMesa8-debuginfo-18.0.2-8.3.2
      libgbm-devel-18.0.2-8.3.2
   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le x86_64):
      libxatracker-devel-1.0.0-8.3.2
   - SUSE Linux Enterprise Software Development Kit 12-SP4 (s390x x86_64):
      libOSMesa8-32bit-18.0.2-8.3.2
      libOSMesa8-debuginfo-32bit-18.0.2-8.3.2
   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      Mesa-18.0.2-8.3.2
      Mesa-debugsource-18.0.2-8.3.2
      Mesa-dri-18.0.2-8.3.2
      Mesa-dri-debuginfo-18.0.2-8.3.2
      Mesa-drivers-debugsource-18.0.2-8.3.2
      Mesa-libEGL1-18.0.2-8.3.2
      Mesa-libEGL1-debuginfo-18.0.2-8.3.2
      Mesa-libGL1-18.0.2-8.3.2
      Mesa-libGL1-debuginfo-18.0.2-8.3.2
      Mesa-libGLESv2-2-18.0.2-8.3.2
      Mesa-libGLESv2-2-debuginfo-18.0.2-8.3.2
      Mesa-libglapi0-18.0.2-8.3.2
      Mesa-libglapi0-debuginfo-18.0.2-8.3.2
      libgbm1-18.0.2-8.3.2
      libgbm1-debuginfo-18.0.2-8.3.2
   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le x86_64):
      libxatracker2-1.0.0-8.3.2
      libxatracker2-debuginfo-1.0.0-8.3.2
   - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):
      Mesa-32bit-18.0.2-8.3.2
      Mesa-dri-32bit-18.0.2-8.3.2
      Mesa-dri-debuginfo-32bit-18.0.2-8.3.2
      Mesa-libEGL1-32bit-18.0.2-8.3.2
      Mesa-libEGL1-debuginfo-32bit-18.0.2-8.3.2
      Mesa-libGL1-32bit-18.0.2-8.3.2
      Mesa-libGL1-debuginfo-32bit-18.0.2-8.3.2
      Mesa-libglapi0-32bit-18.0.2-8.3.2
      Mesa-libglapi0-debuginfo-32bit-18.0.2-8.3.2
      libgbm1-32bit-18.0.2-8.3.2
      libgbm1-debuginfo-32bit-18.0.2-8.3.2
   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
      Mesa-18.0.2-8.3.2
      Mesa-32bit-18.0.2-8.3.2
      Mesa-debugsource-18.0.2-8.3.2
      Mesa-dri-18.0.2-8.3.2
      Mesa-dri-32bit-18.0.2-8.3.2
      Mesa-dri-debuginfo-18.0.2-8.3.2
      Mesa-dri-debuginfo-32bit-18.0.2-8.3.2
      Mesa-drivers-debugsource-18.0.2-8.3.2
      Mesa-libEGL1-18.0.2-8.3.2
      Mesa-libEGL1-32bit-18.0.2-8.3.2
      Mesa-libEGL1-debuginfo-18.0.2-8.3.2
      Mesa-libEGL1-debuginfo-32bit-18.0.2-8.3.2
      Mesa-libGL1-18.0.2-8.3.2
      Mesa-libGL1-32bit-18.0.2-8.3.2
      Mesa-libGL1-debuginfo-18.0.2-8.3.2
      Mesa-libGL1-debuginfo-32bit-18.0.2-8.3.2
      Mesa-libGLESv2-2-18.0.2-8.3.2
      Mesa-libGLESv2-2-32bit-18.0.2-8.3.2
      Mesa-libGLESv2-2-debuginfo-18.0.2-8.3.2
      Mesa-libGLESv2-2-debuginfo-32bit-18.0.2-8.3.2
      Mesa-libglapi0-18.0.2-8.3.2
      Mesa-libglapi0-32bit-18.0.2-8.3.2
      Mesa-libglapi0-debuginfo-18.0.2-8.3.2
      Mesa-libglapi0-debuginfo-32bit-18.0.2-8.3.2
      libgbm1-18.0.2-8.3.2
      libgbm1-32bit-18.0.2-8.3.2
      libgbm1-debuginfo-18.0.2-8.3.2
      libgbm1-debuginfo-32bit-18.0.2-8.3.2
      libxatracker2-1.0.0-8.3.2
      libxatracker2-debuginfo-1.0.0-8.3.2

References:

   https://www.suse.com/security/cve/CVE-2019-5068.html
   https://bugzilla.suse.com/1156015

From sle-updates at lists.suse.com Tue Jan 21 07:12:52 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 21 Jan 2020 15:12:52 +0100 (CET)
Subject: SUSE-RU-2020:0150-1: moderate: Recommended update for yast2-firstboot
Message-ID: <20200121141252.802C7F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for yast2-firstboot
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0150-1
Rating:             moderate
References:         #1154708 #1156905
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for yast2-firstboot fixes the following issues:

   - Improve the "firstboot_licenses" client to give precedence to the directory argument,
     allowing it to be used multiple times to show different licenses (bsc#1154708).
   - Add firstboot.rnc to the desktop file (related to bsc#1156905).
   - Remove the references to the already dropped automatic configuration feature (FATE#314695).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-150=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
      yast2-firstboot-4.1.9-3.11.1

References:

   https://bugzilla.suse.com/1154708
   https://bugzilla.suse.com/1156905

From sle-updates at lists.suse.com Tue Jan 21 07:14:13 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 21 Jan 2020 15:14:13 +0100 (CET)
Subject: SUSE-RU-2020:0147-1: moderate: Recommended update for saprouter-systemd
Message-ID: <20200121141413.ABDB7F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for saprouter-systemd
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0147-1
Rating:             moderate
References:         #1094206 #1120164
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for saprouter-systemd fixes the following issues:

   - Fix installation failures caused by different library paths on different architectures (bsc#1120164).
   - Fix a typo in the WAITTIME parameter that made the systemd unit non-functional (bsc#1094206).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP5:
      zypper in -t patch SUSE-SLE-SAP-12-SP5-2020-147=1
   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-147=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-147=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-147=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP5 (noarch):
      saprouter-systemd-0.2-3.3.1
   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
      saprouter-systemd-0.2-3.3.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
      saprouter-systemd-0.2-3.3.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
      saprouter-systemd-0.2-3.3.1

References:

   https://bugzilla.suse.com/1094206
   https://bugzilla.suse.com/1120164

From sle-updates at lists.suse.com Tue Jan 21 07:16:20 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 21 Jan 2020 15:16:20 +0100 (CET)
Subject: SUSE-SU-2020:0146-1: moderate: Security update for Mesa
Message-ID: <20200121141620.081EBF79E@maintenance.suse.de>

SUSE Security Update: Security update for Mesa
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0146-1
Rating:             moderate
References:         #1156015
Cross-References:   CVE-2019-5068
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for Mesa fixes the following issues:

   Security issue fixed:

   - CVE-2019-5068: Fixed an exploitable shared memory permissions vulnerability (bsc#1156015).
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:
      zypper in -t patch SUSE-SLE-WE-12-SP5-2020-146=1
   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-146=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-146=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
      Mesa-debugsource-18.3.2-14.3.2
      Mesa-drivers-debugsource-18.3.2-14.3.2
      Mesa-libGLESv1_CM1-18.3.2-14.3.2
      Mesa-libGLESv1_CM1-debuginfo-18.3.2-14.3.2
      Mesa-libGLESv2-2-32bit-18.3.2-14.3.2
      Mesa-libGLESv2-2-debuginfo-32bit-18.3.2-14.3.2
      Mesa-libd3d-18.3.2-14.3.2
      Mesa-libd3d-debuginfo-18.3.2-14.3.2
      Mesa-libva-18.3.2-14.3.2
      Mesa-libva-debuginfo-18.3.2-14.3.2
      libXvMC_nouveau-18.3.2-14.3.2
      libXvMC_nouveau-debuginfo-18.3.2-14.3.2
      libXvMC_r600-18.3.2-14.3.2
      libXvMC_r600-debuginfo-18.3.2-14.3.2
      libvdpau_nouveau-18.3.2-14.3.2
      libvdpau_nouveau-debuginfo-18.3.2-14.3.2
      libvdpau_r300-18.3.2-14.3.2
      libvdpau_r300-debuginfo-18.3.2-14.3.2
      libvdpau_r600-18.3.2-14.3.2
      libvdpau_r600-debuginfo-18.3.2-14.3.2
      libvdpau_radeonsi-18.3.2-14.3.2
      libvdpau_radeonsi-debuginfo-18.3.2-14.3.2
      libvulkan_intel-18.3.2-14.3.2
      libvulkan_intel-debuginfo-18.3.2-14.3.2
      libvulkan_radeon-18.3.2-14.3.2
      libvulkan_radeon-debuginfo-18.3.2-14.3.2
   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
      Mesa-KHR-devel-18.3.2-14.3.2
      Mesa-debugsource-18.3.2-14.3.2
      Mesa-devel-18.3.2-14.3.2
      Mesa-dri-devel-18.3.2-14.3.2
      Mesa-libEGL-devel-18.3.2-14.3.2
      Mesa-libGL-devel-18.3.2-14.3.2
      Mesa-libGLESv1_CM-devel-18.3.2-14.3.2
      Mesa-libGLESv1_CM1-18.3.2-14.3.2
      Mesa-libGLESv1_CM1-debuginfo-18.3.2-14.3.2
      Mesa-libGLESv2-devel-18.3.2-14.3.2
      Mesa-libGLESv3-devel-18.3.2-14.3.2
      Mesa-libglapi-devel-18.3.2-14.3.2
      libOSMesa-devel-18.3.2-14.3.2
      libOSMesa8-18.3.2-14.3.2
      libOSMesa8-debuginfo-18.3.2-14.3.2
      libgbm-devel-18.3.2-14.3.2
   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le x86_64):
      libxatracker-devel-1.0.0-14.3.2
   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 x86_64):
      Mesa-drivers-debugsource-18.3.2-14.3.2
      Mesa-libd3d-devel-18.3.2-14.3.2
   - SUSE Linux Enterprise Software Development Kit 12-SP5 (s390x x86_64):
      libOSMesa8-32bit-18.3.2-14.3.2
      libOSMesa8-debuginfo-32bit-18.3.2-14.3.2
   - SUSE Linux Enterprise Software Development Kit 12-SP5 (x86_64):
      Mesa-libVulkan-devel-18.3.2-14.3.2
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      Mesa-18.3.2-14.3.2
      Mesa-debugsource-18.3.2-14.3.2
      Mesa-dri-18.3.2-14.3.2
      Mesa-dri-debuginfo-18.3.2-14.3.2
      Mesa-drivers-debugsource-18.3.2-14.3.2
      Mesa-libEGL1-18.3.2-14.3.2
      Mesa-libEGL1-debuginfo-18.3.2-14.3.2
      Mesa-libGL1-18.3.2-14.3.2
      Mesa-libGL1-debuginfo-18.3.2-14.3.2
      Mesa-libGLESv2-2-18.3.2-14.3.2
      Mesa-libGLESv2-2-debuginfo-18.3.2-14.3.2
      Mesa-libglapi0-18.3.2-14.3.2
      Mesa-libglapi0-debuginfo-18.3.2-14.3.2
      libgbm1-18.3.2-14.3.2
      libgbm1-debuginfo-18.3.2-14.3.2
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le x86_64):
      libxatracker2-1.0.0-14.3.2
      libxatracker2-debuginfo-1.0.0-14.3.2
   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
      Mesa-32bit-18.3.2-14.3.2
      Mesa-dri-32bit-18.3.2-14.3.2
      Mesa-dri-debuginfo-32bit-18.3.2-14.3.2
      Mesa-libEGL1-32bit-18.3.2-14.3.2
      Mesa-libEGL1-debuginfo-32bit-18.3.2-14.3.2
      Mesa-libGL1-32bit-18.3.2-14.3.2
      Mesa-libGL1-debuginfo-32bit-18.3.2-14.3.2
      Mesa-libglapi0-32bit-18.3.2-14.3.2
      Mesa-libglapi0-debuginfo-32bit-18.3.2-14.3.2
      libgbm1-32bit-18.3.2-14.3.2
      libgbm1-debuginfo-32bit-18.3.2-14.3.2

References:

   https://www.suse.com/security/cve/CVE-2019-5068.html
   https://bugzilla.suse.com/1156015

From sle-updates at lists.suse.com Tue Jan 21 07:17:05 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 21 Jan 2020 15:17:05 +0100 (CET)
Subject: SUSE-RU-2020:0148-1: moderate: Recommended update for yast2-configuration-management
Message-ID: <20200121141705.A41D4F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for yast2-configuration-management
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0148-1
Rating:             moderate
References:         #1159434
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for yast2-configuration-management fixes the following issues:

   - Remove the AutoYaST User Interface menu entry for the module because, for the time being,
     it is not supported (bsc#1159434).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-148=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
      yast2-configuration-management-4.1.7-3.3.1

References:

   https://bugzilla.suse.com/1159434

From sle-updates at lists.suse.com Tue Jan 21 07:12:11 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 21 Jan 2020 15:12:11 +0100 (CET)
Subject: SUSE-RU-2020:0149-1: moderate: Recommended update for desktop-file-utils
Message-ID: <20200121141211.782F8F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for desktop-file-utils
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0149-1
Rating:             moderate
References:         #1094774
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for desktop-file-utils fixes the following issues:

   - Backport the upstream fix that adds the font type to the MIME list (fdo#105785, bsc#1094774).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-149=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-149=1
   - SUSE Linux Enterprise Desktop 12-SP4:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-149=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      desktop-file-utils-0.22-10.3.1
      desktop-file-utils-debuginfo-0.22-10.3.1
      desktop-file-utils-debugsource-0.22-10.3.1
   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      desktop-file-utils-0.22-10.3.1
      desktop-file-utils-debuginfo-0.22-10.3.1
      desktop-file-utils-debugsource-0.22-10.3.1
   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
      desktop-file-utils-0.22-10.3.1
      desktop-file-utils-debuginfo-0.22-10.3.1
      desktop-file-utils-debugsource-0.22-10.3.1

References:

   https://bugzilla.suse.com/1094774

From sle-updates at lists.suse.com Tue Jan 21 13:11:02 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 21 Jan 2020 21:11:02 +0100 (CET)
Subject: SUSE-RU-2019:3353-2: moderate: Recommended update for SUSE Manager Proxy 4.0
Message-ID: <20200121201102.BA32BF798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for SUSE Manager Proxy 4.0
______________________________________________________________________________

Announcement ID:    SUSE-RU-2019:3353-2
Rating:             moderate
References:         #1113160 #1131556 #1143638 #1145591 #1145608 #1145755 #1146683
                    #1148352 #1152298
                    #1152722 #1154868 #1154968 #1155800 #1156521 #1158002 #1158947
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0
______________________________________________________________________________

   An update that has 16 recommended fixes can now be installed.

Description:

   This update fixes the following issues:

   jabberd:

   - SQL scripts are now placed at /etc/jabberd/scripts to make jabberd compatible with JeOS (bsc#1148352)
   - Always require zlib-devel for building (fixes building for SLE15 SP2)

   patterns-suse-manager:

   - Add prometheus-formula and grafana-formula to the server pattern
   - Add the apache exporter to the proxy pattern as "Recommends"
   - Install cpu-mitigations-formula by default

   prometheus-exporters-formula:

   - Add support for provisioning the apache exporter

   rhnlib:

   - Fix malformed XML response when data contains non-ASCII chars (bsc#1154968)

   spacewalk-backend:

   - Fix specfile for systems that do not yet use systemd
   - Fix spacewalk-update-signatures for python3 (bsc#1156521)
   - Fix problems with Package Hub repos having multiple rpms with the same NEVRA but different
     checksums (bsc#1146683)
   - Fix broken spacewalk-data-fsck utility (bsc#1131556)

   spacewalk-certs-tools:

   - Fix certificate generation when the serial has leading zeroes, to avoid
     "asn1 encoding routines:a2i_ASN1_INTEGER:odd number of chars" during setup
   - Make traditional bootstrap more robust for unknown hostname (bsc#1152298)
   - Fix bootstrap script generator to work with Expanded Support 8 product (bsc#1158002)

   spacewalk-client-tools:

   - Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)

   spacewalk-proxy:

   - Fix problems with Package Hub repos having multiple rpms with the same NEVRA but different
     checksums (bsc#1146683)

   spacewalk-setup-jabberd:

   - SQL scripts are now placed at /etc/jabberd/scripts to make jabberd compatible with JeOS (bsc#1148352)

   spacewalk-web:

   - Add self monitoring to Admin Monitoring UI (bsc#1143638)
   - Layout changes in formula forms and validation; deprecate $visibleIf and add new
     attributes: $disabled, $visible, $required, $match
   - Fix create VM dialog when there is no virtual storage pool or network
   - Show channels and filters in CLM history
   - SPA: do not drop modals early, as they can contain inputs (bsc#1155800)
   - Fix WebUI invalidation time by using the package build time instead of the WebUI
     version (bsc#1154868)
   - Filter by description on the Products page works recursively
   - Add check/message for project not found (bsc#1145755)
   - Remove/change text on edit filters for CLM (bsc#1145608)
   - Fix sorting issues on content filter list page (bsc#1145591)

   zypp-plugin-spacewalk:

   - Prevent possible encoding issues on Python 3 (bsc#1152722)

   How to apply this update:

   1. Log in as root user to the SUSE Manager proxy.
   2. Stop the proxy service:
      spacewalk-proxy stop
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service:
      spacewalk-proxy start

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.0-2020-151=1

Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (ppc64le s390x):
      golang-github-lusitaniae-apache_exporter-0.7.0-3.8.2
      golang-github-lusitaniae-apache_exporter-debuginfo-0.7.0-3.8.2
      jabberd-2.7.0-3.8.2
      jabberd-db-2.7.0-3.8.2
      jabberd-db-debuginfo-2.7.0-3.8.2
      jabberd-debuginfo-2.7.0-3.8.2
      jabberd-debugsource-2.7.0-3.8.2
      jabberd-sqlite-2.7.0-3.8.2
      jabberd-sqlite-debuginfo-2.7.0-3.8.2
      patterns-suma_proxy-4.0-9.7.3
   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (noarch):
      prometheus-exporters-formula-0.5-3.7.3
      python3-rhnlib-4.0.12-3.11.3
      python3-spacewalk-backend-libs-4.0.29-3.20.3
      python3-spacewalk-certs-tools-4.0.14-3.12.3
      python3-spacewalk-check-4.0.11-3.10.3
      python3-spacewalk-client-setup-4.0.11-3.10.3
      python3-spacewalk-client-tools-4.0.11-3.10.3
      python3-zypp-plugin-spacewalk-1.0.6-3.8.2
      spacecmd-4.0.17-3.10.3
      spacewalk-backend-4.0.29-3.20.3
      spacewalk-base-minimal-4.0.18-3.15.3
      spacewalk-base-minimal-config-4.0.18-3.15.3
      spacewalk-certs-tools-4.0.14-3.12.3
      spacewalk-check-4.0.11-3.10.3
      spacewalk-client-setup-4.0.11-3.10.3
      spacewalk-client-tools-4.0.11-3.10.3
      spacewalk-proxy-broker-4.0.13-3.7.3
      spacewalk-proxy-common-4.0.13-3.7.3
      spacewalk-proxy-management-4.0.13-3.7.3
      spacewalk-proxy-package-manager-4.0.13-3.7.3
      spacewalk-proxy-redirect-4.0.13-3.7.3
      spacewalk-proxy-salt-4.0.13-3.7.3
      spacewalk-setup-jabberd-4.0.4-3.8.2
      zypp-plugin-spacewalk-1.0.6-3.8.2

References:

   https://bugzilla.suse.com/1113160
   https://bugzilla.suse.com/1131556
   https://bugzilla.suse.com/1143638
   https://bugzilla.suse.com/1145591
   https://bugzilla.suse.com/1145608
   https://bugzilla.suse.com/1145755
   https://bugzilla.suse.com/1146683
   https://bugzilla.suse.com/1148352
   https://bugzilla.suse.com/1152298
   https://bugzilla.suse.com/1152722
   https://bugzilla.suse.com/1154868
   https://bugzilla.suse.com/1154968
   https://bugzilla.suse.com/1155800
   https://bugzilla.suse.com/1156521
   https://bugzilla.suse.com/1158002
   https://bugzilla.suse.com/1158947

From sle-updates at lists.suse.com Tue Jan 21 13:22:44 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 21 Jan 2020 21:22:44 +0100 (CET)
Subject: SUSE-SU-2020:0152-1: moderate: Security update for samba
Message-ID: <20200121202244.87EE3F79E@maintenance.suse.de>

SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0152-1
Rating:             moderate
References:         #1160888
Cross-References:   CVE-2019-14907
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for samba fixes the following issues:

   - CVE-2019-14907: Fixed a server-side crash after a charset conversion failure during
     NTLMSSP processing (bsc#1160888).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-152=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-152=1
   - SUSE Linux Enterprise High Availability 12-SP5:
      zypper in -t patch SUSE-SLE-HA-12-SP5-2020-152=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
      libndr-devel-4.10.5+git.134.674d33703a6-3.3.1
      libndr-krb5pac-devel-4.10.5+git.134.674d33703a6-3.3.1
      libndr-nbt-devel-4.10.5+git.134.674d33703a6-3.3.1
      libndr-standard-devel-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-util-devel-4.10.5+git.134.674d33703a6-3.3.1
      libsmbclient-devel-4.10.5+git.134.674d33703a6-3.3.1
      libwbclient-devel-4.10.5+git.134.674d33703a6-3.3.1
      samba-core-devel-4.10.5+git.134.674d33703a6-3.3.1
      samba-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      samba-debugsource-4.10.5+git.134.674d33703a6-3.3.1
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      libdcerpc-binding0-4.10.5+git.134.674d33703a6-3.3.1
      libdcerpc-binding0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libdcerpc0-4.10.5+git.134.674d33703a6-3.3.1
      libdcerpc0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libndr-krb5pac0-4.10.5+git.134.674d33703a6-3.3.1
      libndr-krb5pac0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libndr-nbt0-4.10.5+git.134.674d33703a6-3.3.1
      libndr-nbt0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libndr-standard0-4.10.5+git.134.674d33703a6-3.3.1
      libndr-standard0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libndr0-4.10.5+git.134.674d33703a6-3.3.1
      libndr0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libnetapi0-4.10.5+git.134.674d33703a6-3.3.1
      libnetapi0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-credentials0-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-credentials0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-errors0-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-errors0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-hostconfig0-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-hostconfig0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-passdb0-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-passdb0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-util0-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-util0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libsamdb0-4.10.5+git.134.674d33703a6-3.3.1
      libsamdb0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libsmbclient0-4.10.5+git.134.674d33703a6-3.3.1
      libsmbclient0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libsmbconf0-4.10.5+git.134.674d33703a6-3.3.1
      libsmbconf0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libsmbldap2-4.10.5+git.134.674d33703a6-3.3.1
      libsmbldap2-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libtevent-util0-4.10.5+git.134.674d33703a6-3.3.1
      libtevent-util0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      libwbclient0-4.10.5+git.134.674d33703a6-3.3.1
      libwbclient0-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      samba-4.10.5+git.134.674d33703a6-3.3.1
      samba-client-4.10.5+git.134.674d33703a6-3.3.1
      samba-client-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      samba-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      samba-debugsource-4.10.5+git.134.674d33703a6-3.3.1
      samba-libs-4.10.5+git.134.674d33703a6-3.3.1
      samba-libs-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      samba-libs-python3-4.10.5+git.134.674d33703a6-3.3.1
      samba-libs-python3-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      samba-winbind-4.10.5+git.134.674d33703a6-3.3.1
      samba-winbind-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
      libdcerpc-binding0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libdcerpc-binding0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libdcerpc0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libdcerpc0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libndr-krb5pac0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libndr-krb5pac0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libndr-nbt0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libndr-nbt0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libndr-standard0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libndr-standard0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libndr0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libndr0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libnetapi0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libnetapi0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-credentials0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-credentials0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-errors0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-errors0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-hostconfig0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-hostconfig0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-passdb0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-passdb0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-util0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamba-util0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamdb0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsamdb0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsmbclient0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsmbclient0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsmbconf0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsmbconf0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsmbldap2-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libsmbldap2-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libtevent-util0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libtevent-util0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libwbclient0-32bit-4.10.5+git.134.674d33703a6-3.3.1
      libwbclient0-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      samba-client-32bit-4.10.5+git.134.674d33703a6-3.3.1
      samba-client-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      samba-libs-32bit-4.10.5+git.134.674d33703a6-3.3.1
      samba-libs-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      samba-libs-python3-32bit-4.10.5+git.134.674d33703a6-3.3.1
      samba-libs-python3-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
      samba-winbind-32bit-4.10.5+git.134.674d33703a6-3.3.1
      samba-winbind-debuginfo-32bit-4.10.5+git.134.674d33703a6-3.3.1
   - SUSE Linux Enterprise Server 12-SP5 (noarch):
      samba-doc-4.10.5+git.134.674d33703a6-3.3.1
   - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):
      ctdb-4.10.5+git.134.674d33703a6-3.3.1
      ctdb-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      samba-debuginfo-4.10.5+git.134.674d33703a6-3.3.1
      samba-debugsource-4.10.5+git.134.674d33703a6-3.3.1

References:

   https://www.suse.com/security/cve/CVE-2019-14907.html
   https://bugzilla.suse.com/1160888

From sle-updates at lists.suse.com Wed Jan 22 00:27:26 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 22 Jan 2020 08:27:26 +0100 (CET)
Subject: SUSE-CU-2020:20-1: Security update of suse/sle15
Message-ID: <20200122072726.C8E63F798@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:20-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.134
Severity              : important
Type                  : security
References            : 1158095 CVE-2019-14889
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:130-1
Released:    Mon Jan 20 09:21:21 2020
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
Description:
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).
From sle-updates at lists.suse.com Wed Jan 22 00:30:25 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 22 Jan 2020 08:30:25 +0100 (CET) Subject: SUSE-CU-2020:21-1: Security update of suse/sle15 Message-ID: <20200122073025.7D8BBF796@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:21-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.145 Severity : important Type : security References : 1158095 CVE-2019-14889 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). From sle-updates at lists.suse.com Wed Jan 22 00:31:42 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 22 Jan 2020 08:31:42 +0100 (CET) Subject: SUSE-CU-2020:22-1: Security update of suse/sles12sp5 Message-ID: <20200122073142.6CE26F796@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:22-1 Container Tags : suse/sles12sp5:5.2.276 , suse/sles12sp5:latest Severity : important Type : security References : 1158095 CVE-2019-14889 ----------------------------------------------------------------- The container suse/sles12sp5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:131-1 Released: Mon Jan 20 09:21:41 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). From sle-updates at lists.suse.com Wed Jan 22 00:38:14 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 22 Jan 2020 08:38:14 +0100 (CET) Subject: SUSE-CU-2020:23-1: Security update of suse/sles12sp4 Message-ID: <20200122073814.81F8FF796@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:23-1 Container Tags : suse/sles12sp4:26.125 , suse/sles12sp4:latest Severity : important Type : security References : 1158095 CVE-2019-14889 ----------------------------------------------------------------- The container suse/sles12sp4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:139-1 Released: Mon Jan 20 10:57:29 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). 
From sle-updates at lists.suse.com Wed Jan 22 04:15:54 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 22 Jan 2020 12:15:54 +0100 (CET)
Subject: SUSE-RU-2020:0155-1: moderate: Recommended update for python-Sphinx
Message-ID: <20200122111554.414F1F79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for python-Sphinx
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:0155-1
Rating: moderate
References: #1157793 #1158158
Affected Products:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
SUSE Linux Enterprise Module for Development Tools 15-SP1
______________________________________________________________________________

An update that has two recommended fixes can now be installed.

Description:

This update for python-Sphinx fixes the following issues:

- Add patch to produce output that solves compatibility issues with current Qt. (bsc#1157793, bsc#1158158)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-155=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-155=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-155=1 Package List: - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (noarch): python2-Sphinx-1.7.6-3.3.3 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): python-Sphinx-doc-html-1.7.6-3.3.4 python-Sphinx-doc-man-common-1.7.6-3.3.4 python2-Sphinx-1.7.6-3.3.3 python2-Sphinx-doc-1.7.6-3.3.4 python2-Sphinx-doc-man-1.7.6-3.3.4 python2-Sphinx-latex-1.7.6-3.3.3 python3-Sphinx-doc-1.7.6-3.3.4 python3-Sphinx-doc-man-1.7.6-3.3.4 python3-Sphinx-latex-1.7.6-3.3.3 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch): python3-Sphinx-1.7.6-3.3.3 References: https://bugzilla.suse.com/1157793 https://bugzilla.suse.com/1158158 From sle-updates at lists.suse.com Wed Jan 22 04:17:43 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 22 Jan 2020 12:17:43 +0100 (CET) Subject: SUSE-RU-2020:0154-1: moderate: Recommended update for libica Message-ID: <20200122111743.4BFB2F79E@maintenance.suse.de> SUSE Recommended Update: Recommended update for libica ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0154-1 Rating: moderate References: #1134004 #1153948 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. 
Description: This update for libica fixes the following issues: Upgraded to version 3.5.0 (fate#327840, bsc#1153948) * [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify - Reworked how libica-tools loads and unloads kernel modules to avoid spurious error messages (bsc#1134004) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-154=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (s390x): libica-debugsource-3.5.0-10.5.9 libica-devel-3.5.0-10.5.9 libica-devel-static-3.5.0-10.5.9 libica-tools-3.5.0-10.5.9 libica-tools-debuginfo-3.5.0-10.5.9 libica3-3.5.0-10.5.9 libica3-debuginfo-3.5.0-10.5.9 References: https://bugzilla.suse.com/1134004 https://bugzilla.suse.com/1153948 From sle-updates at lists.suse.com Wed Jan 22 04:18:36 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 22 Jan 2020 12:18:36 +0100 (CET) Subject: SUSE-RU-2020:0156-1: moderate: Recommended update for libgcrypt Message-ID: <20200122111836.78DEBF79E@maintenance.suse.de> SUSE Recommended Update: Recommended update for libgcrypt ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0156-1 Rating: moderate References: #1161215 #1161216 #1161218 #1161219 #1161220 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has 5 recommended fixes 
can now be installed. Description: This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value (bsc#1161219) - FIPS: libgcrypt DSA PQG verification incorrect results (bsc#1161215) - FIPS: libgcrypt RSA siggen/keygen: 4k not supported (bsc#1161220) - FIPS: keywrap gives incorrect results (bsc#1161218) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-156=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-156=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-156=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-156=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-156=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-156=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libgcrypt-debugsource-1.8.2-6.26.1 libgcrypt-devel-1.8.2-6.26.1 libgcrypt-devel-debuginfo-1.8.2-6.26.1 libgcrypt20-1.8.2-6.26.1 libgcrypt20-debuginfo-1.8.2-6.26.1 libgcrypt20-hmac-1.8.2-6.26.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libgcrypt20-32bit-1.8.2-6.26.1 libgcrypt20-32bit-debuginfo-1.8.2-6.26.1 libgcrypt20-hmac-32bit-1.8.2-6.26.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libgcrypt-debugsource-1.8.2-6.26.1 libgcrypt-devel-1.8.2-6.26.1 libgcrypt-devel-debuginfo-1.8.2-6.26.1 libgcrypt20-1.8.2-6.26.1 libgcrypt20-debuginfo-1.8.2-6.26.1 libgcrypt20-hmac-1.8.2-6.26.1 - SUSE Linux 
Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): libgcrypt-cavs-1.8.2-6.26.1 libgcrypt-cavs-debuginfo-1.8.2-6.26.1 libgcrypt-debugsource-1.8.2-6.26.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libgcrypt-debugsource-1.8.2-6.26.1 libgcrypt-devel-1.8.2-6.26.1 libgcrypt-devel-debuginfo-1.8.2-6.26.1 libgcrypt20-1.8.2-6.26.1 libgcrypt20-debuginfo-1.8.2-6.26.1 libgcrypt20-hmac-1.8.2-6.26.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libgcrypt20-32bit-1.8.2-6.26.1 libgcrypt20-32bit-debuginfo-1.8.2-6.26.1 libgcrypt20-hmac-32bit-1.8.2-6.26.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libgcrypt-debugsource-1.8.2-6.26.1 libgcrypt-devel-1.8.2-6.26.1 libgcrypt-devel-debuginfo-1.8.2-6.26.1 libgcrypt20-1.8.2-6.26.1 libgcrypt20-debuginfo-1.8.2-6.26.1 libgcrypt20-hmac-1.8.2-6.26.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libgcrypt20-32bit-1.8.2-6.26.1 libgcrypt20-32bit-debuginfo-1.8.2-6.26.1 libgcrypt20-hmac-32bit-1.8.2-6.26.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libgcrypt-debugsource-1.8.2-6.26.1 libgcrypt-devel-1.8.2-6.26.1 libgcrypt-devel-debuginfo-1.8.2-6.26.1 libgcrypt20-1.8.2-6.26.1 libgcrypt20-debuginfo-1.8.2-6.26.1 libgcrypt20-hmac-1.8.2-6.26.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libgcrypt20-32bit-1.8.2-6.26.1 libgcrypt20-32bit-debuginfo-1.8.2-6.26.1 libgcrypt20-hmac-32bit-1.8.2-6.26.1 References: https://bugzilla.suse.com/1161215 https://bugzilla.suse.com/1161216 https://bugzilla.suse.com/1161218 https://bugzilla.suse.com/1161219 https://bugzilla.suse.com/1161220 From sle-updates at lists.suse.com Wed Jan 22 04:16:52 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 22 Jan 2020 12:16:52 +0100 (CET) Subject: SUSE-RU-2020:0157-1: moderate: Recommended update for openssl-1_1 Message-ID: 
<20200122111652.2D87FF79E@maintenance.suse.de> SUSE Recommended Update: Recommended update for openssl-1_1 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0157-1 Rating: moderate References: #1161198 #1161203 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for openssl-1_1 fixes the following issues: - Fix FIPS DRBG without derivation function (bsc#1161198) - Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-157=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-157=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-157=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-157=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-157=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-157=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libopenssl-1_1-devel-1.1.0i-4.33.1 libopenssl1_1-1.1.0i-4.33.1 libopenssl1_1-debuginfo-1.1.0i-4.33.1 libopenssl1_1-hmac-1.1.0i-4.33.1 openssl-1_1-1.1.0i-4.33.1 openssl-1_1-debuginfo-1.1.0i-4.33.1 openssl-1_1-debugsource-1.1.0i-4.33.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libopenssl1_1-32bit-1.1.0i-4.33.1 libopenssl1_1-32bit-debuginfo-1.1.0i-4.33.1 libopenssl1_1-hmac-32bit-1.1.0i-4.33.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libopenssl-1_1-devel-1.1.0i-4.33.1 libopenssl1_1-1.1.0i-4.33.1 libopenssl1_1-debuginfo-1.1.0i-4.33.1 libopenssl1_1-hmac-1.1.0i-4.33.1 openssl-1_1-1.1.0i-4.33.1 openssl-1_1-debuginfo-1.1.0i-4.33.1 openssl-1_1-debugsource-1.1.0i-4.33.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch): openssl-1_1-doc-1.1.0i-4.33.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (x86_64): libopenssl-1_1-devel-32bit-1.1.0i-4.33.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libopenssl-1_1-devel-1.1.0i-4.33.1 libopenssl1_1-1.1.0i-4.33.1 libopenssl1_1-debuginfo-1.1.0i-4.33.1 libopenssl1_1-hmac-1.1.0i-4.33.1 openssl-1_1-1.1.0i-4.33.1 
openssl-1_1-debuginfo-1.1.0i-4.33.1 openssl-1_1-debugsource-1.1.0i-4.33.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libopenssl-1_1-devel-32bit-1.1.0i-4.33.1 libopenssl1_1-32bit-1.1.0i-4.33.1 libopenssl1_1-32bit-debuginfo-1.1.0i-4.33.1 libopenssl1_1-hmac-32bit-1.1.0i-4.33.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libopenssl-1_1-devel-1.1.0i-4.33.1 libopenssl1_1-1.1.0i-4.33.1 libopenssl1_1-debuginfo-1.1.0i-4.33.1 libopenssl1_1-hmac-1.1.0i-4.33.1 openssl-1_1-1.1.0i-4.33.1 openssl-1_1-debuginfo-1.1.0i-4.33.1 openssl-1_1-debugsource-1.1.0i-4.33.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libopenssl1_1-32bit-1.1.0i-4.33.1 libopenssl1_1-32bit-debuginfo-1.1.0i-4.33.1 libopenssl1_1-hmac-32bit-1.1.0i-4.33.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libopenssl-1_1-devel-1.1.0i-4.33.1 libopenssl1_1-1.1.0i-4.33.1 libopenssl1_1-debuginfo-1.1.0i-4.33.1 libopenssl1_1-hmac-1.1.0i-4.33.1 openssl-1_1-1.1.0i-4.33.1 openssl-1_1-debuginfo-1.1.0i-4.33.1 openssl-1_1-debugsource-1.1.0i-4.33.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libopenssl1_1-32bit-1.1.0i-4.33.1 libopenssl1_1-32bit-debuginfo-1.1.0i-4.33.1 libopenssl1_1-hmac-32bit-1.1.0i-4.33.1 References: https://bugzilla.suse.com/1161198 https://bugzilla.suse.com/1161203 From sle-updates at lists.suse.com Wed Jan 22 04:11:28 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 22 Jan 2020 12:11:28 +0100 (CET) Subject: SUSE-RU-2020:0158-1: moderate: Recommended update for ceph Message-ID: <20200122111128.4E905F798@maintenance.suse.de> SUSE Recommended Update: Recommended update for ceph ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0158-1 Rating: moderate References: #1124556 #1131817 #1132337 #1134365 #1137227 #1140504 #1140879 #1141203 #1145571 #1145756 #1148360 #1148498 #1153876 #1154230 #1155045 
#1155463 #1155655 #1155950 #1156571 #1157611 #1158923 #1158925 #1158926 #1158927 #1158929 #1158930 #1158931 #1158932 #1158933 #1160920 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Enterprise Storage 6 ______________________________________________________________________________ An update that has 30 recommended fixes can now be installed. Description: This update for ceph fixes the following issues: Ceph was updated to 14.2.5-371-g3551250731: This is the upstream Nautilus 14.2.5 point release, see https://ceph.io/releases/v14-2-5-nautilus-released/ * health warnings will be issued if daemons have recently crashed (bsc#1158923) * pg_num must be a power of two, otherwise HEALTH_WARN (bsc#1158925) * pool size must be > 1, otherwise HEALTH_WARN (bsc#1158926) * health warning if average OSD heartbeat ping time exceeds threshold (bsc#1158927) * changes in the telemetry MGR module (bsc#1158929) * new OSD daemon command dump_recovery_reservations (bsc#1158930) * new OSD daemon command dump_scrub_reservations (bsc#1158931) * RGW now supports S3 Object Lock set of APIs (bsc#1158932) * RGW now supports List Objects V2 (bsc#1158933) * mon: keep v1 address type when explicitly (bsc#1140879) * doc: mention --namespace option in rados manpage (bsc#1157611) * mgr/dashboard: Remove env_build from e2e:ci * ceph-volume: check if we run in an selinux environment * qa/dashboard_e2e_tests.sh: Automatically use correct chromedriver version (bsc#1155950) * rebase on tip of upstream nautilus, SHA1 9989c20373e2294b7479ec4bd6ac5cce80b01645 * rgw: add S3 object lock feature to support object worm (jsc#SES-582) * os/bluestore: apply garbage collection against excessive blob count growth (bsc#1124556) * doc: update bluestore cache settings and clarify data fraction (bsc#1131817) * mgr/dashboard: Allow the decrease of pg's of an existing pool (bsc#1132337) * core: Improve health status for 
backfill_toofull and recovery_toofull and fix backfill_toofull seen on cluster where the most full OSD is at 1% (bsc#1134365) * mgr/dashboard: Set RO as the default access_type for RGW NFS exports (bsc#1137227) * mgr/dashboard: Allow disabling redirection on standby Dashboards (bsc#1140504) * rgw: dns name is not case sensitive (bsc#1141203) * os/bluestore: shallow fsck mode and legacy statfs auto repair (bsc#1145571) * mgr/dashboard: Display WWN and LUN number in iSCSI target details (bsc#1145756) * mgr/dashboard: access_control: add grafana scope read access to *-manager roles (bsc#1148360) * mgr/dashboard: internationalization support with AOT enabled (bsc#1148498) * mgr/dashboard: Fix data point alignment in MDS counters chart (bsc#1153876) * mgr/balancer: python3 compatibility issue (bsc#1154230) * mgr/dashboard: add debug mode, and accept expected exception when SSL handshaking (bsc#1155045) * mgr/{dashboard,prometheus}: return FQDN instead of '0.0.0.0' (bsc#1155463) * core: Improve health status for backfill_toofull and recovery_toofull and fix backfill_toofull seen on cluster where the most full OSD is at 1% (bsc#1155655) * mon: ensure prepare_failure() marks no_reply on op (bsc#1156571) * mgr/dashboard: Automatically use correct chromedriver version + Revert "rgw_file: introduce fast S3 Unix stats (immutable)" because it is incompatible with NFS-Ganesha 2.8 * include hotfix from upstream v14.2.6 release (bsc#1160920): * mon/PGMap.h: disable network stats in dump_osd_stats * osd_stat_t::dump: Add option for ceph-mgr python callers to skip ping network Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-158=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-158=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2020-158=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): ceph-14.2.5.380+g1387ceaf78-3.27.2 ceph-base-14.2.5.380+g1387ceaf78-3.27.2 ceph-base-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-debugsource-14.2.5.380+g1387ceaf78-3.27.2 ceph-fuse-14.2.5.380+g1387ceaf78-3.27.2 ceph-fuse-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-mds-14.2.5.380+g1387ceaf78-3.27.2 ceph-mds-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-mon-14.2.5.380+g1387ceaf78-3.27.2 ceph-mon-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-osd-14.2.5.380+g1387ceaf78-3.27.2 ceph-osd-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-radosgw-14.2.5.380+g1387ceaf78-3.27.2 ceph-radosgw-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 cephfs-shell-14.2.5.380+g1387ceaf78-3.27.2 rbd-fuse-14.2.5.380+g1387ceaf78-3.27.2 rbd-fuse-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 rbd-mirror-14.2.5.380+g1387ceaf78-3.27.2 rbd-mirror-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 rbd-nbd-14.2.5.380+g1387ceaf78-3.27.2 rbd-nbd-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): ceph-grafana-dashboards-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-dashboard-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-diskprediction-cloud-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-diskprediction-local-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-rook-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-ssh-14.2.5.380+g1387ceaf78-3.27.2 - SUSE Linux Enterprise Module for Open 
Buildservice Development Tools 15-SP1 (x86_64): ceph-test-14.2.5.380+g1387ceaf78-3.27.2 ceph-test-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-test-debugsource-14.2.5.380+g1387ceaf78-3.27.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): ceph-common-14.2.5.380+g1387ceaf78-3.27.2 ceph-common-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-debugsource-14.2.5.380+g1387ceaf78-3.27.2 libcephfs-devel-14.2.5.380+g1387ceaf78-3.27.2 libcephfs2-14.2.5.380+g1387ceaf78-3.27.2 libcephfs2-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 librados-devel-14.2.5.380+g1387ceaf78-3.27.2 librados-devel-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 librados2-14.2.5.380+g1387ceaf78-3.27.2 librados2-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 libradospp-devel-14.2.5.380+g1387ceaf78-3.27.2 librbd-devel-14.2.5.380+g1387ceaf78-3.27.2 librbd1-14.2.5.380+g1387ceaf78-3.27.2 librbd1-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 librgw-devel-14.2.5.380+g1387ceaf78-3.27.2 librgw2-14.2.5.380+g1387ceaf78-3.27.2 librgw2-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 python3-ceph-argparse-14.2.5.380+g1387ceaf78-3.27.2 python3-cephfs-14.2.5.380+g1387ceaf78-3.27.2 python3-cephfs-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 python3-rados-14.2.5.380+g1387ceaf78-3.27.2 python3-rados-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 python3-rbd-14.2.5.380+g1387ceaf78-3.27.2 python3-rbd-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 python3-rgw-14.2.5.380+g1387ceaf78-3.27.2 python3-rgw-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 rados-objclass-devel-14.2.5.380+g1387ceaf78-3.27.2 - SUSE Enterprise Storage 6 (aarch64 x86_64): ceph-14.2.5.380+g1387ceaf78-3.27.2 ceph-base-14.2.5.380+g1387ceaf78-3.27.2 ceph-base-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-common-14.2.5.380+g1387ceaf78-3.27.2 ceph-common-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-debugsource-14.2.5.380+g1387ceaf78-3.27.2 ceph-fuse-14.2.5.380+g1387ceaf78-3.27.2 ceph-fuse-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-mds-14.2.5.380+g1387ceaf78-3.27.2 
ceph-mds-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-mon-14.2.5.380+g1387ceaf78-3.27.2 ceph-mon-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-osd-14.2.5.380+g1387ceaf78-3.27.2 ceph-osd-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 ceph-radosgw-14.2.5.380+g1387ceaf78-3.27.2 ceph-radosgw-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 cephfs-shell-14.2.5.380+g1387ceaf78-3.27.2 libcephfs2-14.2.5.380+g1387ceaf78-3.27.2 libcephfs2-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 librados2-14.2.5.380+g1387ceaf78-3.27.2 librados2-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 librbd1-14.2.5.380+g1387ceaf78-3.27.2 librbd1-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 librgw2-14.2.5.380+g1387ceaf78-3.27.2 librgw2-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 python3-ceph-argparse-14.2.5.380+g1387ceaf78-3.27.2 python3-cephfs-14.2.5.380+g1387ceaf78-3.27.2 python3-cephfs-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 python3-rados-14.2.5.380+g1387ceaf78-3.27.2 python3-rados-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 python3-rbd-14.2.5.380+g1387ceaf78-3.27.2 python3-rbd-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 python3-rgw-14.2.5.380+g1387ceaf78-3.27.2 python3-rgw-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 rbd-fuse-14.2.5.380+g1387ceaf78-3.27.2 rbd-fuse-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 rbd-mirror-14.2.5.380+g1387ceaf78-3.27.2 rbd-mirror-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 rbd-nbd-14.2.5.380+g1387ceaf78-3.27.2 rbd-nbd-debuginfo-14.2.5.380+g1387ceaf78-3.27.2 - SUSE Enterprise Storage 6 (noarch): ceph-grafana-dashboards-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-dashboard-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-diskprediction-local-14.2.5.380+g1387ceaf78-3.27.2 ceph-mgr-rook-14.2.5.380+g1387ceaf78-3.27.2 ceph-prometheus-alerts-14.2.5.380+g1387ceaf78-3.27.2 References: https://bugzilla.suse.com/1124556 https://bugzilla.suse.com/1131817 https://bugzilla.suse.com/1132337 https://bugzilla.suse.com/1134365 https://bugzilla.suse.com/1137227 
https://bugzilla.suse.com/1140504
https://bugzilla.suse.com/1140879
https://bugzilla.suse.com/1141203
https://bugzilla.suse.com/1145571
https://bugzilla.suse.com/1145756
https://bugzilla.suse.com/1148360
https://bugzilla.suse.com/1148498
https://bugzilla.suse.com/1153876
https://bugzilla.suse.com/1154230
https://bugzilla.suse.com/1155045
https://bugzilla.suse.com/1155463
https://bugzilla.suse.com/1155655
https://bugzilla.suse.com/1155950
https://bugzilla.suse.com/1156571
https://bugzilla.suse.com/1157611
https://bugzilla.suse.com/1158923
https://bugzilla.suse.com/1158925
https://bugzilla.suse.com/1158926
https://bugzilla.suse.com/1158927
https://bugzilla.suse.com/1158929
https://bugzilla.suse.com/1158930
https://bugzilla.suse.com/1158931
https://bugzilla.suse.com/1158932
https://bugzilla.suse.com/1158933
https://bugzilla.suse.com/1160920

From sle-updates at lists.suse.com Wed Jan 22 07:11:18 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 22 Jan 2020 15:11:18 +0100 (CET)
Subject: SUSE-SU-2020:0159-1: important: Security update for tigervnc
Message-ID: <20200122141118.9CFF4F798@maintenance.suse.de>

SUSE Security Update: Security update for tigervnc
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0159-1
Rating: important
References: #1159856 #1159858 #1159860 #1160250 #1160251 #1160937
Cross-References: CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695
Affected Products:
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud 7
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server for SAP 12-SP2
SUSE Linux Enterprise Server 12-SP3-LTSS
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP2-LTSS
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Enterprise Storage 5
HPE Helion Openstack 8
______________________________________________________________________________

An update that solves 5 vulnerabilities and has one erratum is now available.

Description:

This update for tigervnc fixes the following issues:

- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-159=1
- SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-159=1
- SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-159=1
- SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-159=1
- SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-159=1
- SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-159=1
- SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-159=1
- SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-159=1
- SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-159=1
- SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-159=1
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-159=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64): libXvnc1-1.6.0-18.28.1 libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1
   - SUSE OpenStack Cloud 8 (x86_64):
      libXvnc1-1.6.0-18.28.1
      libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1
   - SUSE OpenStack Cloud 7 (s390x x86_64):
      libXvnc1-1.6.0-18.28.1
      libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      libXvnc1-1.6.0-18.28.1
      libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      libXvnc1-1.6.0-18.28.1
      libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      libXvnc1-1.6.0-18.28.1
      libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1
   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      libXvnc1-1.6.0-18.28.1
      libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      libXvnc1-1.6.0-18.28.1
      libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1
   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      libXvnc1-1.6.0-18.28.1
      libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1
   - SUSE Enterprise Storage 5 (aarch64 x86_64):
      libXvnc1-1.6.0-18.28.1
      libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1
   - HPE Helion Openstack 8 (x86_64):
      libXvnc1-1.6.0-18.28.1
      libXvnc1-debuginfo-1.6.0-18.28.1
      tigervnc-1.6.0-18.28.1
      tigervnc-debuginfo-1.6.0-18.28.1
      tigervnc-debugsource-1.6.0-18.28.1
      xorg-x11-Xvnc-1.6.0-18.28.1
      xorg-x11-Xvnc-debuginfo-1.6.0-18.28.1

References:

   https://www.suse.com/security/cve/CVE-2019-15691.html
   https://www.suse.com/security/cve/CVE-2019-15692.html
   https://www.suse.com/security/cve/CVE-2019-15693.html
   https://www.suse.com/security/cve/CVE-2019-15694.html
   https://www.suse.com/security/cve/CVE-2019-15695.html
   https://bugzilla.suse.com/1159856
   https://bugzilla.suse.com/1159858
   https://bugzilla.suse.com/1159860
   https://bugzilla.suse.com/1160250
   https://bugzilla.suse.com/1160251
   https://bugzilla.suse.com/1160937

From sle-updates at lists.suse.com  Wed Jan 22 13:11:24 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 22 Jan 2020 21:11:24 +0100 (CET)
Subject: SUSE-SU-2020:0204-1: important: Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP1)
Message-ID: <20200122201124.20C7DF796@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP1)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0204-1
Rating:             important
References:         #1160467 #1160468
Cross-References:   CVE-2019-14896 CVE-2019-14897
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Linux Enterprise Module for Live Patching 15-SP1
                    SUSE Linux Enterprise Module for Live Patching 15
                    SUSE Linux Enterprise Live Patching 12-SP5
                    SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for the Linux Kernel 3.12.74-60_64_110 fixes several issues.

   The following security issues were fixed:

   - CVE-2019-14896: A heap-based buffer overflow vulnerability was found in
     the Marvell WiFi chip driver. A remote attacker could cause a denial of
     service (system crash) or possibly execute arbitrary code when the
     lbs_ibss_join_existing function is called after a STA connects to an AP
     (bsc#1157157).
   - CVE-2019-14897: A stack-based buffer overflow was found in the Marvell
     WiFi chip driver. An attacker was able to cause a denial of service
     (system crash) or possibly execute arbitrary code when a STA works in
     IBSS mode (allows connecting stations together without the use of an
     AP) and connects to another STA (bsc#1157155).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-182=1 SUSE-SLE-SAP-12-SP3-2020-184=1 SUSE-SLE-SAP-12-SP3-2020-187=1 SUSE-SLE-SAP-12-SP3-2020-189=1 SUSE-SLE-SAP-12-SP3-2020-203=1 SUSE-SLE-SAP-12-SP3-2020-205=1 SUSE-SLE-SAP-12-SP3-2020-208=1 SUSE-SLE-SAP-12-SP3-2020-211=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-192=1 SUSE-SLE-SAP-12-SP2-2020-194=1 SUSE-SLE-SAP-12-SP2-2020-196=1 SUSE-SLE-SAP-12-SP2-2020-198=1 SUSE-SLE-SAP-12-SP2-2020-200=1 SUSE-SLE-SAP-12-SP2-2020-202=1 SUSE-SLE-SAP-12-SP2-2020-204=1
   - SUSE Linux Enterprise Server for SAP 12-SP1:
      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-206=1 SUSE-SLE-SAP-12-SP1-2020-207=1 SUSE-SLE-SAP-12-SP1-2020-209=1 SUSE-SLE-SAP-12-SP1-2020-210=1 SUSE-SLE-SAP-12-SP1-2020-212=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-182=1 SUSE-SLE-SERVER-12-SP3-2020-184=1 SUSE-SLE-SERVER-12-SP3-2020-187=1 SUSE-SLE-SERVER-12-SP3-2020-189=1 SUSE-SLE-SERVER-12-SP3-2020-203=1 SUSE-SLE-SERVER-12-SP3-2020-205=1 SUSE-SLE-SERVER-12-SP3-2020-208=1 SUSE-SLE-SERVER-12-SP3-2020-211=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-192=1 SUSE-SLE-SERVER-12-SP2-2020-194=1 SUSE-SLE-SERVER-12-SP2-2020-196=1 SUSE-SLE-SERVER-12-SP2-2020-198=1 SUSE-SLE-SERVER-12-SP2-2020-200=1 SUSE-SLE-SERVER-12-SP2-2020-202=1 SUSE-SLE-SERVER-12-SP2-2020-204=1
   - SUSE Linux Enterprise Server 12-SP1-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-206=1 SUSE-SLE-SERVER-12-SP1-2020-207=1 SUSE-SLE-SERVER-12-SP1-2020-209=1 SUSE-SLE-SERVER-12-SP1-2020-210=1 SUSE-SLE-SERVER-12-SP1-2020-212=1
   - SUSE Linux Enterprise Module for Live Patching 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-161=1
   - SUSE Linux Enterprise Module for Live Patching 15:
      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-170=1
   - SUSE Linux Enterprise Live Patching 12-SP5:
      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-180=1 SUSE-SLE-Live-Patching-12-SP5-2020-181=1
   - SUSE Linux Enterprise Live Patching 12-SP4:
      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-185=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      kgraft-patch-4_4_175-94_79-default-8-2.1
      kgraft-patch-4_4_175-94_79-default-debuginfo-8-2.1
      kgraft-patch-4_4_176-94_88-default-7-2.1
      kgraft-patch-4_4_176-94_88-default-debuginfo-7-2.1
      kgraft-patch-4_4_178-94_91-default-7-2.1
      kgraft-patch-4_4_178-94_91-default-debuginfo-7-2.1
      kgraft-patch-4_4_180-94_100-default-5-2.1
      kgraft-patch-4_4_180-94_100-default-debuginfo-5-2.1
      kgraft-patch-4_4_180-94_103-default-5-2.1
      kgraft-patch-4_4_180-94_103-default-debuginfo-5-2.1
      kgraft-patch-4_4_180-94_107-default-3-2.1
      kgraft-patch-4_4_180-94_107-default-debuginfo-3-2.1
      kgraft-patch-4_4_180-94_113-default-2-2.1
      kgraft-patch-4_4_180-94_113-default-debuginfo-2-2.1
      kgraft-patch-4_4_180-94_97-default-7-2.1
      kgraft-patch-4_4_180-94_97-default-debuginfo-7-2.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      kgraft-patch-4_4_121-92_101-default-8-2.1
      kgraft-patch-4_4_121-92_104-default-8-2.1
      kgraft-patch-4_4_121-92_109-default-8-2.1
      kgraft-patch-4_4_121-92_114-default-7-2.1
      kgraft-patch-4_4_121-92_117-default-6-2.1
      kgraft-patch-4_4_121-92_120-default-5-2.1
      kgraft-patch-4_4_121-92_125-default-3-2.1
   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
      kgraft-patch-3_12_74-60_64_110-default-8-2.1
      kgraft-patch-3_12_74-60_64_110-xen-8-2.1
      kgraft-patch-3_12_74-60_64_115-default-7-2.1
      kgraft-patch-3_12_74-60_64_115-xen-7-2.1
      kgraft-patch-3_12_74-60_64_118-default-5-2.1
      kgraft-patch-3_12_74-60_64_118-xen-5-2.1
      kgraft-patch-3_12_74-60_64_121-default-5-2.1
      kgraft-patch-3_12_74-60_64_121-xen-5-2.1
      kgraft-patch-3_12_74-60_64_124-default-3-2.1
      kgraft-patch-3_12_74-60_64_124-xen-3-2.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64):
      kgraft-patch-4_4_175-94_79-default-8-2.1
      kgraft-patch-4_4_175-94_79-default-debuginfo-8-2.1
      kgraft-patch-4_4_176-94_88-default-7-2.1
      kgraft-patch-4_4_176-94_88-default-debuginfo-7-2.1
      kgraft-patch-4_4_178-94_91-default-7-2.1
      kgraft-patch-4_4_178-94_91-default-debuginfo-7-2.1
      kgraft-patch-4_4_180-94_100-default-5-2.1
      kgraft-patch-4_4_180-94_100-default-debuginfo-5-2.1
      kgraft-patch-4_4_180-94_103-default-5-2.1
      kgraft-patch-4_4_180-94_103-default-debuginfo-5-2.1
      kgraft-patch-4_4_180-94_107-default-3-2.1
      kgraft-patch-4_4_180-94_107-default-debuginfo-3-2.1
      kgraft-patch-4_4_180-94_113-default-2-2.1
      kgraft-patch-4_4_180-94_113-default-debuginfo-2-2.1
      kgraft-patch-4_4_180-94_97-default-7-2.1
      kgraft-patch-4_4_180-94_97-default-debuginfo-7-2.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):
      kgraft-patch-4_4_121-92_101-default-8-2.1
      kgraft-patch-4_4_121-92_104-default-8-2.1
      kgraft-patch-4_4_121-92_109-default-8-2.1
      kgraft-patch-4_4_121-92_114-default-7-2.1
      kgraft-patch-4_4_121-92_117-default-6-2.1
      kgraft-patch-4_4_121-92_120-default-5-2.1
      kgraft-patch-4_4_121-92_125-default-3-2.1
   - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):
      kgraft-patch-3_12_74-60_64_110-default-8-2.1
      kgraft-patch-3_12_74-60_64_110-xen-8-2.1
      kgraft-patch-3_12_74-60_64_115-default-7-2.1
      kgraft-patch-3_12_74-60_64_115-xen-7-2.1
      kgraft-patch-3_12_74-60_64_118-default-5-2.1
      kgraft-patch-3_12_74-60_64_118-xen-5-2.1
      kgraft-patch-3_12_74-60_64_121-default-5-2.1
      kgraft-patch-3_12_74-60_64_121-xen-5-2.1
      kgraft-patch-3_12_74-60_64_124-default-3-2.1
      kgraft-patch-3_12_74-60_64_124-xen-3-2.1
   - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):
      kernel-livepatch-4_12_14-197_29-default-2-2.1
   - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):
      kernel-livepatch-4_12_14-150_47-default-2-2.1
      kernel-livepatch-4_12_14-150_47-default-debuginfo-2-2.1
   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le x86_64):
      kgraft-patch-4_12_14-122_12-default-2-2.1
      kgraft-patch-4_12_14-122_7-default-2-2.1
   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64):
      kgraft-patch-4_12_14-95_45-default-2-2.1

References:

   https://www.suse.com/security/cve/CVE-2019-14896.html
   https://www.suse.com/security/cve/CVE-2019-14897.html
   https://bugzilla.suse.com/1160467
   https://bugzilla.suse.com/1160468

From sle-updates at lists.suse.com  Wed Jan 22 13:12:19 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 22 Jan 2020 21:12:19 +0100 (CET)
Subject: SUSE-RU-2020:0214-1: moderate: Recommended update for rpmlint
Message-ID: <20200122201219.B7F42F796@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for rpmlint
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0214-1
Rating:             moderate
References:         #1151418 #1157663
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for rpmlint contains the following fixes:

   - Whitelist sssd infopipe. (bsc#1157663)
   - Whitelist sysprof3 D-Bus services. (bsc#1151418)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-214=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
      rpmlint-mini-1.10-7.6.1
      rpmlint-mini-debuginfo-1.10-7.6.1
      rpmlint-mini-debugsource-1.10-7.6.1

References:

   https://bugzilla.suse.com/1151418
   https://bugzilla.suse.com/1157663

From sle-updates at lists.suse.com  Wed Jan 22 16:11:28 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 23 Jan 2020 00:11:28 +0100 (CET)
Subject: SUSE-SU-2020:0213-1: important: Security update for java-11-openjdk
Message-ID: <20200122231128.CC781F798@maintenance.suse.de>

   SUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0213-1
Rating:             important
References:         #1160968
Cross-References:   CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601
                    CVE-2020-2604 CVE-2020-2654 CVE-2020-2655
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.
Description:

   This update for java-11-openjdk fixes the following issues:

   Update to version jdk-11.0.6-10 (January 2020 CPU, bsc#1160968)

   Fixing these security related issues:

   - CVE-2020-2583: Unlink Set of LinkedHashSets
   - CVE-2020-2590: Improve Kerberos interop capabilities
   - CVE-2020-2593: Normalize normalization for all
   - CVE-2020-2601: Better Ticket Granting Services
   - CVE-2020-2604: Better serial filter handling
   - CVE-2020-2655: Better TLS messaging support
   - CVE-2020-2654: Improve Object Identifier Processing

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-213=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-213=1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-213=1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-213=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-213=1
   - SUSE Linux Enterprise Module for Basesystem 15:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-213=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-213=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-213=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      java-11-openjdk-11.0.6.0-3.39.2
      java-11-openjdk-debuginfo-11.0.6.0-3.39.2
      java-11-openjdk-debugsource-11.0.6.0-3.39.2
      java-11-openjdk-demo-11.0.6.0-3.39.2
      java-11-openjdk-devel-11.0.6.0-3.39.2
      java-11-openjdk-headless-11.0.6.0-3.39.2
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      java-11-openjdk-11.0.6.0-3.39.2
      java-11-openjdk-debuginfo-11.0.6.0-3.39.2
      java-11-openjdk-debugsource-11.0.6.0-3.39.2
      java-11-openjdk-demo-11.0.6.0-3.39.2
      java-11-openjdk-devel-11.0.6.0-3.39.2
      java-11-openjdk-headless-11.0.6.0-3.39.2
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
      java-11-openjdk-accessibility-11.0.6.0-3.39.2
      java-11-openjdk-accessibility-debuginfo-11.0.6.0-3.39.2
      java-11-openjdk-debuginfo-11.0.6.0-3.39.2
      java-11-openjdk-debugsource-11.0.6.0-3.39.2
      java-11-openjdk-jmods-11.0.6.0-3.39.2
      java-11-openjdk-src-11.0.6.0-3.39.2
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
      java-11-openjdk-javadoc-11.0.6.0-3.39.2
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
      java-11-openjdk-11.0.6.0-3.39.2
      java-11-openjdk-accessibility-11.0.6.0-3.39.2
      java-11-openjdk-accessibility-debuginfo-11.0.6.0-3.39.2
      java-11-openjdk-debuginfo-11.0.6.0-3.39.2
      java-11-openjdk-debugsource-11.0.6.0-3.39.2
      java-11-openjdk-demo-11.0.6.0-3.39.2
      java-11-openjdk-devel-11.0.6.0-3.39.2
      java-11-openjdk-headless-11.0.6.0-3.39.2
      java-11-openjdk-jmods-11.0.6.0-3.39.2
      java-11-openjdk-src-11.0.6.0-3.39.2
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
      java-11-openjdk-javadoc-11.0.6.0-3.39.2
   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      java-11-openjdk-11.0.6.0-3.39.2
      java-11-openjdk-debuginfo-11.0.6.0-3.39.2
      java-11-openjdk-debugsource-11.0.6.0-3.39.2
      java-11-openjdk-demo-11.0.6.0-3.39.2
      java-11-openjdk-devel-11.0.6.0-3.39.2
      java-11-openjdk-headless-11.0.6.0-3.39.2
   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
      java-11-openjdk-11.0.6.0-3.39.2
      java-11-openjdk-debuginfo-11.0.6.0-3.39.2
      java-11-openjdk-debugsource-11.0.6.0-3.39.2
      java-11-openjdk-demo-11.0.6.0-3.39.2
      java-11-openjdk-devel-11.0.6.0-3.39.2
      java-11-openjdk-headless-11.0.6.0-3.39.2
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      java-11-openjdk-11.0.6.0-3.39.2
      java-11-openjdk-debuginfo-11.0.6.0-3.39.2
      java-11-openjdk-debugsource-11.0.6.0-3.39.2
      java-11-openjdk-demo-11.0.6.0-3.39.2
      java-11-openjdk-devel-11.0.6.0-3.39.2
      java-11-openjdk-headless-11.0.6.0-3.39.2
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      java-11-openjdk-11.0.6.0-3.39.2
      java-11-openjdk-debuginfo-11.0.6.0-3.39.2
      java-11-openjdk-debugsource-11.0.6.0-3.39.2
      java-11-openjdk-demo-11.0.6.0-3.39.2
      java-11-openjdk-devel-11.0.6.0-3.39.2
      java-11-openjdk-headless-11.0.6.0-3.39.2

References:

   https://www.suse.com/security/cve/CVE-2020-2583.html
   https://www.suse.com/security/cve/CVE-2020-2590.html
   https://www.suse.com/security/cve/CVE-2020-2593.html
   https://www.suse.com/security/cve/CVE-2020-2601.html
   https://www.suse.com/security/cve/CVE-2020-2604.html
   https://www.suse.com/security/cve/CVE-2020-2654.html
   https://www.suse.com/security/cve/CVE-2020-2655.html
   https://bugzilla.suse.com/1160968

From sle-updates at lists.suse.com  Wed Jan 22 16:12:09 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 23 Jan 2020 00:12:09 +0100 (CET)
Subject: SUSE-SU-2020:0183-1: important: Security update for the Linux Kernel (Live Patch 0 for SLE 12 SP5)
Message-ID: <20200122231209.2DBB5F798@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 0 for SLE 12 SP5)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0183-1
Rating:             important
References:         #1103203 #1149841 #1151021 #1153108 #1153161 #1157770
                    #1160467 #1160468
Cross-References:   CVE-2019-10220 CVE-2019-14835 CVE-2019-14896 CVE-2019-14897
                    CVE-2019-17133
Affected Products:
                    SUSE Linux Enterprise Live Patching 12-SP5
______________________________________________________________________________
   An update that solves 5 vulnerabilities and has three fixes is now available.

Description:

   This update for the Linux Kernel 4.12.14-120 fixes several issues.

   The following security issues were fixed:

   - CVE-2019-14896: A heap-based buffer overflow vulnerability was found in
     the Marvell WiFi chip driver. A remote attacker could cause a denial of
     service (system crash) or possibly execute arbitrary code when the
     lbs_ibss_join_existing function is called after a STA connects to an AP
     (bsc#1157157).
   - CVE-2019-14897: A stack-based buffer overflow was found in the Marvell
     WiFi chip driver. An attacker was able to cause a denial of service
     (system crash) or possibly execute arbitrary code when a STA works in
     IBSS mode (allows connecting stations together without the use of an
     AP) and connects to another STA (bsc#1157155).
   - CVE-2019-10220: The CIFS implementation was vulnerable to relative path
     injection in directory entry lists (bsc#1144903).
   - CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid()
     in net/wireless/wext-sme.c, because the function did not reject a long
     SSID IE (bsc#1153158).
   - CVE-2019-14835: A buffer overflow flaw was fixed in the vhost
     functionality that translates virtqueue buffers to IOVs and logs the
     buffer descriptors during migration. A privileged guest user able to
     pass descriptors with invalid length to the host when migration is
     underway could use this flaw to increase their privileges on the host
     (bsc#1150112).
   - xen/pv: Fixed a boot up hang where domain_crash_sync was called from
     entry.S (bsc#1153811).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
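   The two wireless bugs above (the libertas overflow in lbs_ibss_join_existing,
   also shipped as SUSE-SU-2020:0204-1, and the cfg80211 SSID overflow) have the
   same shape: an 802.11 information element carries its own length byte, and
   that byte was trusted when the payload was copied into a fixed-size buffer.
   What follows is an added example, not kernel or SUSE code, of a bounds-checked
   IE walker in C. The element IDs and the 32-octet SSID limit are the 802.11
   values; the MAX_RATES buffer size, the struct bss_desc layout, the
   demo_* helpers and the sample IE lists are constructed for the illustration,
   and the advisory does not say which element the libertas copy came from, so
   using the supported-rates element as the second fixed-size destination is an
   assumption.

```c
/*
 * Added example, not kernel or SUSE code: a bounds-checked walk over 802.11
 * information elements (IEs). Each IE is <id:1><len:1><payload:len>, and the
 * length byte is chosen by whoever sent the frame. The unsafe pattern both
 * advisories describe is memcpy(dst, ie + 2, ie[1]) with no check of ie[1]
 * against sizeof dst; ie[1] can be anything up to 255.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEEE80211_MAX_SSID_LEN 32   /* 802.11: an SSID is 0..32 octets */
#define MAX_RATES 14                /* assumption: size of the rates buffer we fill */

enum { WLAN_EID_SSID = 0, WLAN_EID_SUPP_RATES = 1 };

struct bss_desc {                   /* constructed for the example */
    uint8_t ssid[IEEE80211_MAX_SSID_LEN];
    size_t  ssid_len;
    uint8_t rates[MAX_RATES];
    size_t  rates_len;
};

/*
 * Walk the IE list in ies[0..len). Returns 0 on success and -1 if any element
 * runs past the end of the buffer or would not fit its destination. On -1,
 * *out is left untouched so callers never act on a half-filled descriptor.
 */
int parse_ies(const uint8_t *ies, size_t len, struct bss_desc *out)
{
    struct bss_desc tmp;
    memset(&tmp, 0, sizeof tmp);

    while (len >= 2) {
        uint8_t id = ies[0];
        size_t elen = ies[1];
        const uint8_t *payload = ies + 2;

        if (elen > len - 2)                     /* claims more bytes than remain */
            return -1;

        switch (id) {
        case WLAN_EID_SSID:
            if (elen > IEEE80211_MAX_SSID_LEN)  /* reject an over-long SSID IE */
                return -1;
            memcpy(tmp.ssid, payload, elen);
            tmp.ssid_len = elen;
            break;
        case WLAN_EID_SUPP_RATES:
            if (elen > MAX_RATES)               /* bound by the destination size */
                return -1;
            memcpy(tmp.rates, payload, elen);
            tmp.rates_len = elen;
            break;
        default:                                /* unknown elements are skipped */
            break;
        }
        ies += 2 + elen;
        len -= 2 + elen;
    }
    if (len != 0)                               /* a lone trailing byte is malformed */
        return -1;

    *out = tmp;
    return 0;
}

/* Constructed IE lists (not captured traffic) exercising the parser. */

/* Well-formed list: returns the parsed SSID length (3), or a negative code. */
int demo_valid(void)
{
    static const uint8_t ies[] = {
        0x00, 0x03, 'l', 'a', 'b',              /* SSID "lab" */
        0x01, 0x04, 0x82, 0x84, 0x8b, 0x96,     /* rates 1, 2, 5.5, 11 Mbit/s */
        0xdd, 0x02, 0xaa, 0xbb,                 /* vendor-specific, skipped */
    };
    struct bss_desc d;
    if (parse_ies(ies, sizeof ies, &d) != 0)
        return -1;
    if (d.rates_len != 4 || memcmp(d.ssid, "lab", 3) != 0)
        return -2;
    return (int)d.ssid_len;
}

/* One element of the given id whose payload is `claimed` bytes of filler. */
int demo_oversized(uint8_t id, uint8_t claimed)
{
    uint8_t ies[2 + 255];
    struct bss_desc d;
    ies[0] = id;
    ies[1] = claimed;
    memset(ies + 2, 0x41, claimed);
    return parse_ies(ies, (size_t)2 + claimed, &d);
}

/* Element whose length byte (16) exceeds the bytes actually present (2). */
int demo_truncated(void)
{
    static const uint8_t ies[] = { 0x00, 0x10, 'a', 'b' };
    struct bss_desc d;
    return parse_ies(ies, sizeof ies, &d);
}

int main(void)
{
    printf("valid: ssid_len=%d\n", demo_valid());
    printf("ssid 40: %d, ssid 32: %d, rates 20: %d, rates 14: %d, truncated: %d\n",
           demo_oversized(WLAN_EID_SSID, 40), demo_oversized(WLAN_EID_SSID, 32),
           demo_oversized(WLAN_EID_SUPP_RATES, 20), demo_oversized(WLAN_EID_SUPP_RATES, 14),
           demo_oversized(WLAN_EID_SSID, 0) < 0 ? -1 : demo_truncated());
    return 0;
}
```

   Two design points carry over to any TLV parser: the length check is against
   the remaining input before the element is read, and against the destination
   before it is copied; and the result is published only after the whole list
   has passed, so a rejected frame cannot leave a partly overwritten descriptor
   behind.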
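   CVE-2019-10220 above is a different trust problem: a directory listing comes
   from the server, and a name in it is a single path component only if the
   client checks that it is. The following is an added example in C, not Linux
   CIFS code and not SUSE's, of the check a client can run on each wire-supplied
   name before it becomes a dentry name or is appended to a local path. The
   NAME_MAX_LEN constant, the name_verdict enum, the join_child helper and the
   constructed sample listing are assumptions for the illustration; the kernel's
   own fix is not reproduced here.

```c
/*
 * Added example, not Linux CIFS or SUSE code: validating directory-entry
 * names received from a remote file server. A listing is attacker-controlled
 * input if the server is; a name must be a single path component before it
 * becomes a dentry or is appended to a local path, otherwise "../x" or "a/b"
 * in the listing steers the client outside the directory it asked for.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 255          /* assumption: the client's per-component limit */

enum name_verdict {
    NAME_OK = 0,
    NAME_EMPTY,
    NAME_DOT,          /* "." or "..": not a child of the listed directory */
    NAME_SEPARATOR,    /* contains '/' or '\\' */
    NAME_NUL,          /* embedded NUL: wire length and C string would disagree */
    NAME_TOO_LONG
};

/* name[0..len) comes from the wire and is not assumed NUL-terminated. */
enum name_verdict check_dirent_name(const char *name, size_t len)
{
    if (len == 0)
        return NAME_EMPTY;
    if (len > NAME_MAX_LEN)
        return NAME_TOO_LONG;
    if ((len == 1 && name[0] == '.') ||
        (len == 2 && name[0] == '.' && name[1] == '.'))
        return NAME_DOT;
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '/' || name[i] == '\\')
            return NAME_SEPARATOR;
        if (name[i] == '\0')
            return NAME_NUL;
    }
    return NAME_OK;
}

/*
 * Append a validated entry name to a local directory path. Returns 0, or -1
 * with out[0] == '\0' if the name is rejected or the result would not fit.
 */
int join_child(const char *dir, const char *name, size_t len,
               char *out, size_t outsz)
{
    out[0] = '\0';
    if (check_dirent_name(name, len) != NAME_OK)
        return -1;
    size_t dlen = strlen(dir);
    if (dlen + 1 + len + 1 > outsz)
        return -1;
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, len);
    out[dlen + 1 + len] = '\0';
    return 0;
}

/* Constructed listing as a hostile server might return it (not captured data).
 * Returns how many of the five names are rejected: 4. */
int demo_rejected_count(void)
{
    static const char *const names[] = { "report.txt", "../../etc", "..", "sub\\dir", "" };
    int rejected = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (check_dirent_name(names[i], strlen(names[i])) != NAME_OK)
            rejected++;
    return rejected;
}

/* 0 if a clean name joins as expected and a traversal name is refused. */
int demo_join(void)
{
    char out[64];
    if (join_child("/mnt/share", "report.txt", 10, out, sizeof out) != 0)
        return -1;
    if (strcmp(out, "/mnt/share/report.txt") != 0)
        return -2;
    if (join_child("/mnt/share", "../../etc/passwd", 16, out, sizeof out) != -1)
        return -3;
    if (out[0] != '\0')
        return -4;
    return 0;
}

int main(void)
{
    printf("rejected %d of 5 names, join demo: %d\n", demo_rejected_count(), demo_join());
    return 0;
}
```

   The verdict is an enum rather than a boolean so the caller can log why a
   server was refused; a sudden run of NAME_SEPARATOR verdicts from one share is
   worth an alert, not just a skipped entry.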
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12-SP5:
      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-183=1

Package List:

   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le x86_64):
      kgraft-patch-4_12_14-120-default-2-3.1
      kgraft-patch-4_12_14-120-default-debuginfo-2-3.1
      kgraft-patch-SLE12-SP5_Update_0-debugsource-2-3.1

References:

   https://www.suse.com/security/cve/CVE-2019-10220.html
   https://www.suse.com/security/cve/CVE-2019-14835.html
   https://www.suse.com/security/cve/CVE-2019-14896.html
   https://www.suse.com/security/cve/CVE-2019-14897.html
   https://www.suse.com/security/cve/CVE-2019-17133.html
   https://bugzilla.suse.com/1103203
   https://bugzilla.suse.com/1149841
   https://bugzilla.suse.com/1151021
   https://bugzilla.suse.com/1153108
   https://bugzilla.suse.com/1153161
   https://bugzilla.suse.com/1157770
   https://bugzilla.suse.com/1160467
   https://bugzilla.suse.com/1160468

From sle-updates at lists.suse.com  Thu Jan 23 00:04:41 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 23 Jan 2020 08:04:41 +0100 (CET)
Subject: SUSE-CU-2020:24-1: Recommended update of suse/sle15
Message-ID: <20200123070441.51134F798@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:24-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.135
Severity              : moderate
Type                  : recommended
References            : 1161198 1161203 1161215 1161216 1161218 1161219 1161220
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:156-1
Released:    Wed Jan 22 08:02:11 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1161215,1161216,1161218,1161219,1161220

Description:
This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value (bsc#1161219)
- FIPS: libgcrypt DSA PQG verification incorrect results (bsc#1161215)
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported (bsc#1161220)
- FIPS: keywrap gives incorrect results (bsc#1161218)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:157-1
Released:    Wed Jan 22 08:02:51 2020
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1161198,1161203

Description:
This update for openssl-1_1 fixes the following issues:

- Fix FIPS DRBG without derivation function (bsc#1161198)
- Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203)

From sle-updates at lists.suse.com  Thu Jan 23 04:11:17 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 23 Jan 2020 12:11:17 +0100 (CET)
Subject: SUSE-RU-2020:0217-1: moderate: Recommended update for perl-Crypt-SSLeay
Message-ID: <20200123111117.400D4F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for perl-Crypt-SSLeay
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0217-1
Rating:             moderate
References:         #1149792
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15
______________________________________________________________________________

   An update that has one recommended fix can now be installed.
Description:

   This update for perl-Crypt-SSLeay fixes the following issues:

   - Fix build not testing content of returned version strings
   - Add missing zlib build dependency, which used to be pulled in by
     libopenssl-devel. (bsc#1149792)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-217=1
   - SUSE Linux Enterprise Module for Development Tools 15:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-217=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
      perl-Crypt-SSLeay-0.72-5.3.1
      perl-Crypt-SSLeay-debuginfo-0.72-5.3.1
      perl-Crypt-SSLeay-debugsource-0.72-5.3.1
   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):
      perl-Crypt-SSLeay-0.72-5.3.1
      perl-Crypt-SSLeay-debuginfo-0.72-5.3.1
      perl-Crypt-SSLeay-debugsource-0.72-5.3.1

References:

   https://bugzilla.suse.com/1149792

From sle-updates at lists.suse.com  Thu Jan 23 04:12:01 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 23 Jan 2020 12:12:01 +0100 (CET)
Subject: SUSE-RU-2020:0218-1: moderate: Recommended update for yast2-installation
Message-ID: <20200123111201.102AFF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for yast2-installation
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0218-1
Rating:             moderate
References:         #1138117
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15
                    SUSE Linux Enterprise Installer 15
______________________________________________________________________________

   An update that has one recommended fix can now be installed.
Description:

   This update for yast2-installation fixes the following issues:

   - Downloading files: Remounting CD with bind option correctly if the CD has
     already been mounted (bsc#1138117).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-218=1
   - SUSE Linux Enterprise Installer 15:
      zypper in -t patch SUSE-SLE-INSTALLER-15-2020-218=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15 (noarch):
      yast2-installation-4.0.75-3.16.1
   - SUSE Linux Enterprise Installer 15 (noarch):
      yast2-installation-4.0.75-3.16.1

References:

   https://bugzilla.suse.com/1138117

From sle-updates at lists.suse.com  Thu Jan 23 04:12:44 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 23 Jan 2020 12:12:44 +0100 (CET)
Subject: SUSE-RU-2020:0216-1: moderate: Recommended update for gimp-help
Message-ID: <20200123111244.C75DBF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for gimp-help
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0216-1
Rating:             moderate
References:         #1158656
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for gimp-help fixes the following issues:

   - Add _constraints for ppc64/ppc64le as build failed with 3.5G disk
     (bsc#1158656).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP1:
      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-216=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP1 (noarch):
      gimp-help-2.8.2-3.3.2
      gimp-help-ca-2.8.2-3.3.2
      gimp-help-da-2.8.2-3.3.2
      gimp-help-de-2.8.2-3.3.2
      gimp-help-el-2.8.2-3.3.2
      gimp-help-en_GB-2.8.2-3.3.2
      gimp-help-es-2.8.2-3.3.2
      gimp-help-fi-2.8.2-3.3.2
      gimp-help-fr-2.8.2-3.3.2
      gimp-help-hr-2.8.2-3.3.2
      gimp-help-it-2.8.2-3.3.2
      gimp-help-ja-2.8.2-3.3.2
      gimp-help-ko-2.8.2-3.3.2
      gimp-help-lt-2.8.2-3.3.2
      gimp-help-nl-2.8.2-3.3.2
      gimp-help-nn-2.8.2-3.3.2
      gimp-help-pl-2.8.2-3.3.2
      gimp-help-pt_BR-2.8.2-3.3.2
      gimp-help-ru-2.8.2-3.3.2
      gimp-help-sl-2.8.2-3.3.2
      gimp-help-sv-2.8.2-3.3.2
      gimp-help-zh-2.8.2-3.3.2

References:

   https://bugzilla.suse.com/1158656

From sle-updates at lists.suse.com  Thu Jan 23 07:47:39 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 23 Jan 2020 15:47:39 +0100 (CET)
Subject: SUSE-CU-2020:25-1: Security update of sles12/registry
Message-ID: <20200123144739.5A62EF798@maintenance.suse.de>

SUSE Container Update Advisory: sles12/registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:25-1
Container Tags        : sles12/registry:2.6.2
Severity              : important
Type                  : security
References            : 1049825 1082318 1093414 1104902 1107617 1114674 1116995 1123919
                        1124847 1128828 1131830 1134550 1136298 1137053 1137832 1139870
                        1139942 1140039 1140631 1140914 1141093 1142614 1142661 1143194
                        1143273 1145521 1145575 1145738 1145740 1145741 1145742 1146415
                        1148987 1149429 1149496 1150003 1150250 1150595 1150734 1151577
                        1153386 1153557 1154036 1154037 1154043 1154862 1154948 1155199
                        1155338 1155339 1157198 1158586 1158763 1159162 1160571
                        CVE-2018-10754 CVE-2018-18311 CVE-2019-10081 CVE-2019-10082
                        CVE-2019-10092 CVE-2019-10098 CVE-2019-12749 CVE-2019-13050
                        CVE-2019-13057 CVE-2019-13565 CVE-2019-13627
                        CVE-2019-14866 CVE-2019-1547 CVE-2019-1563 CVE-2019-15903
                        CVE-2019-17498 CVE-2019-17594 CVE-2019-17595 CVE-2019-18900
                        CVE-2019-3688 CVE-2019-3690 CVE-2019-5188 CVE-2019-5482
                        CVE-2019-9517 CVE-2019-9893 SLE-10396 SLE-7081 SLE-7257
-----------------------------------------------------------------

The container sles12/registry was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2120-1
Released:    Wed Aug 14 11:17:39 2019
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1136298,SLE-7257

Description:
This update for pam fixes the following issues:

- Enable pam_userdb.so (SLE-7257,bsc#1136298)
- Upgraded pam_userdb to 1.3.1. (bsc#1136298)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2264-1
Released:    Mon Sep 2 09:07:12 2019
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1114674,CVE-2018-18311

Description:
This update for perl fixes the following issues:

Security issue fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2288-1
Released: Wed Sep 4 14:22:47 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1104902,1107617,1137053,1142661
Description:
This update for systemd fixes the following issues:
- Fixes an issue where the kernel took very long to unmount a user's runtime directory (bsc#1104902)
- udevd: changed the default value of udev.children-max (again) (bsc#1107617)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2329-1
Released: Fri Sep 6 16:08:08 2019
Summary: Security update for apache2
Type: security
Severity: important
References: 1145575,1145738,1145740,1145741,1145742,CVE-2019-10081,CVE-2019-10082,CVE-2019-10092,CVE-2019-10098,CVE-2019-9517
Description:
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2019-9517: Fixed HTTP/2 implementations that are vulnerable to unconstrained internal data buffering (bsc#1145575).
- CVE-2019-10081: Fixed memory corruption in mod_http2 on early pushes (bsc#1145742).
- CVE-2019-10082: Fixed a read-after-free in mod_http2 during h2 connection shutdown (bsc#1145741).
- CVE-2019-10092: Fixed limited cross-site scripting in mod_proxy (bsc#1145740).
- CVE-2019-10098: Fixed an open redirect reachable through mod_rewrite configurations (bsc#1145738).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2372-1 Released: Thu Sep 12 14:01:27 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1139942,1140914,SLE-7081 Description: This update for krb5 fixes the following issues: - Fix missing responder if there is no pre-auth; (bsc#1139942) - Load mechglue config files from /etc/gss/mech.d; (bsc#1140914, jsc#SLE-7081) - Fix impersonate_name to work with interposers; (bsc#1140914, jsc#SLE-7081) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2339-1 Released: Thu Sep 12 14:17:53 2019 Summary: Security update for curl Type: security Severity: important References: 1149496,CVE-2019-5482 Description: This update for curl fixes the following issues: Security issue fixed: - CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2390-1 Released: Tue Sep 17 15:46:02 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1143194,1143273,CVE-2019-13057,CVE-2019-13565 Description: This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2019-13565: Fixed ssf memory reuse that leads to incorrect authorization of another connection, granting excess connection rights (ssf) (bsc#1143194). - CVE-2019-13057: Fixed rootDN of a backend that may proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2413-1 Released: Fri Sep 20 10:44:26 2019 Summary: Security update for openssl Type: security Severity: moderate References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563 Description: This update for openssl fixes the following issues: OpenSSL Security Advisory [10 September 2019] - CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003). - CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2440-1 Released: Mon Sep 23 17:15:13 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 Description: This update for expat fixes the following issues: Security issue fixed: - CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2480-1 Released: Fri Sep 27 13:12:08 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1124847,1141093,CVE-2019-13050 Description: This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093) Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2510-1 Released: Tue Oct 1 17:37:12 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,CVE-2019-13627 Description: This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigated ECDSA timing attack. 
(bsc#1148987) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2818-1 Released: Tue Oct 29 17:22:01 2019 Summary: Recommended update for zypper and libzypp Type: recommended Severity: important References: 1049825,1116995,1140039,1145521,1146415,1153557 Description: This update for zypper and libzypp fixes the following issues: Package: zypper - Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521) - Rephrased the file conflicts check summary (bsc#1140039) - Fixes an issue where the bash completion was wrongly expanded (bsc#1049825) Package: libzypp - Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes a file descriptor leak in the media backend (bsc#1116995) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2820-1 Released: Wed Oct 30 10:21:18 2019 Summary: Security update for dbus-1 Type: security Severity: important References: 1137832,CVE-2019-12749 Description: This update for dbus-1 fixes the following issues: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2887-1 Released: Mon Nov 4 17:31:49 2019 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1139870 Description: This update for apparmor provides the following fix: - Change pathname in logprof.conf and use check_qualifiers() in autodep to make sure apparmor does not generate profiles for programs marked as not having their own profiles. 
(bsc#1139870) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2898-1 Released: Tue Nov 5 17:00:27 2019 Summary: Recommended update for systemd Type: recommended Severity: important References: 1140631,1150595,1154948 Description: This update for systemd fixes the following issues: - sd-bus: deal with cookie overruns (bsc#1150595) - rules: Add by-id symlinks for persistent memory (bsc#1140631) - Drop the old fds used for logging and reopen them in the sub process before doing any new logging. (bsc#1154948) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2936-1 Released: Fri Nov 8 13:19:55 2019 Summary: Security update for libssh2_org Type: security Severity: moderate References: 1154862,CVE-2019-17498 Description: This update for libssh2_org fixes the following issue: - CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2941-1 Released: Tue Nov 12 10:03:32 2019 Summary: Security update for libseccomp Type: security Severity: moderate References: 1082318,1128828,1142614,CVE-2019-9893 Description: This update for libseccomp fixes the following issues: Update to new upstream release 2.4.1: * Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. 
Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates
Update to release 2.3.3:
* Updated the syscall table for Linux v4.15-rc7
Update to release 2.3.2:
* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is set to true
* Several small documentation fixes
- Ignore make check errors on ppc64/ppc64le to bypass bsc#1142614
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3003-1
Released: Tue Nov 19 10:12:33 2019
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1153386,SLE-10396
Description:
This update for procps provides the
following fixes:
- Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396)
- Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3064-1
Released: Mon Nov 25 18:44:36 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866
Description:
This update for cpio fixes the following issues:
- CVE-2019-14866: Fixed improper validation of the values written into a TAR header by the to_oct() function, which could have led to unexpected TAR output (bsc#1155199).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3085-1
Released: Thu Nov 28 10:01:53 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919
Description:
This update for libxml2 does not fix any additional security issues; it corrects the RPM changelog so that it lists all CVEs fixed in the past.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3094-1
Released: Thu Nov 28 16:47:52 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2018-10754: Fixed a denial of service caused by a NULL pointer dereference in _nc_parse_entry() (bsc#1131830).
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c (bsc#1154037).
Bug fixes:
- Fixed ppc64le build configuration (bsc#1134550).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3132-1
Released: Tue Dec 3 10:52:14 2019
Summary: Recommended update for update-alternatives
Type: recommended
Severity: moderate
References: 1154043
Description:
This update for update-alternatives fixes the following issues:
- Fix post-install scripts: test that the file actually exists before calling update-alternatives. (bsc#1154043)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3180-1
Released: Thu Dec 5 11:42:40 2019
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
Description:
This update for permissions fixes the following issues:
- CVE-2019-3688: Corrected the ownership of /usr/sbin/pinger to root:squid; the previous wrong ownership could have allowed the squid user to gain persistence by modifying the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3342-1
Released: Thu Dec 19 11:04:35 2019
Summary: Recommended update for elfutils
Type: recommended
Severity: moderate
References: 1151577
Description:
This update for elfutils fixes the following issues:
- Add require of 'libebl1' for 'libelf1'.
(bsc#1151577)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3364-1
Released: Thu Dec 19 19:20:52 2019
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References: 1158586,1159162
Description:
This update for ncurses fixes the following issues:
- Work around a bug of the old upstream gen-pkgconfig (bsc#1159162)
- Remove doubled library path options (bsc#1159162)
- Also remove private requirements, as (lib)tinfo is binary compatible with the normal and wide versions of (lib)ncurses (bsc#1158586, bsc#1159162)
- Fix the last change: add the missed library linker paths as well as the missed include directories for non-standard paths (bsc#1158586, bsc#1159162)
- Do not mix include directories of different ncurses ABIs (bsc#1158586)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:79-1
Released: Mon Jan 13 10:37:34 2020
Summary: Security update for libzypp
Type: security
Severity: moderate
References: 1158763,CVE-2019-18900
Description:
This update for libzypp fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed a cookie file that was world readable (bsc#1158763).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:86-1
Released: Mon Jan 13 14:12:22 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188
Description:
This update for e2fsprogs fixes the following issues:
- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:106-1 Released: Wed Jan 15 12:50:55 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1155338,1155339 Description: This update for libgcrypt fixes the following issues: - Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode - Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338) From sle-updates at lists.suse.com Thu Jan 23 10:11:35 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 23 Jan 2020 18:11:35 +0100 (CET) Subject: SUSE-RU-2020:0222-1: moderate: Recommended update for ucode-intel Message-ID: <20200123171135.46625F798@maintenance.suse.de> SUSE Recommended Update: Recommended update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0222-1 Rating: moderate References: #1160478 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for ucode-intel fixes the following issues: Reverted the Skylake Server Intel Microcode below to 0x02000064 due to occasional faults during warm-boot (bsc#1160478) - SKX-SP H0/M0/U0 6-55-4/b7 02000064->02000065 Xeon Scalable Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-222=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): ucode-intel-20191115-3.19.1 References: https://bugzilla.suse.com/1160478 From sle-updates at lists.suse.com Thu Jan 23 10:12:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 23 Jan 2020 18:12:19 +0100 (CET) Subject: SUSE-RU-2020:0219-1: moderate: Recommended update for resource-agents Message-ID: <20200123171219.BEFA9F798@maintenance.suse.de> SUSE Recommended Update: Recommended update for resource-agents ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0219-1 Rating: moderate References: #1137130 Affected Products: SUSE Linux Enterprise High Availability 12-SP5 SUSE Linux Enterprise High Availability 12-SP4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for resource-agents fixes the following issues: - Fix the CTDB resource agent for use by Samba 4.9.0 and later (bsc#1137130) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 12-SP5: zypper in -t patch SUSE-SLE-HA-12-SP5-2020-219=1 - SUSE Linux Enterprise High Availability 12-SP4: zypper in -t patch SUSE-SLE-HA-12-SP4-2020-219=1 Package List: - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64): ldirectord-4.3.018.a7fb5035-3.36.1 resource-agents-4.3.018.a7fb5035-3.36.1 resource-agents-debuginfo-4.3.018.a7fb5035-3.36.1 resource-agents-debugsource-4.3.018.a7fb5035-3.36.1 - SUSE Linux Enterprise High Availability 12-SP5 (noarch): monitoring-plugins-metadata-4.3.018.a7fb5035-3.36.1 - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64): ldirectord-4.3.018.a7fb5035-3.36.1 resource-agents-4.3.018.a7fb5035-3.36.1 resource-agents-debuginfo-4.3.018.a7fb5035-3.36.1 resource-agents-debugsource-4.3.018.a7fb5035-3.36.1 - SUSE Linux Enterprise High Availability 12-SP4 (noarch): monitoring-plugins-metadata-4.3.018.a7fb5035-3.36.1 References: https://bugzilla.suse.com/1137130 From sle-updates at lists.suse.com Thu Jan 23 10:13:02 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 23 Jan 2020 18:13:02 +0100 (CET) Subject: SUSE-RU-2020:0220-1: moderate: Recommended update for ucode-intel Message-ID: <20200123171302.4B84AF798@maintenance.suse.de> SUSE Recommended Update: Recommended update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0220-1 Rating: moderate References: #1160478 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
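The check an administrator wants after this microcode revert (the same revert is announced for SLE 15-SP1 and SLE 12-SP5 in SUSE-RU-2020:0222-1 and SUSE-RU-2020:0221-1) is whether the affected CPUs are still running the withdrawn revision. The script below is an added example, not part of the SUSE advisory or of the ucode-intel package: it parses /proc/cpuinfo, selects CPUs whose family/model/stepping match the 6-55-4 signature named in the advisory (the model field in /proc/cpuinfo is decimal, so 0x55 appears there as 85), and reports whether the loaded revision is the withdrawn 0x02000065 or the reverted-to 0x02000064. The embedded /proc/cpuinfo text is constructed for the example; on a real host the script reads the live file.

```python
"""Report which CPUs match the Skylake-SP signature from the advisory and
which microcode revision each one is running.

Added example; not part of the SUSE advisory or the ucode-intel package.
"""
import os
import re
import sys

# Signature from the advisory line "SKX-SP H0/M0/U0 6-55-4/b7": family 6,
# model 0x55, stepping 4. /proc/cpuinfo prints these fields in decimal,
# so model 0x55 shows up there as 85.
SKX_SP_SIGNATURE = (6, 0x55, 4)
REVERTED_TO = 0x02000064   # revision shipped by the reverted package
WITHDRAWN = 0x02000065     # revision pulled because of warm-boot faults

# Constructed sample of /proc/cpuinfo (only the fields this check reads).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
stepping\t: 4
microcode\t: 0x2000065

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
stepping\t: 4
microcode\t: 0x2000064

processor\t: 2
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 79
stepping\t: 1
microcode\t: 0xb000038
"""


def parse_cpuinfo(text):
    """Return one dict of field -> value per 'processor' stanza."""
    cpus = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus


def classify(cpu):
    """Return (matches_skx_sp, microcode_revision) for one parsed stanza.
    Stanzas without x86 signature fields (e.g. on arm64) are reported as
    not affected with revision None."""
    try:
        signature = (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
        revision = int(cpu["microcode"], 16)
    except (KeyError, ValueError):
        return False, None
    return signature == SKX_SP_SIGNATURE, revision


def report(text):
    """Return (processor, affected, revision, status) for every CPU."""
    rows = []
    for cpu in parse_cpuinfo(text):
        affected, rev = classify(cpu)
        if not affected:
            status = "not SKX-SP 6-55-4; advisory does not apply"
        elif rev == WITHDRAWN:
            status = "running withdrawn 0x02000065; reboot after installing the update"
        elif rev == REVERTED_TO:
            status = "running 0x02000064, the reverted-to revision"
        else:
            status = "running another revision; compare with the package contents"
        rows.append((int(cpu["processor"]), affected, rev, status))
    return rows


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/cpuinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_CPUINFO
    for proc, _, rev, status in report(text):
        shown = "0x%08x" % rev if rev is not None else "n/a"
        print("cpu%d: microcode %s: %s" % (proc, shown, status))
```

Two caveats when reading the output: the microcode field reflects what was loaded at boot, so installing the reverted package changes nothing until the host is rebooted; and the kernel only applies a microcode file whose revision is higher than the one already running, so a platform whose firmware itself ships 0x02000065 will keep reporting it regardless of which ucode-intel package is installed.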
Description: This update for ucode-intel fixes the following issues: Reverted the Skylake Server Intel CPU Microcode below to 0x02000064 due to occasional faults during warm-boot (bsc#1160478): - SKX-SP H0/M0/U0 6-55-4/b7 02000064->02000065 Xeon Scalable Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-220=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-220=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-220=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-220=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (x86_64): ucode-intel-20191115-3.37.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): ucode-intel-20191115-3.37.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): ucode-intel-20191115-3.37.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): ucode-intel-20191115-3.37.1 References: https://bugzilla.suse.com/1160478 From sle-updates at lists.suse.com Thu Jan 23 10:13:44 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 23 Jan 2020 18:13:44 +0100 (CET) Subject: SUSE-RU-2020:0221-1: moderate: Recommended update for ucode-intel Message-ID: <20200123171344.25819F798@maintenance.suse.de> SUSE Recommended Update: Recommended update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0221-1 Rating: moderate References: #1160478 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that 
has one recommended fix can now be installed. Description: This update for ucode-intel fixes the following issues: Reverted the Skylake Server Intel CPU Microcode below to 0x02000064 due to occasional faults during warm-boot (bsc#1160478): - SKX-SP H0/M0/U0 6-55-4/b7 02000064->02000065 Xeon Scalable Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-221=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (x86_64): ucode-intel-20191115-3.6.1 ucode-intel-debuginfo-20191115-3.6.1 ucode-intel-debugsource-20191115-3.6.1 References: https://bugzilla.suse.com/1160478 From sle-updates at lists.suse.com Thu Jan 23 13:11:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 23 Jan 2020 21:11:10 +0100 (CET) Subject: SUSE-SU-2020:0223-1: moderate: Security update for samba Message-ID: <20200123201110.8D1ADF796@maintenance.suse.de> SUSE Security Update: Security update for samba ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0223-1 Rating: moderate References: #1141320 #1160850 #1160852 #1160888 Cross-References: CVE-2019-14902 CVE-2019-14907 CVE-2019-19344 Affected Products: SUSE Linux Enterprise Module for Python2 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Availability 15-SP1 SUSE Enterprise Storage 6 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. 
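The Package List that follows is the ground truth for whether a host is fixed: the patch is applied when every listed package that is installed is at or above the listed version-release. On a live system `zypper patch-check` answers that; for an inventory captured elsewhere (an `rpm -qa` dump from a forensic image or a container layer) one has to compare RPM version strings by rpm's own ordering, not lexically. The script below is an added example, not SUSE tooling: it implements the rpmvercmp segment ordering (numeric beats alpha, '~' marks a pre-release, longer wins on a tie; the '^' marker is left out), splits the advisory's name-version-release strings, and audits a constructed inventory against a subset of the samba packages from this advisory. The older samba-client release and the older libwbclient0 git snapshot in the inventory are invented to exercise the comparison and are not real SUSE builds.

```python
"""Check an `rpm -qa` style package inventory against an advisory's
Package List using RPM's version-ordering rules.

Added example; not SUSE tooling. `zypper patch-check` remains the
supported way on a live system.
"""
import re

# Subset of the samba Package List from SUSE-SU-2020:0223-1 (Basesystem 15-SP1).
ADVISORY_PACKAGES = """
samba-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-client-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-libs-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-winbind-4.9.5+git.243.e76c5cb3d97-3.21.1
libwbclient0-4.9.5+git.243.e76c5cb3d97-3.21.1
"""

# Constructed stand-in for:  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# The older samba-client release and the older libwbclient0 snapshot are
# invented for the example; they are not real SUSE builds.
INSTALLED = """
samba-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-client-4.9.5+git.243.e76c5cb3d97-3.18.1
samba-libs-4.9.5+git.243.e76c5cb3d97-3.21.1
libwbclient0-4.9.5+git.221.c8a7e4bfd2b-3.15.2
bash-4.4-9.10.1
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Order two version or release strings the way rpm's rpmvercmp() does:
    alternating numeric/alpha segments, numeric compared as integers and
    ranking above alpha, '~' sorting before anything (pre-releases), and the
    longer string winning when all shared segments are equal.
    Returns -1, 0 or 1.  The '^' post-release marker is not implemented."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":            # a trailing pre-release marker loses
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def split_nvr(nvr):
    """'libsamba-policy0-4.9.5+git.243.e76c5cb3d97-3.21.1' ->
    ('libsamba-policy0', '4.9.5+git.243.e76c5cb3d97', '3.21.1').
    Version and release cannot contain '-', so splitting from the right is safe."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def evr_cmp(installed, fixed):
    """Compare (version, release) pairs; the release decides only on equal versions."""
    return rpmvercmp(installed[0], fixed[0]) or rpmvercmp(installed[1], fixed[1])


def audit(advisory_list, installed_list):
    """Return {package: 'ok' | 'VULNERABLE'} for each advisory package that is
    installed.  Packages absent from the host are not reported, since the fix
    only matters where the package exists.  Epoch is ignored; the names in the
    advisory carry none."""
    fixed = {n: (v, r) for n, v, r in map(split_nvr, advisory_list.split())}
    result = {}
    for nvr in installed_list.split():
        name, version, release = split_nvr(nvr)
        if name in fixed:
            result[name] = "ok" if evr_cmp((version, release), fixed[name]) >= 0 else "VULNERABLE"
    return result


if __name__ == "__main__":
    for name, status in sorted(audit(ADVISORY_PACKAGES, INSTALLED).items()):
        print("%-14s %s" % (name, status))
```

The comparison is per package, which matters here: a host can have samba at the fixed release while samba-client lags behind, and the advisory is only fully applied when none of its installed packages report VULNERABLE.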
Description:
This update for samba fixes the following issues:
Security issues fixed:
- CVE-2019-14907: Fixed a server-side crash after a charset conversion failure during NTLMSSP processing (bsc#1160888).
- CVE-2019-14902: Fixed an issue where automatic replication of ACLs down a subtree of the AD directory was not working (bsc#1160850).
- CVE-2019-19344: Fixed a server crash when "dns zone scavenging = yes" is configured (bsc#1160852).
Non-security issue fixed:
- Fixed Ceph snapshot path handling relative to root (bsc#1141320).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Python2 15-SP1:
zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-223=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-223=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-223=1
- SUSE Linux Enterprise High Availability 15-SP1:
zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-223=1
- SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2020-223=1
Package List:
- SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64):
libsamba-policy0-4.9.5+git.243.e76c5cb3d97-3.21.1
libsamba-policy0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-ad-dc-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-ad-dc-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-debugsource-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-dsdb-modules-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-dsdb-modules-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-libs-python-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-libs-python-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-python-4.9.5+git.243.e76c5cb3d97-3.21.1
samba-python-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): ctdb-pcp-pmda-4.9.5+git.243.e76c5cb3d97-3.21.1 ctdb-pcp-pmda-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 ctdb-tests-4.9.5+git.243.e76c5cb3d97-3.21.1 ctdb-tests-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-policy-python-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-debugsource-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-test-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-test-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 x86_64): samba-ceph-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-ceph-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libdcerpc-samr0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1 libdcerpc-samr0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-policy0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-policy0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-policy0-python3-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-policy0-python3-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbclient0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbclient0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-ad-dc-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-ad-dc-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-client-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-client-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-libs-python-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-libs-python-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-libs-python3-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-libs-python3-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): 
samba-doc-4.9.5+git.243.e76c5cb3d97-3.21.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libdcerpc-binding0-4.9.5+git.243.e76c5cb3d97-3.21.1 libdcerpc-binding0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libdcerpc-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libdcerpc-samr-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libdcerpc-samr0-4.9.5+git.243.e76c5cb3d97-3.21.1 libdcerpc-samr0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libdcerpc0-4.9.5+git.243.e76c5cb3d97-3.21.1 libdcerpc0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr-krb5pac-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr-krb5pac0-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr-krb5pac0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr-nbt-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr-nbt0-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr-nbt0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr-standard-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr-standard0-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr-standard0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr0-4.9.5+git.243.e76c5cb3d97-3.21.1 libndr0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libnetapi-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libnetapi0-4.9.5+git.243.e76c5cb3d97-3.21.1 libnetapi0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-credentials-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-credentials0-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-credentials0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-errors-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-errors0-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-errors0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-hostconfig-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-hostconfig0-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-hostconfig0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-passdb-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-passdb0-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-passdb0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 
libsamba-policy-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-policy-python3-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-policy0-python3-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-policy0-python3-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-util-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-util0-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamba-util0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamdb-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamdb0-4.9.5+git.243.e76c5cb3d97-3.21.1 libsamdb0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbclient-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbclient0-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbclient0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbconf-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbconf0-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbconf0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbldap-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbldap2-4.9.5+git.243.e76c5cb3d97-3.21.1 libsmbldap2-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libtevent-util-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libtevent-util0-4.9.5+git.243.e76c5cb3d97-3.21.1 libtevent-util0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 libwbclient-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 libwbclient0-4.9.5+git.243.e76c5cb3d97-3.21.1 libwbclient0-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-client-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-client-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-core-devel-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-debugsource-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-libs-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-libs-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-libs-python3-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-libs-python3-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-python3-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-python3-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1 samba-winbind-4.9.5+git.243.e76c5cb3d97-3.21.1 
      samba-winbind-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      libdcerpc-binding0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libdcerpc-binding0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libdcerpc0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libdcerpc0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libndr-krb5pac0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libndr-krb5pac0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libndr-nbt0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libndr-nbt0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libndr-standard0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libndr-standard0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libndr0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libndr0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libnetapi0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libnetapi0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamba-credentials0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamba-credentials0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamba-errors0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamba-errors0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamba-hostconfig0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamba-hostconfig0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamba-passdb0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamba-passdb0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamba-util0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamba-util0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamdb0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsamdb0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsmbconf0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsmbconf0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsmbldap2-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libsmbldap2-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libtevent-util0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libtevent-util0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      libwbclient0-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      libwbclient0-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      samba-libs-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      samba-libs-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      samba-winbind-32bit-4.9.5+git.243.e76c5cb3d97-3.21.1
      samba-winbind-32bit-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1

   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):

      ctdb-4.9.5+git.243.e76c5cb3d97-3.21.1
      ctdb-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      samba-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      samba-debugsource-4.9.5+git.243.e76c5cb3d97-3.21.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      samba-ceph-4.9.5+git.243.e76c5cb3d97-3.21.1
      samba-ceph-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      samba-debuginfo-4.9.5+git.243.e76c5cb3d97-3.21.1
      samba-debugsource-4.9.5+git.243.e76c5cb3d97-3.21.1

References:

   https://www.suse.com/security/cve/CVE-2019-14902.html
   https://www.suse.com/security/cve/CVE-2019-14907.html
   https://www.suse.com/security/cve/CVE-2019-19344.html
   https://bugzilla.suse.com/1141320
   https://bugzilla.suse.com/1160850
   https://bugzilla.suse.com/1160852
   https://bugzilla.suse.com/1160888

From sle-updates at lists.suse.com Thu Jan 23 13:12:17 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 23 Jan 2020 21:12:17 +0100 (CET)
Subject: SUSE-SU-2020:0224-1: moderate: Security update for samba
Message-ID: <20200123201217.57305F796@maintenance.suse.de>

SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0224-1
Rating:             moderate
References:         #1160850 #1160888
Cross-References:   CVE-2019-14902 CVE-2019-14907
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for samba fixes the following issues:

   - CVE-2019-14902: Fixed an issue where automatic replication of ACLs down a
     subtree of the AD directory was not working (bsc#1160850).
   - CVE-2019-14907: Fixed a server-side crash after a charset conversion
     failure during NTLMSSP processing (bsc#1160888).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-224=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-224=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2020-224=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-224=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-224=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-224=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-224=1

   - SUSE Linux Enterprise High Availability 15:

      zypper in -t patch SUSE-SLE-Product-HA-15-2020-224=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libdcerpc-binding0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-binding0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-policy-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-policy0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-core-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debugsource-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):

      libdcerpc-binding0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-binding0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libdcerpc-binding0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-binding0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-policy-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-policy0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-core-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debugsource-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15 (aarch64 ppc64le s390x x86_64):

      samba-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debugsource-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-python-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      ctdb-pcp-pmda-4.7.11+git.218.58b95cbfc0f-4.37.1
      ctdb-pcp-pmda-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      ctdb-tests-4.7.11+git.218.58b95cbfc0f-4.37.1
      ctdb-tests-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debugsource-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-python-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-test-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-test-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      samba-doc-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      libdcerpc-binding0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-binding0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-policy-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-policy0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-core-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debugsource-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise Module for Basesystem 15 (x86_64):

      libdcerpc-binding0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-binding0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libdcerpc-binding0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-binding0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-policy-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-policy0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-core-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debugsource-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      libdcerpc-binding0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-binding0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libdcerpc-binding0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-binding0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-samr0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-policy-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-policy0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-core-devel-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-debugsource-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      libdcerpc-binding0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc-binding0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libdcerpc0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-krb5pac0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-nbt0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr-standard0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libndr0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libnetapi0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-credentials0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-errors0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-hostconfig0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-passdb0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamba-util0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsamdb0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbclient0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbconf0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libsmbldap2-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libtevent-util0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      libwbclient0-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-client-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-libs-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-32bit-4.7.11+git.218.58b95cbfc0f-4.37.1
      samba-winbind-32bit-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1

   - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):

      ctdb-4.7.11+git.218.58b95cbfc0f-4.37.1
      ctdb-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
samba-debuginfo-4.7.11+git.218.58b95cbfc0f-4.37.1
samba-debugsource-4.7.11+git.218.58b95cbfc0f-4.37.1

References:

https://www.suse.com/security/cve/CVE-2019-14902.html
https://www.suse.com/security/cve/CVE-2019-14907.html
https://bugzilla.suse.com/1160850
https://bugzilla.suse.com/1160888

From sle-updates at lists.suse.com Fri Jan 24 07:11:20 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 24 Jan 2020 15:11:20 +0100 (CET)
Subject: SUSE-RU-2020:0227-1: moderate: Recommended update for aaa_base
Message-ID: <20200124141120.F0117F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for aaa_base
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:0227-1
Rating: moderate
References: #1084934 #1115020 #1118364 #1128246 #1149127 #1157794 #910904
Affected Products:
 SUSE Linux Enterprise Software Development Kit 12-SP5
 SUSE Linux Enterprise Software Development Kit 12-SP4
 SUSE Linux Enterprise Server 12-SP5
 SUSE Linux Enterprise Server 12-SP4
 SUSE Linux Enterprise Desktop 12-SP4
 SUSE CaaS Platform 3.0
______________________________________________________________________________

An update that has 7 recommended fixes can now be installed.

Description:

This update for aaa_base fixes the following issues:

- Use the official key binding function names in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Reduce the list in /opt/* to gnome, kde4, and kde3. (bsc#910904, bsc#1149127)
- Update the logic for the JRE_HOME variable. (bsc#1128246)
- Restore the old position of the ssh/sudo source of profile. (bsc#1118364)
- Revert "Avoid NAT on Bridges. Bridges are L2 devices, really." (bsc#1115020)
- Generalize testing for JVM system variables, supporting other shells when creating the java path.
(boo#1157794)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
 zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-227=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
 zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-227=1
- SUSE Linux Enterprise Server 12-SP5:
 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-227=1
- SUSE Linux Enterprise Server 12-SP4:
 zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-227=1
- SUSE Linux Enterprise Desktop 12-SP4:
 zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-227=1
- SUSE CaaS Platform 3.0:
 To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
 aaa_base-debuginfo-13.2+git20140911.61c1681-38.22.1
 aaa_base-debugsource-13.2+git20140911.61c1681-38.22.1
 aaa_base-malloccheck-13.2+git20140911.61c1681-38.22.1
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
 aaa_base-debuginfo-13.2+git20140911.61c1681-38.22.1
 aaa_base-debugsource-13.2+git20140911.61c1681-38.22.1
 aaa_base-malloccheck-13.2+git20140911.61c1681-38.22.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
 aaa_base-13.2+git20140911.61c1681-38.22.1
 aaa_base-debuginfo-13.2+git20140911.61c1681-38.22.1
 aaa_base-debugsource-13.2+git20140911.61c1681-38.22.1
 aaa_base-extras-13.2+git20140911.61c1681-38.22.1
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
 aaa_base-13.2+git20140911.61c1681-38.22.1
 aaa_base-debuginfo-13.2+git20140911.61c1681-38.22.1
 aaa_base-debugsource-13.2+git20140911.61c1681-38.22.1
 aaa_base-extras-13.2+git20140911.61c1681-38.22.1
- SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
 aaa_base-13.2+git20140911.61c1681-38.22.1
 aaa_base-debuginfo-13.2+git20140911.61c1681-38.22.1
 aaa_base-debugsource-13.2+git20140911.61c1681-38.22.1
 aaa_base-extras-13.2+git20140911.61c1681-38.22.1
- SUSE CaaS Platform 3.0 (x86_64):
 aaa_base-13.2+git20140911.61c1681-38.22.1
 aaa_base-debuginfo-13.2+git20140911.61c1681-38.22.1
 aaa_base-debugsource-13.2+git20140911.61c1681-38.22.1

References:

https://bugzilla.suse.com/1084934
https://bugzilla.suse.com/1115020
https://bugzilla.suse.com/1118364
https://bugzilla.suse.com/1128246
https://bugzilla.suse.com/1149127
https://bugzilla.suse.com/1157794
https://bugzilla.suse.com/910904

From sle-updates at lists.suse.com Fri Jan 24 07:13:36 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 24 Jan 2020 15:13:36 +0100 (CET)
Subject: SUSE-SU-2020:0228-1: moderate: Security update for slurm
Message-ID: <20200124141336.5138AF798@maintenance.suse.de>

SUSE Security Update: Security update for slurm
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0228-1
Rating: moderate
References: #1153259 #1155784 #1158696
Cross-References: CVE-2019-19727
Affected Products:
 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
 SUSE Linux Enterprise Module for HPC 15-SP1
 SUSE Linux Enterprise Module for HPC 15
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update for slurm fixes the following issues:

- CVE-2019-19727: Fix permissions of configuration file 'slurmdbd.conf' (bsc#1155784).
- Fix ownership of /var/spool/slurm on new installations and upgrade (bsc#1158696).
- Fix '%posttrans' macro to cope with added newline (bsc#1153259).
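CVE-2019-19727 above is a file-permission defect rather than a code bug: slurmdbd.conf carries the accounting database credential (the StoragePass setting, per Slurm's own documentation), so any local user who can read the file can read the database password. The advisory only says the permissions are fixed. The check below is an added example, not SUSE's or SchedMD's code: it audits a secret-bearing configuration file for permission bits beyond 0600, wrong ownership and symlink indirection, and demonstrates the before/after on a constructed world-readable copy in a temporary directory. The 0600 limit and the expectation that the file is owned by the SlurmUser account are assumptions taken from Slurm's documentation, not from the advisory.

```python
import os
import pwd
import stat
import tempfile


def check_private_config(path, owner=None, max_mode=0o600):
    """Audit a configuration file that holds secrets.

    Returns a list of findings; an empty list means the file passes. Findings:
      - the file is missing (or is a dangling symlink),
      - it is a symlink (its target is audited, but the indirection is reported),
      - its permission bits exceed max_mode (0600: owner read/write only),
      - it is not owned by the expected service account (owner=None skips this).
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]

    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink, auditing its target")
        try:
            st = os.stat(path)  # follow the link for the remaining checks
        except FileNotFoundError:
            findings.append(f"{path}: dangling symlink")
            return findings

    perm = stat.S_IMODE(st.st_mode)
    extra = perm & ~max_mode  # any bit not allowed by max_mode is a finding
    if extra:
        findings.append(
            f"{path}: mode {perm:04o} grants {extra:04o} beyond {max_mode:04o}"
        )

    if owner is not None:
        actual = pwd.getpwuid(st.st_uid).pw_name
        if actual != owner:
            findings.append(f"{path}: owned by {actual}, expected {owner}")

    return findings


def selfcheck():
    """Constructed demonstration: a slurmdbd.conf copy in a temporary directory,
    first world-readable (the defect class this advisory fixes), then repaired
    to 0600. Returns (findings_before, findings_after)."""
    me = pwd.getpwuid(os.getuid()).pw_name  # stands in for SlurmUser here
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "slurmdbd.conf")
    with open(path, "w") as fh:
        # constructed sample content, not a real configuration
        fh.write("# sample slurmdbd.conf\nStoragePass=not-a-real-password\n")

    os.chmod(path, 0o644)  # vulnerable state: every local user can read the password
    before = check_private_config(path, owner=me)

    os.chmod(path, 0o600)  # the fix: owner-only access
    after = check_private_config(path, owner=me)
    return before, after


if __name__ == "__main__":
    # Real-world use, as root on an affected host (path and user per Slurm's docs):
    #   check_private_config("/etc/slurm/slurmdbd.conf", owner="slurm")
    before, after = selfcheck()
    print("before:", before or "ok")
    print("after: ", after or "ok")
```

The owner check matters as much as the mode: a 0600 file owned by the wrong account is either unreadable by slurmdbd or readable by someone who should not have it. Run the audit again after every package update, since a spec-file regression of exactly this kind is what the advisory corrects.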
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
 zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-228=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
 zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-228=1
- SUSE Linux Enterprise Module for HPC 15-SP1:
 zypper in -t patch SUSE-SLE-Module-HPC-15-SP1-2020-228=1
- SUSE Linux Enterprise Module for HPC 15:
 zypper in -t patch SUSE-SLE-Module-HPC-15-2020-228=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le s390x):
 libslurm32-17.11.13-6.23.1
 libslurm32-debuginfo-17.11.13-6.23.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
 slurm-debuginfo-17.11.13-6.23.1
 slurm-debugsource-17.11.13-6.23.1
 slurm-openlava-17.11.13-6.23.1
 slurm-seff-17.11.13-6.23.1
 slurm-sjstat-17.11.13-6.23.1
 slurm-sview-17.11.13-6.23.1
 slurm-sview-debuginfo-17.11.13-6.23.1
- SUSE Linux Enterprise Module for HPC 15-SP1 (aarch64 x86_64):
 libslurm32-17.11.13-6.23.1
 libslurm32-debuginfo-17.11.13-6.23.1
- SUSE Linux Enterprise Module for HPC 15 (aarch64 x86_64):
 libpmi0-17.11.13-6.23.1
 libpmi0-debuginfo-17.11.13-6.23.1
 libslurm32-17.11.13-6.23.1
 libslurm32-debuginfo-17.11.13-6.23.1
 perl-slurm-17.11.13-6.23.1
 perl-slurm-debuginfo-17.11.13-6.23.1
 slurm-17.11.13-6.23.1
 slurm-auth-none-17.11.13-6.23.1
 slurm-auth-none-debuginfo-17.11.13-6.23.1
 slurm-config-17.11.13-6.23.1
 slurm-debuginfo-17.11.13-6.23.1
 slurm-debugsource-17.11.13-6.23.1
 slurm-devel-17.11.13-6.23.1
 slurm-doc-17.11.13-6.23.1
 slurm-lua-17.11.13-6.23.1
 slurm-lua-debuginfo-17.11.13-6.23.1
 slurm-munge-17.11.13-6.23.1
 slurm-munge-debuginfo-17.11.13-6.23.1
 slurm-node-17.11.13-6.23.1
 slurm-node-debuginfo-17.11.13-6.23.1
 slurm-pam_slurm-17.11.13-6.23.1
 slurm-pam_slurm-debuginfo-17.11.13-6.23.1
 slurm-plugins-17.11.13-6.23.1
 slurm-plugins-debuginfo-17.11.13-6.23.1
 slurm-slurmdbd-17.11.13-6.23.1
 slurm-slurmdbd-debuginfo-17.11.13-6.23.1
 slurm-sql-17.11.13-6.23.1
 slurm-sql-debuginfo-17.11.13-6.23.1
 slurm-torque-17.11.13-6.23.1
 slurm-torque-debuginfo-17.11.13-6.23.1

References:

https://www.suse.com/security/cve/CVE-2019-19727.html
https://bugzilla.suse.com/1153259
https://bugzilla.suse.com/1155784
https://bugzilla.suse.com/1158696

From sle-updates at lists.suse.com Fri Jan 24 07:12:53 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 24 Jan 2020 15:12:53 +0100 (CET)
Subject: SUSE-RU-2020:0225-1: moderate: Recommended update for procps
Message-ID: <20200124141253.40EA5F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for procps
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:0225-1
Rating: moderate
References: #1158830
Affected Products:
 SUSE Linux Enterprise Module for Basesystem 15-SP1
 SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for procps fixes the following issues:

- Fix "ps -C" so that it accepts arguments longer than 15 characters. (bsc#1158830)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-225=1
- SUSE Linux Enterprise Module for Basesystem 15:
 zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-225=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
 libprocps7-3.3.15-7.10.2
 libprocps7-debuginfo-3.3.15-7.10.2
 procps-3.3.15-7.10.2
 procps-debuginfo-3.3.15-7.10.2
 procps-debugsource-3.3.15-7.10.2
 procps-devel-3.3.15-7.10.2
- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
 libprocps7-3.3.15-7.10.2
 libprocps7-debuginfo-3.3.15-7.10.2
 procps-3.3.15-7.10.2
 procps-debuginfo-3.3.15-7.10.2
 procps-debugsource-3.3.15-7.10.2
 procps-devel-3.3.15-7.10.2

References:

https://bugzilla.suse.com/1158830

From sle-updates at lists.suse.com Fri Jan 24 07:14:31 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 24 Jan 2020 15:14:31 +0100 (CET)
Subject: SUSE-RU-2020:0230-1: Recommended update for ses-manual_en
Message-ID: <20200124141431.D1F57F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for ses-manual_en
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:0230-1
Rating: low
References: #1113529 #1123188 #1138864 #1142514 #1154568 #1155012 #1155450 #1156631 #1157538 #1157885 #1158106 #1158222 #1158944 #1160080 #1160219
Affected Products:
 SUSE Enterprise Storage 6
______________________________________________________________________________

An update that has 15 recommended fixes can now be installed.

Description:

This is an update for the SUSE Enterprise Storage 6 manual:

- Added release notes for ceph 14.2.5 (bsc#1158944)

Besides the release notes of ceph 14.2.5, the following changes have been made as well:

- Run upgrade.check runner to verify upgrade conditions (jsc#SES-356)
- Overriding default NTP settings (bsc#1160080)
- Removing specific instances of x86 in favor of (bsc#1155012)
- Adding new portblock resource section (bsc#1123188)
- 'salt osd.retain' is obsolete (bsc#1160219)
- Made network recommendations more specific (bsc#1156631)
- Additional software channels (bsc#1158106)
- Updating the "ceph mds set" command (bsc#1157885)
- Section about @/var/lib/ceph subvolume now covers all scenarios (bsc#1155450)
- Added new prompts and updated their occurrences (bsc#1142514)
- Adding additional information on non-SUSE OpenStack distros (bsc#1158222)
- Creating new monitoring and alerting chapter (bsc#1138864)
- Added a tip on monitoring cluster nodes' status during upgrade (bsc#1154568)
- Adding documented snapshot limitation (bsc#1157538)
- Updated a table of pool statistics with a complete description of its columns (bsc#1113529)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 6:
 zypper in -t patch SUSE-Storage-6-2020-230=1

Package List:

- SUSE Enterprise Storage 6 (noarch):
 ses-admin_en-pdf-6+git221.gb8e0ac0-3.23.1
 ses-deployment_en-pdf-6+git221.gb8e0ac0-3.23.1
 ses-manual_en-6+git221.gb8e0ac0-3.23.1

References:

https://bugzilla.suse.com/1113529
https://bugzilla.suse.com/1123188
https://bugzilla.suse.com/1138864
https://bugzilla.suse.com/1142514
https://bugzilla.suse.com/1154568
https://bugzilla.suse.com/1155012
https://bugzilla.suse.com/1155450
https://bugzilla.suse.com/1156631
https://bugzilla.suse.com/1157538
https://bugzilla.suse.com/1157885
https://bugzilla.suse.com/1158106
https://bugzilla.suse.com/1158222
https://bugzilla.suse.com/1158944
https://bugzilla.suse.com/1160080
https://bugzilla.suse.com/1160219

From sle-updates at lists.suse.com Fri Jan 24 07:17:45 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 24 Jan 2020 15:17:45 +0100 (CET)
Subject: SUSE-SU-2020:0226-1: important: Security update for tomcat
Message-ID: <20200124141745.B4B04F79E@maintenance.suse.de>

SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0226-1
Rating: important
References: #1139924 #1159723 #1159729 #1161025
Cross-References: CVE-2019-10072 CVE-2019-12418 CVE-2019-17563
Affected Products:
 SUSE Linux Enterprise Module for Web Scripting 15
 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________

An update that solves three vulnerabilities and has one erratum is now available.

Description:

This update for tomcat to version 9.0.30 fixes the following issues:

Security issues fixed:

- CVE-2019-12418: Fixed a local privilege escalation by manipulating the RMI registry (bsc#1159723).
- CVE-2019-17563: Fixed a session fixation attack when using FORM authentication (bsc#1159729).

Non-security issue fixed:

- Fixed a problem during startup, related to changes in Java 9+ APIs (bsc#1161025).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Web Scripting 15:
 zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-2020-226=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
 zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-226=1

Package List:

- SUSE Linux Enterprise Module for Web Scripting 15 (noarch):
 tomcat-9.0.30-3.34.1
 tomcat-admin-webapps-9.0.30-3.34.1
 tomcat-el-3_0-api-9.0.30-3.34.1
 tomcat-jsp-2_3-api-9.0.30-3.34.1
 tomcat-lib-9.0.30-3.34.1
 tomcat-servlet-4_0-api-9.0.30-3.34.1
 tomcat-webapps-9.0.30-3.34.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
 tomcat-docs-webapp-9.0.30-3.34.1
 tomcat-embed-9.0.30-3.34.1
 tomcat-javadoc-9.0.30-3.34.1
 tomcat-jsvc-9.0.30-3.34.1

References:

https://www.suse.com/security/cve/CVE-2019-10072.html
https://www.suse.com/security/cve/CVE-2019-12418.html
https://www.suse.com/security/cve/CVE-2019-17563.html
https://bugzilla.suse.com/1139924
https://bugzilla.suse.com/1159723
https://bugzilla.suse.com/1159729
https://bugzilla.suse.com/1161025

From sle-updates at lists.suse.com Fri Jan 24 07:16:47 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 24 Jan 2020 15:16:47 +0100 (CET)
Subject: SUSE-RU-2020:0229-1: moderate: Recommended update for crmsh
Message-ID: <20200124141647.DE37DF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for crmsh
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:0229-1
Rating: moderate
References: #1127095 #1129462 #1154163
Affected Products:
 SUSE Linux Enterprise High Availability 12-SP3
______________________________________________________________________________

An update that has three recommended fixes can now be installed.

Description:

This update for crmsh fixes the following issues:

- Fix crmsh.spec: use mktemp to create the temporary file (bsc#1154163)
- Feature: bootstrap: the maximum number of SBD devices is 3
- Feature: bootstrap: improve multi-disk SBD usability: support both '-s device1 -s device2' and '-s "device1;device2"', and improve the logic of the code
- Fix bootstrap: set the placement-strategy value to "default" (bsc#1129462)
- Fix corosync: reject appending an IP address to the config file if it is already present (bsc#1127095, 1127096)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability 12-SP3:
 zypper in -t patch SUSE-SLE-HA-12-SP3-2020-229=1

Package List:

- SUSE Linux Enterprise High Availability 12-SP3 (noarch):
 crmsh-3.0.4+git.1578471114.a5abe5e6-13.26.1
 crmsh-scripts-3.0.4+git.1578471114.a5abe5e6-13.26.1

References:

https://bugzilla.suse.com/1127095
https://bugzilla.suse.com/1129462
https://bugzilla.suse.com/1154163

From sle-updates at lists.suse.com Fri Jan 24 10:11:40 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 24 Jan 2020 18:11:40 +0100 (CET)
Subject: SUSE-SU-2020:0231-1: important: Security update for java-1_8_0-openjdk
Message-ID: <20200124171140.DB4FCF798@maintenance.suse.de>

SUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0231-1
Rating: important
References: #1160968
Cross-References: CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659
Affected Products:
 SUSE Linux Enterprise Server for SAP 15
 SUSE Linux Enterprise Server 15-LTSS
 SUSE Linux Enterprise Module for Packagehub Subpackages 15
 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
 SUSE Linux Enterprise Module for Legacy Software 15-SP1
 SUSE Linux Enterprise Module for Legacy Software 15
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for java-1_8_0-openjdk fixes the following issues:

Update java-1_8_0-openjdk to version jdk8u242 (icedtea 3.15.0) (January 2020 CPU, bsc#1160968):

- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-231=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-231=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2020-231=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-231=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-231=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-231=1 - SUSE Linux Enterprise Module for Legacy Software 15: zypper in -t patch SUSE-SLE-Module-Legacy-15-2020-231=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.242-3.30.2 java-1_8_0-openjdk-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-debugsource-1.8.0.242-3.30.2 java-1_8_0-openjdk-demo-1.8.0.242-3.30.2 java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-devel-1.8.0.242-3.30.2 java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-headless-1.8.0.242-3.30.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-3.30.2 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): java-1_8_0-openjdk-1.8.0.242-3.30.2 java-1_8_0-openjdk-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-debugsource-1.8.0.242-3.30.2 java-1_8_0-openjdk-demo-1.8.0.242-3.30.2 java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-devel-1.8.0.242-3.30.2 java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-headless-1.8.0.242-3.30.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-3.30.2 - SUSE Linux Enterprise Module for Packagehub Subpackages 15 (noarch): 
java-1_8_0-openjdk-javadoc-1.8.0.242-3.30.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-accessibility-1.8.0.242-3.30.2 java-1_8_0-openjdk-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-debugsource-1.8.0.242-3.30.2 java-1_8_0-openjdk-src-1.8.0.242-3.30.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): java-1_8_0-openjdk-javadoc-1.8.0.242-3.30.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-accessibility-1.8.0.242-3.30.2 java-1_8_0-openjdk-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-debugsource-1.8.0.242-3.30.2 java-1_8_0-openjdk-src-1.8.0.242-3.30.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch): java-1_8_0-openjdk-javadoc-1.8.0.242-3.30.2 - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.242-3.30.2 java-1_8_0-openjdk-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-debugsource-1.8.0.242-3.30.2 java-1_8_0-openjdk-demo-1.8.0.242-3.30.2 java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-devel-1.8.0.242-3.30.2 java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-headless-1.8.0.242-3.30.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-3.30.2 - SUSE Linux Enterprise Module for Legacy Software 15 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.242-3.30.2 java-1_8_0-openjdk-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-debugsource-1.8.0.242-3.30.2 java-1_8_0-openjdk-demo-1.8.0.242-3.30.2 java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-devel-1.8.0.242-3.30.2 java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-3.30.2 java-1_8_0-openjdk-headless-1.8.0.242-3.30.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-3.30.2 References: https://www.suse.com/security/cve/CVE-2020-2583.html 
https://www.suse.com/security/cve/CVE-2020-2590.html https://www.suse.com/security/cve/CVE-2020-2593.html https://www.suse.com/security/cve/CVE-2020-2601.html https://www.suse.com/security/cve/CVE-2020-2604.html https://www.suse.com/security/cve/CVE-2020-2654.html https://www.suse.com/security/cve/CVE-2020-2659.html https://bugzilla.suse.com/1160968 From sle-updates at lists.suse.com Fri Jan 24 13:11:17 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 24 Jan 2020 21:11:17 +0100 (CET) Subject: SUSE-SU-2020:0234-1: important: Security update for python Message-ID: <20200124201117.B46ABF798@maintenance.suse.de> SUSE Security Update: Security update for python ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0234-1 Rating: important References: #1027282 #1041090 #1042670 #1068664 #1073269 #1073748 #1078326 #1078485 #1079300 #1081750 #1083507 #1084650 #1086001 #1088004 #1088009 #1109847 #1111793 #1113755 #1122191 #1129346 #1130840 #1130847 #1138459 #1141853 #1149792 #1149955 #1153238 #1153830 #1159035 #214983 #298378 #346490 #367853 #379534 #380942 #399190 #406051 #425138 #426563 #430761 #432677 #436966 #437293 #441088 #462375 #525295 #534721 #551715 #572673 #577032 #581765 #603255 #617751 #637176 #638233 #658604 #673071 #682554 #697251 #707667 #718009 #747125 #747794 #751718 #754447 #766778 #794139 #804978 #827982 #831442 #834601 #836739 #856835 #856836 #857470 #863741 #885882 #898572 #901715 #935856 #945401 #964182 #984751 #985177 #985348 #989523 #997436 Cross-References: CVE-2007-2052 CVE-2008-1721 CVE-2008-2315 CVE-2008-2316 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2011-1521 CVE-2011-3389 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-1752 CVE-2013-1753 CVE-2013-4238 CVE-2014-1912 CVE-2014-4650 CVE-2014-7185 CVE-2016-0772 CVE-2016-1000110 CVE-2016-5636 CVE-2016-5699 CVE-2017-1000158 CVE-2017-18207 CVE-2018-1000030 CVE-2018-1000802 CVE-2018-1060 CVE-2018-1061 
CVE-2018-14647 CVE-2018-20852 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935 CVE-2019-5010 CVE-2019-9636 CVE-2019-9947 CVE-2019-9948
Affected Products:
 SUSE Linux Enterprise Module for Python2 15-SP1
 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
 SUSE Linux Enterprise Module for Desktop Applications 15-SP1
 SUSE Linux Enterprise Module for Desktop Applications 15
 SUSE Linux Enterprise Module for Basesystem 15-SP1
 SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that solves 37 vulnerabilities and has 50 fixes is now available.

Description:

This update for python fixes the following issues:

Updated to version 2.7.17 to unify packages among openSUSE:Factory and SLE versions (bsc#1159035).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
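For an update like this one, which closes 37 CVEs by moving to a new upstream version rather than by a single patch, the practical question after "zypper patch" is whether every package from the advisory's package list is now installed at or above the fixed version. The following is an added example, not SUSE's tooling, that implements RPM's version ordering (the rpmvercmp(3) rules: numeric segments by value, alphabetic segments lexically, '~' sorting before and '^' after the end of the string) and compares a constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output against the fixed versions this advisory lists for the Basesystem 15 module. The inventory lines are constructed for the demonstration; the fixed versions are taken from the package list; the code assumes no epoch is set unless an `E:` prefix is present.

```python
import string

# Fixed versions from this advisory's package list for SUSE Linux Enterprise
# Module for Basesystem 15, in the %{NAME} -> %{VERSION}-%{RELEASE} form.
FIXED = {
    "libpython2_7-1_0": "2.7.17-7.32.1",
    "python": "2.7.17-7.32.2",
    "python-base": "2.7.17-7.32.1",
    "python-curses": "2.7.17-7.32.2",
    "python-xml": "2.7.17-7.32.1",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output
# from a host that only partially applied the update (not real host data).
SAMPLE_INVENTORY = """\
bash 4.4-9.10.1
libpython2_7-1_0 2.7.17-7.32.1
python 2.7.17-7.32.2
python-base 2.7.14-7.6.1
python-xml 2.7.14-7.6.1
python-curses 2.7.17-7.32.2
"""


def _alnum(c):
    return c in string.ascii_letters or c in string.digits


def rpmvercmp(a, b):
    """Order two RPM version or release strings like rpmvercmp(3).
    Non-alphanumeric characters only separate segments; numeric segments compare
    by value, alphabetic ones lexically, and a numeric segment beats an alphabetic
    one; '~' sorts before anything (even end of string), '^' after end of string
    but before any other segment. Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde: pre-release marker
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: post-release marker
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        start_a, start_b = i, j
        numeric = ca in string.digits
        kind = string.digits if numeric else string.ascii_letters
        while i < len(a) and a[i] in kind:
            i += 1
        while j < len(b) and b[j] in kind:
            j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:                        # segment types differ: numeric wins
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):     # longer number is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_evr(evr):
    """'[E:]V-R' -> (epoch, version, release); missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def missing_updates(inventory, fixed):
    """Return {name: (installed, fixed)} for packages installed below the
    advisory's version. Advisory packages that are not installed at all are
    not affected and are not reported."""
    outdated = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, _, evr = line.partition(" ")
        if name in fixed and evr_cmp(evr, fixed[name]) < 0:
            outdated[name] = (evr, fixed[name])
    return outdated


if __name__ == "__main__":
    for name, (have, want) in sorted(missing_updates(SAMPLE_INVENTORY, FIXED).items()):
        print(f"{name}: installed {have}, advisory fixes {want}")
```

On a real host, pipe the rpm query output into `missing_updates` in place of the sample; a plain string comparison would get cases like 7.10 versus 7.9 wrong, which is why the segment-wise ordering is needed.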
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-234=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-234=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-234=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-234=1 - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2020-234=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-234=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-234=1 Package List: - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64): python-base-debuginfo-2.7.17-7.32.1 python-base-debugsource-2.7.17-7.32.1 python-curses-2.7.17-7.32.2 python-curses-debuginfo-2.7.17-7.32.2 python-debuginfo-2.7.17-7.32.2 python-debugsource-2.7.17-7.32.2 python-devel-2.7.17-7.32.1 python-gdbm-2.7.17-7.32.2 python-gdbm-debuginfo-2.7.17-7.32.2 python-xml-2.7.17-7.32.1 python-xml-debuginfo-2.7.17-7.32.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): python-debuginfo-2.7.17-7.32.2 python-debugsource-2.7.17-7.32.2 python-demo-2.7.17-7.32.2 python-idle-2.7.17-7.32.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libpython2_7-1_0-32bit-2.7.17-7.32.1 libpython2_7-1_0-32bit-debuginfo-2.7.17-7.32.1 python-32bit-2.7.17-7.32.2 python-32bit-debuginfo-2.7.17-7.32.2 python-base-32bit-2.7.17-7.32.1 python-base-32bit-debuginfo-2.7.17-7.32.1 python-base-debugsource-2.7.17-7.32.1 - 
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
   python-doc-2.7.17-7.32.2
   python-doc-pdf-2.7.17-7.32.2

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
   python-debuginfo-2.7.17-7.32.2
   python-debugsource-2.7.17-7.32.2
   python-demo-2.7.17-7.32.2
   python-idle-2.7.17-7.32.2

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
   python-doc-2.7.17-7.32.2
   python-doc-pdf-2.7.17-7.32.2

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
   python-debuginfo-2.7.17-7.32.2
   python-debugsource-2.7.17-7.32.2
   python-tk-2.7.17-7.32.2
   python-tk-debuginfo-2.7.17-7.32.2

- SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):
   python-debuginfo-2.7.17-7.32.2
   python-debugsource-2.7.17-7.32.2
   python-tk-2.7.17-7.32.2
   python-tk-debuginfo-2.7.17-7.32.2

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
   libpython2_7-1_0-2.7.17-7.32.1
   libpython2_7-1_0-debuginfo-2.7.17-7.32.1
   python-2.7.17-7.32.2
   python-base-2.7.17-7.32.1
   python-base-debuginfo-2.7.17-7.32.1
   python-base-debugsource-2.7.17-7.32.1
   python-debuginfo-2.7.17-7.32.2
   python-debugsource-2.7.17-7.32.2

- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
   libpython2_7-1_0-2.7.17-7.32.1
   libpython2_7-1_0-debuginfo-2.7.17-7.32.1
   python-2.7.17-7.32.2
   python-base-2.7.17-7.32.1
   python-base-debuginfo-2.7.17-7.32.1
   python-base-debugsource-2.7.17-7.32.1
   python-curses-2.7.17-7.32.2
   python-curses-debuginfo-2.7.17-7.32.2
   python-debuginfo-2.7.17-7.32.2
   python-debugsource-2.7.17-7.32.2
   python-devel-2.7.17-7.32.1
   python-gdbm-2.7.17-7.32.2
   python-gdbm-debuginfo-2.7.17-7.32.2
   python-xml-2.7.17-7.32.1
   python-xml-debuginfo-2.7.17-7.32.1

References:

   https://www.suse.com/security/cve/CVE-2007-2052.html
   https://www.suse.com/security/cve/CVE-2008-1721.html
   https://www.suse.com/security/cve/CVE-2008-2315.html
   https://www.suse.com/security/cve/CVE-2008-2316.html
   https://www.suse.com/security/cve/CVE-2008-3142.html
   https://www.suse.com/security/cve/CVE-2008-3143.html
   https://www.suse.com/security/cve/CVE-2008-3144.html
   https://www.suse.com/security/cve/CVE-2011-1521.html
   https://www.suse.com/security/cve/CVE-2011-3389.html
   https://www.suse.com/security/cve/CVE-2011-4944.html
   https://www.suse.com/security/cve/CVE-2012-0845.html
   https://www.suse.com/security/cve/CVE-2012-1150.html
   https://www.suse.com/security/cve/CVE-2013-1752.html
   https://www.suse.com/security/cve/CVE-2013-1753.html
   https://www.suse.com/security/cve/CVE-2013-4238.html
   https://www.suse.com/security/cve/CVE-2014-1912.html
   https://www.suse.com/security/cve/CVE-2014-4650.html
   https://www.suse.com/security/cve/CVE-2014-7185.html
   https://www.suse.com/security/cve/CVE-2016-0772.html
   https://www.suse.com/security/cve/CVE-2016-1000110.html
   https://www.suse.com/security/cve/CVE-2016-5636.html
   https://www.suse.com/security/cve/CVE-2016-5699.html
   https://www.suse.com/security/cve/CVE-2017-1000158.html
   https://www.suse.com/security/cve/CVE-2017-18207.html
   https://www.suse.com/security/cve/CVE-2018-1000030.html
   https://www.suse.com/security/cve/CVE-2018-1000802.html
   https://www.suse.com/security/cve/CVE-2018-1060.html
   https://www.suse.com/security/cve/CVE-2018-1061.html
   https://www.suse.com/security/cve/CVE-2018-14647.html
   https://www.suse.com/security/cve/CVE-2018-20852.html
   https://www.suse.com/security/cve/CVE-2019-10160.html
   https://www.suse.com/security/cve/CVE-2019-16056.html
   https://www.suse.com/security/cve/CVE-2019-16935.html
   https://www.suse.com/security/cve/CVE-2019-5010.html
   https://www.suse.com/security/cve/CVE-2019-9636.html
   https://www.suse.com/security/cve/CVE-2019-9947.html
   https://www.suse.com/security/cve/CVE-2019-9948.html
   https://bugzilla.suse.com/1027282
   https://bugzilla.suse.com/1041090
   https://bugzilla.suse.com/1042670
   https://bugzilla.suse.com/1068664
   https://bugzilla.suse.com/1073269
   https://bugzilla.suse.com/1073748
   https://bugzilla.suse.com/1078326
   https://bugzilla.suse.com/1078485
   https://bugzilla.suse.com/1079300
   https://bugzilla.suse.com/1081750
   https://bugzilla.suse.com/1083507
   https://bugzilla.suse.com/1084650
   https://bugzilla.suse.com/1086001
   https://bugzilla.suse.com/1088004
   https://bugzilla.suse.com/1088009
   https://bugzilla.suse.com/1109847
   https://bugzilla.suse.com/1111793
   https://bugzilla.suse.com/1113755
   https://bugzilla.suse.com/1122191
   https://bugzilla.suse.com/1129346
   https://bugzilla.suse.com/1130840
   https://bugzilla.suse.com/1130847
   https://bugzilla.suse.com/1138459
   https://bugzilla.suse.com/1141853
   https://bugzilla.suse.com/1149792
   https://bugzilla.suse.com/1149955
   https://bugzilla.suse.com/1153238
   https://bugzilla.suse.com/1153830
   https://bugzilla.suse.com/1159035
   https://bugzilla.suse.com/214983
   https://bugzilla.suse.com/298378
   https://bugzilla.suse.com/346490
   https://bugzilla.suse.com/367853
   https://bugzilla.suse.com/379534
   https://bugzilla.suse.com/380942
   https://bugzilla.suse.com/399190
   https://bugzilla.suse.com/406051
   https://bugzilla.suse.com/425138
   https://bugzilla.suse.com/426563
   https://bugzilla.suse.com/430761
   https://bugzilla.suse.com/432677
   https://bugzilla.suse.com/436966
   https://bugzilla.suse.com/437293
   https://bugzilla.suse.com/441088
   https://bugzilla.suse.com/462375
   https://bugzilla.suse.com/525295
   https://bugzilla.suse.com/534721
   https://bugzilla.suse.com/551715
   https://bugzilla.suse.com/572673
   https://bugzilla.suse.com/577032
   https://bugzilla.suse.com/581765
   https://bugzilla.suse.com/603255
   https://bugzilla.suse.com/617751
   https://bugzilla.suse.com/637176
   https://bugzilla.suse.com/638233
   https://bugzilla.suse.com/658604
   https://bugzilla.suse.com/673071
   https://bugzilla.suse.com/682554
   https://bugzilla.suse.com/697251
   https://bugzilla.suse.com/707667
   https://bugzilla.suse.com/718009
   https://bugzilla.suse.com/747125
   https://bugzilla.suse.com/747794
   https://bugzilla.suse.com/751718
   https://bugzilla.suse.com/754447
   https://bugzilla.suse.com/766778
   https://bugzilla.suse.com/794139
   https://bugzilla.suse.com/804978
   https://bugzilla.suse.com/827982
   https://bugzilla.suse.com/831442
   https://bugzilla.suse.com/834601
   https://bugzilla.suse.com/836739
   https://bugzilla.suse.com/856835
   https://bugzilla.suse.com/856836
   https://bugzilla.suse.com/857470
   https://bugzilla.suse.com/863741
   https://bugzilla.suse.com/885882
   https://bugzilla.suse.com/898572
   https://bugzilla.suse.com/901715
   https://bugzilla.suse.com/935856
   https://bugzilla.suse.com/945401
   https://bugzilla.suse.com/964182
   https://bugzilla.suse.com/984751
   https://bugzilla.suse.com/985177
   https://bugzilla.suse.com/985348
   https://bugzilla.suse.com/989523
   https://bugzilla.suse.com/997436

From sle-updates at lists.suse.com Fri Jan 24 13:22:29 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 24 Jan 2020 21:22:29 +0100 (CET)
Subject: SUSE-RU-2020:0232-1: Recommended update for brotli
Message-ID: <20200124202229.C295CFC56@maintenance.suse.de>

SUSE Recommended Update: Recommended update for brotli
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0232-1
Rating:             low
References:         #1161104
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that has one recommended fix can now be installed.
Description:

This update for brotli fixes the following issues:

- Added missing libbrotlicommon1 and libbrotlidec1 Requires to the devel subpackage (bsc#1161104).

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
   zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-232=1

- SUSE Linux Enterprise Server 15-LTSS:
   zypper in -t patch SUSE-SLE-Product-SLES-15-2020-232=1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
   zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-232=1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
   zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-232=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-232=1

- SUSE Linux Enterprise Module for Basesystem 15:
   zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-232=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:
   zypper in -t patch SUSE-SLE-Product-HPC-15-2020-232=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
   zypper in -t patch SUSE-SLE-Product-HPC-15-2020-232=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
   brotli-debuginfo-1.0.2-3.3.1
   brotli-debugsource-1.0.2-3.3.1
   libbrotli-devel-1.0.2-3.3.1
   libbrotlicommon1-1.0.2-3.3.1
   libbrotlicommon1-debuginfo-1.0.2-3.3.1
   libbrotlidec1-1.0.2-3.3.1
   libbrotlidec1-debuginfo-1.0.2-3.3.1
   libbrotlienc1-1.0.2-3.3.1
   libbrotlienc1-debuginfo-1.0.2-3.3.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
   brotli-debuginfo-1.0.2-3.3.1
   brotli-debugsource-1.0.2-3.3.1
   libbrotli-devel-1.0.2-3.3.1
   libbrotlicommon1-1.0.2-3.3.1
   libbrotlicommon1-debuginfo-1.0.2-3.3.1
   libbrotlidec1-1.0.2-3.3.1
   libbrotlidec1-debuginfo-1.0.2-3.3.1
   libbrotlienc1-1.0.2-3.3.1
   libbrotlienc1-debuginfo-1.0.2-3.3.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
   brotli-1.0.2-3.3.1
   brotli-debuginfo-1.0.2-3.3.1
   brotli-debugsource-1.0.2-3.3.1
   libbrotlidec1-1.0.2-3.3.1
   libbrotlidec1-debuginfo-1.0.2-3.3.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
   brotli-1.0.2-3.3.1
   brotli-debuginfo-1.0.2-3.3.1
   brotli-debugsource-1.0.2-3.3.1
   libbrotlidec1-1.0.2-3.3.1
   libbrotlidec1-debuginfo-1.0.2-3.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
   brotli-debuginfo-1.0.2-3.3.1
   brotli-debugsource-1.0.2-3.3.1
   libbrotli-devel-1.0.2-3.3.1
   libbrotlicommon1-1.0.2-3.3.1
   libbrotlicommon1-debuginfo-1.0.2-3.3.1
   libbrotlidec1-1.0.2-3.3.1
   libbrotlidec1-debuginfo-1.0.2-3.3.1
   libbrotlienc1-1.0.2-3.3.1
   libbrotlienc1-debuginfo-1.0.2-3.3.1

- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
   brotli-debuginfo-1.0.2-3.3.1
   brotli-debugsource-1.0.2-3.3.1
   libbrotli-devel-1.0.2-3.3.1
   libbrotlicommon1-1.0.2-3.3.1
   libbrotlicommon1-debuginfo-1.0.2-3.3.1
   libbrotlidec1-1.0.2-3.3.1
   libbrotlidec1-debuginfo-1.0.2-3.3.1
   libbrotlienc1-1.0.2-3.3.1
   libbrotlienc1-debuginfo-1.0.2-3.3.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
   brotli-debuginfo-1.0.2-3.3.1
   brotli-debugsource-1.0.2-3.3.1
   libbrotli-devel-1.0.2-3.3.1
   libbrotlicommon1-1.0.2-3.3.1
   libbrotlicommon1-debuginfo-1.0.2-3.3.1
   libbrotlidec1-1.0.2-3.3.1
   libbrotlidec1-debuginfo-1.0.2-3.3.1
   libbrotlienc1-1.0.2-3.3.1
   libbrotlienc1-debuginfo-1.0.2-3.3.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
   brotli-debuginfo-1.0.2-3.3.1
   brotli-debugsource-1.0.2-3.3.1
   libbrotli-devel-1.0.2-3.3.1
   libbrotlicommon1-1.0.2-3.3.1
   libbrotlicommon1-debuginfo-1.0.2-3.3.1
   libbrotlidec1-1.0.2-3.3.1
   libbrotlidec1-debuginfo-1.0.2-3.3.1
   libbrotlienc1-1.0.2-3.3.1
   libbrotlienc1-debuginfo-1.0.2-3.3.1

References:

   https://bugzilla.suse.com/1161104

From sle-updates at lists.suse.com Fri Jan 24 13:23:20 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 24 Jan 2020 21:23:20 +0100 (CET)
Subject: SUSE-SU-2020:0233-1: moderate: Security update for samba
Message-ID: <20200124202320.80636FC56@maintenance.suse.de>

SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0233-1
Rating:             moderate
References:         #1160888
Cross-References:   CVE-2019-14907
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise High Availability 12-SP4
                    SUSE Linux Enterprise High Availability 12-SP3
                    SUSE Linux Enterprise Desktop 12-SP4
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for samba fixes the following issues:

- CVE-2019-14907: Fixed a server-side crash after a charset conversion failure during NTLMSSP processing (bsc#1160888).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
   zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-233=1

- SUSE OpenStack Cloud 8:
   zypper in -t patch SUSE-OpenStack-Cloud-8-2020-233=1

- SUSE Linux Enterprise Software Development Kit 12-SP4:
   zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-233=1

- SUSE Linux Enterprise Server for SAP 12-SP3:
   zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-233=1

- SUSE Linux Enterprise Server 12-SP4:
   zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-233=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:
   zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-233=1

- SUSE Linux Enterprise Server 12-SP3-BCL:
   zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-233=1

- SUSE Linux Enterprise High Availability 12-SP4:
   zypper in -t patch SUSE-SLE-HA-12-SP4-2020-233=1

- SUSE Linux Enterprise High Availability 12-SP3:
   zypper in -t patch SUSE-SLE-HA-12-SP3-2020-233=1

- SUSE Linux Enterprise Desktop 12-SP4:
   zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-233=1

- SUSE Enterprise Storage 5:
   zypper in -t patch SUSE-Storage-5-2020-233=1

- HPE Helion Openstack 8:
   zypper in -t patch HPE-Helion-OpenStack-8-2020-233=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):
   libdcerpc-binding0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE OpenStack Cloud Crowbar 8 (noarch):
   samba-doc-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE OpenStack Cloud 8 (x86_64):
   libdcerpc-binding0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE OpenStack Cloud 8 (noarch):
   samba-doc-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
   libndr-devel-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac-devel-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt-devel-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard-devel-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util-devel-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient-devel-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient-devel-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-core-devel-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
   libdcerpc-binding0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
   libdcerpc-binding0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
   samba-doc-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
   libdcerpc-binding0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):
   libdcerpc-binding0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server 12-SP4 (noarch):
   samba-doc-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
   libdcerpc-binding0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
   libdcerpc-binding0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-krb5pac0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-nbt0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr-standard0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libndr0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libnetapi0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-credentials0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-errors0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-passdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamba-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsamdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbconf0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libsmbldap0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libtevent-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libwbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-client-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
   samba-doc-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
   samba-doc-4.6.16+git.174.c2fd2e28c84-3.49.1

- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
   libdcerpc-binding0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc-binding0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   libdcerpc0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
libdcerpc0-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 
libsamba-hostconfig0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-4.6.16+git.174.c2fd2e28c84-3.49.1 
samba-client-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64): ctdb-4.6.16+git.174.c2fd2e28c84-3.49.1 ctdb-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): ctdb-4.6.16+git.174.c2fd2e28c84-3.49.1 ctdb-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libdcerpc-binding0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc-binding0-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc-binding0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 
libndr-nbt0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 
libsamba-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 
samba-winbind-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 - SUSE Linux Enterprise Desktop 12-SP4 (noarch): samba-doc-4.6.16+git.174.c2fd2e28c84-3.49.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): ctdb-4.6.16+git.174.c2fd2e28c84-3.49.1 ctdb-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc-binding0-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc-binding0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 
libsmbconf0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-ceph-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-ceph-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 - SUSE Enterprise Storage 5 (x86_64): libdcerpc-binding0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 
libsamba-errors0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-libs-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-winbind-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 - SUSE Enterprise Storage 5 (noarch): samba-doc-4.6.16+git.174.c2fd2e28c84-3.49.1 - HPE Helion Openstack 8 (x86_64): libdcerpc-binding0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc-binding0-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc-binding0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-4.6.16+git.174.c2fd2e28c84-3.49.1 
libdcerpc0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libdcerpc0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-krb5pac0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-nbt0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr-standard0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libndr0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libnetapi0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-credentials0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-errors0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-hostconfig0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 
libsamba-passdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-passdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamba-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsamdb0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbconf0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libsmbldap0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libtevent-util0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 libwbclient0-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-4.6.16+git.174.c2fd2e28c84-3.49.1 samba-client-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1 
   samba-client-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-debugsource-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-libs-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-32bit-4.6.16+git.174.c2fd2e28c84-3.49.1
   samba-winbind-debuginfo-4.6.16+git.174.c2fd2e28c84-3.49.1

- HPE Helion Openstack 8 (noarch):
   samba-doc-4.6.16+git.174.c2fd2e28c84-3.49.1

References:

https://www.suse.com/security/cve/CVE-2019-14907.html
https://bugzilla.suse.com/1160888


From sle-updates at lists.suse.com  Mon Jan 27 04:55:05 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 27 Jan 2020 12:55:05 +0100 (CET)
Subject: SUSE-RU-2020:0236-1: moderate: Recommended update for yast2
Message-ID: <20200127115505.BA6E1F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for yast2
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0236-1
Rating:             moderate
References:         #1158946
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Installer 15-SP1
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for yast2 fixes the following issues:

- Yast2::ServiceWidget: By default, propose to reload or restart the service
  when it is active (bsc#1158946).

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-236=1

- SUSE Linux Enterprise Installer 15-SP1:
   zypper in -t patch SUSE-SLE-INSTALLER-15-SP1-2020-236=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
   yast2-4.1.75-3.16.1
   yast2-logs-4.1.75-3.16.1

- SUSE Linux Enterprise Installer 15-SP1 (aarch64 ppc64le s390x x86_64):
   yast2-4.1.75-3.16.1

References:

https://bugzilla.suse.com/1158946


From sle-updates at lists.suse.com  Mon Jan 27 04:55:51 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 27 Jan 2020 12:55:51 +0100 (CET)
Subject: SUSE-RU-2020:0235-1: moderate: Recommended update for crmsh
Message-ID: <20200127115551.99B06F798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for crmsh
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0235-1
Rating:             moderate
References:         #1127095 #1127096 #1129462 #1144241 #1145520 #1154163
Affected Products:
                    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

An update that has 6 recommended fixes can now be installed.

Description:

This update for crmsh fixes the following issues:

- Fix for corosync: Reject appending ipaddress to config file if it already
  has one. (bsc#1127095, bsc#1127096)
- Fix for ui_cluster: Refactoring function 'list_cluster_nodes' and handle
  the 'None' situation properly to avoid possible crash. (bsc#1145520)
- Fixes an issue where the resource failcount was not set correctly
  (bsc#1144241)
- Fixes an issue where the VM resource doesn't get started properly by
  pacemaker (bsc#1129462)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability 15:
   zypper in -t patch SUSE-SLE-Product-HA-15-2020-235=1

Package List:

- SUSE Linux Enterprise High Availability 15 (noarch):
   crmsh-4.1.0+git.1578469492.493d5d62-3.19.1
   crmsh-scripts-4.1.0+git.1578469492.493d5d62-3.19.1

References:

https://bugzilla.suse.com/1127095
https://bugzilla.suse.com/1127096
https://bugzilla.suse.com/1129462
https://bugzilla.suse.com/1144241
https://bugzilla.suse.com/1145520
https://bugzilla.suse.com/1154163


From sle-updates at lists.suse.com  Mon Jan 27 06:54:54 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 27 Jan 2020 14:54:54 +0100 (CET)
Subject: SUSE-RU-2020:0237-1: moderate: Recommended update for saptune
Message-ID: <20200127135454.27FCBF796@maintenance.suse.de>

SUSE Recommended Update: Recommended update for saptune
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0237-1
Rating:             moderate
References:         #1142467 #1142526 #1149002 #1152598 #1159671
Affected Products:
                    SUSE Linux Enterprise Module for SAP Applications 15-SP1
______________________________________________________________________________

An update that has 5 recommended fixes can now be installed.

Description:

This update for saptune fixes the following issues:

- Add function 'delete' and 'rename' to the 'note' operation to manipulate a
  customer or vendor specific note, with confirmation. (jsc#SLE-9283)
- Inform the customer that the command 'saptune note customise [NoteID]' does
  not apply changes immediately but writes the changes into a configuration
  file that can be applied in a second step. (bsc#1142467)
- Add warning to man page, not to rename/remove/modify active configurations.
  (bsc#1149002)
- Implement support of multi-queue I/O scheduler for block devices.
  (bsc#1152598)
- Add missing search pattern to the update helper script to find all old and
  superfluous notes during upgrade from SLE12 to SLE15. (bsc#1142526)
- If a parameter is not supported by the system, the note action 'verify'
  will no longer report this as an error even if the value is not compliant.
  (bsc#1159671)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SAP Applications 15-SP1:
   zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-SP1-2020-237=1

Package List:

- SUSE Linux Enterprise Module for SAP Applications 15-SP1 (ppc64le x86_64):
   saptune-2.0.2-8.8.1
   saptune-debuginfo-2.0.2-8.8.1

References:

https://bugzilla.suse.com/1142467
https://bugzilla.suse.com/1142526
https://bugzilla.suse.com/1149002
https://bugzilla.suse.com/1152598
https://bugzilla.suse.com/1159671


From sle-updates at lists.suse.com  Mon Jan 27 06:56:09 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 27 Jan 2020 14:56:09 +0100 (CET)
Subject: SUSE-RU-2020:0239-1: moderate: Recommended update for saptune
Message-ID: <20200127135609.68617F796@maintenance.suse.de>

SUSE Recommended Update: Recommended update for saptune
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0239-1
Rating:             moderate
References:         #1142467 #1142526 #1149002 #1152598 #1159671
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
______________________________________________________________________________

An update that has 5 recommended fixes can now be installed.

Description:

This update for saptune fixes the following issues:

- Add function 'delete' and 'rename' to the 'note' operation to manipulate a
  customer or vendor specific note, with confirmation. (jsc#SLE-9283)
- Inform the customer that the command 'saptune note customise [NoteID]' does
  not apply changes immediately but writes the changes into a configuration
  file that can be applied in a second step. (bsc#1142467)
- Add warning to man page, not to rename/remove/modify active configurations.
  (bsc#1149002)
- Implement support of multi-queue I/O scheduler for block devices.
  (bsc#1152598)
- Add missing search pattern to the update helper script to find all old and
  superfluous notes during upgrade from SLE12 to SLE15. (bsc#1142526)
- If a parameter is not supported by the system, the note action 'verify'
  will no longer report this as an error even if the value is not compliant.
  (bsc#1159671)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP5:
   zypper in -t patch SUSE-SLE-SAP-12-SP5-2020-239=1

- SUSE Linux Enterprise Server for SAP 12-SP4:
   zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-239=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP5 (ppc64le x86_64):
   saptune-2.0.2-3.8.1
   saptune-debuginfo-2.0.2-3.8.1

- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
   saptune-2.0.2-3.8.1
   saptune-debuginfo-2.0.2-3.8.1

References:

https://bugzilla.suse.com/1142467
https://bugzilla.suse.com/1142526
https://bugzilla.suse.com/1149002
https://bugzilla.suse.com/1152598
https://bugzilla.suse.com/1159671


From sle-updates at lists.suse.com  Mon Jan 27 06:57:23 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 27 Jan 2020 14:57:23 +0100 (CET)
Subject: SUSE-RU-2020:0238-1: moderate: Recommended update for saptune
Message-ID: <20200127135723.03B35F796@maintenance.suse.de>

SUSE Recommended Update: Recommended update for saptune
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0238-1
Rating:             moderate
References:         #1142467 #1142526 #1149002 #1152598 #1159671
Affected Products:
                    SUSE Linux Enterprise Module for SAP Applications 15
______________________________________________________________________________

An update that has 5 recommended fixes can now be installed.

Description:

This update for saptune fixes the following issues:

- Add function 'delete' and 'rename' to the 'note' operation to manipulate a
  customer or vendor specific note, with confirmation. (jsc#SLE-9283)
- Inform the customer that the command 'saptune note customise [NoteID]' does
  not apply changes immediately but writes the changes into a configuration
  file that can be applied in a second step. (bsc#1142467)
- Add warning to man page, not to rename/remove/modify active configurations.
  (bsc#1149002)
- Implement support of multi-queue I/O scheduler for block devices.
  (bsc#1152598)
- Add missing search pattern to the update helper script to find all old and
  superfluous notes during upgrade from SLE12 to SLE15. (bsc#1142526)
- If a parameter is not supported by the system, the note action 'verify'
  will no longer report this as an error even if the value is not compliant.
  (bsc#1159671)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SAP Applications 15:
   zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-2020-238=1

Package List:

- SUSE Linux Enterprise Module for SAP Applications 15 (ppc64le x86_64):
   saptune-2.0.2-4.11.1
   saptune-debuginfo-2.0.2-4.11.1

References:

https://bugzilla.suse.com/1142467
https://bugzilla.suse.com/1142526
https://bugzilla.suse.com/1149002
https://bugzilla.suse.com/1152598
https://bugzilla.suse.com/1159671


From sle-updates at lists.suse.com  Mon Jan 27 13:11:17 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 27 Jan 2020 21:11:17 +0100 (CET)
Subject: SUSE-RU-2020:0240-1: moderate: Recommended update for cloud-init
Message-ID: <20200127201117.63D2EF798@maintenance.suse.de>

SUSE Recommended Update: Recommended update for cloud-init
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0240-1
Rating:             moderate
References:         #1155376 #1156139 #1157894 #1161132 #1161133
Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 15
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________

An update that has 5 recommended fixes can now be installed.

Description:

This update for cloud-init fixes the following issues:

- Fixed an issue where it was not possible to add SSH keys and thus it was
  not possible to log into the system (bsc#1161132, bsc#1161133)
- Fixes an issue where the IPv6 interface variable was not correctly set in
  an ifcfg file (bsc#1156139)
- The route's destination network will now be written in CIDR notation. This
  provides support for correctly recording IPv6 routes (bsc#1155376)
- Many smaller fixes came with this package as well. For a full list of all
  changes, refer to the rpm's changes file.
Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2020-240=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-240=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15 (aarch64 ppc64le s390x x86_64):

      cloud-init-19.4-5.21.1
      cloud-init-config-suse-19.4-5.21.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      cloud-init-doc-19.4-5.21.1

References:

   https://bugzilla.suse.com/1155376
   https://bugzilla.suse.com/1156139
   https://bugzilla.suse.com/1157894
   https://bugzilla.suse.com/1161132
   https://bugzilla.suse.com/1161133


From sle-updates at lists.suse.com  Tue Jan 28 04:12:12 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 12:12:12 +0100 (CET)
Subject: SUSE-RU-2020:0242-1: moderate: Recommended update for saptune
Message-ID: <20200128111212.62D9DF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for saptune
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0242-1
Rating:             moderate
References:         #1142467 #1142526 #1149002 #1152598 #1159671
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP3
______________________________________________________________________________

   An update that has 5 recommended fixes can now be installed.

Description:

   This update for saptune fixes the following issues:

   - Add function 'delete' and 'rename' to the 'note' operation to manipulate a
     customer or vendor specific note, with confirmation. (jsc#SLE-9283)
   - Inform the customer that the command 'saptune note customise [NoteID]'
     does not apply changes immediately but writes the changes into a
     configuration file that can be applied in a second step. (bsc#1142467)
   - Add warning to man page, not to rename/remove/modify active
     configurations. (bsc#1149002)
   - Implement support of multi-queue I/O scheduler for block devices.
     (bsc#1152598)
   - Add missing search pattern to the update helper script to find all old and
     superfluous notes during upgrade from SLE12 to SLE15. (bsc#1142526)
   - If a parameter is not supported by the system, the note action 'verify'
     will no longer report this as an error even if the value is not compliant.
     (bsc#1159671)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-242=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      saptune-2.0.2-3.21.1
      saptune-debuginfo-2.0.2-3.21.1

References:

   https://bugzilla.suse.com/1142467
   https://bugzilla.suse.com/1142526
   https://bugzilla.suse.com/1149002
   https://bugzilla.suse.com/1152598
   https://bugzilla.suse.com/1159671


From sle-updates at lists.suse.com  Tue Jan 28 05:52:06 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 13:52:06 +0100 (CET)
Subject: SUSE-RU-2020:0243-1: moderate: Recommended update for saptune
Message-ID: <20200128125206.45156F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for saptune
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0243-1
Rating:             moderate
References:         #1142467 #1142526 #1149002 #1152598 #1159671
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP2
______________________________________________________________________________

   An update that has 5 recommended fixes can now be installed.

Description:

   This update for saptune fixes the following issues:

   - Add function 'delete' and 'rename' to the 'note' operation to manipulate a
     customer or vendor specific note, with confirmation. (jsc#SLE-9283)
   - Inform the customer that the command 'saptune note customise [NoteID]'
     does not apply changes immediately but writes the changes into a
     configuration file that can be applied in a second step. (bsc#1142467)
   - Add warning to man page, not to rename/remove/modify active
     configurations. (bsc#1149002)
   - Implement support of multi-queue I/O scheduler for block devices.
     (bsc#1152598)
   - Add missing search pattern to the update helper script to find all old and
     superfluous notes during upgrade from SLE12 to SLE15. (bsc#1142526)
   - If a parameter is not supported by the system, the note action 'verify'
     will no longer report this as an error even if the value is not compliant.
     (bsc#1159671)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-243=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      saptune-2.0.2-8.21.1
      saptune-debuginfo-2.0.2-8.21.1

References:

   https://bugzilla.suse.com/1142467
   https://bugzilla.suse.com/1142526
   https://bugzilla.suse.com/1149002
   https://bugzilla.suse.com/1152598
   https://bugzilla.suse.com/1159671


From sle-updates at lists.suse.com  Tue Jan 28 05:53:14 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 13:53:14 +0100 (CET)
Subject: SUSE-RU-2020:0244-1: moderate: Recommended update for cloud-init
Message-ID: <20200128125314.CBE46F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for cloud-init
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0244-1
Rating:             moderate
References:         #1155376 #1156139 #1157894 #1161132 #1161133
Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE CaaS Platform 3.0
______________________________________________________________________________

   An update that has 5 recommended fixes can now be installed.

Description:

   This update for cloud-init fixes the following issues:

   - Fixed an issue where it was not possible to add SSH keys and thus it was
     not possible to log into the system (bsc#1161132, bsc#1161133)
   - Fixes an issue where the IPv6 interface variable was not correctly set in
     an ifcfg file (bsc#1156139)
   - The route's destination network will now be written in CIDR notation.
     This provides support for correctly recording IPv6 routes (bsc#1155376)
   - Many smaller fixes came with this package as well. For a full list of all
     changes, refer to the rpm's changes file.

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-244=1

   - SUSE CaaS Platform 3.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard.
      It will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 12 (aarch64 ppc64le s390x x86_64):

      cloud-init-19.4-37.36.1
      cloud-init-config-suse-19.4-37.36.1

   - SUSE CaaS Platform 3.0 (x86_64):

      cloud-init-19.4-37.36.1

References:

   https://bugzilla.suse.com/1155376
   https://bugzilla.suse.com/1156139
   https://bugzilla.suse.com/1157894
   https://bugzilla.suse.com/1161132
   https://bugzilla.suse.com/1161133


From sle-updates at lists.suse.com  Tue Jan 28 05:56:45 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 13:56:45 +0100 (CET)
Subject: SUSE-RU-2020:0245-1: moderate: Recommended update for cloud-init
Message-ID: <20200128125645.1944FF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for cloud-init
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0245-1
Rating:             moderate
References:         #1155376 #1156139 #1157894 #1161132 #1161133
Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
______________________________________________________________________________

   An update that has 5 recommended fixes can now be installed.

Description:

   This update for cloud-init fixes the following issues:

   - Fixed an issue where it was not possible to add SSH keys and thus it was
     not possible to log into the system (bsc#1161132, bsc#1161133)
   - Fixes an issue where the IPv6 interface variable was not correctly set in
     an ifcfg file (bsc#1156139)
   - The route's destination network will now be written in CIDR notation.
     This provides support for correctly recording IPv6 routes (bsc#1155376)
   - Many smaller fixes came with this package as well. For a full list of all
     changes, refer to the rpm's changes file.

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-245=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-245=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (aarch64 ppc64le s390x x86_64):

      cloud-init-19.4-8.14.1
      cloud-init-config-suse-19.4-8.14.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      cloud-init-doc-19.4-8.14.1

References:

   https://bugzilla.suse.com/1155376
   https://bugzilla.suse.com/1156139
   https://bugzilla.suse.com/1157894
   https://bugzilla.suse.com/1161132
   https://bugzilla.suse.com/1161133


From sle-updates at lists.suse.com  Tue Jan 28 05:57:56 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 13:57:56 +0100 (CET)
Subject: SUSE-RU-2020:0246-1: moderate: Recommended update for crmsh
Message-ID: <20200128125756.70ECFF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for crmsh
______________________________________________________________________________

Announcement ID:
                    SUSE-RU-2020:0246-1
Rating:             moderate
References:         #1127095 #1127096 #1129462 #1144241 #1145520 #1154163
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

   An update that has 6 recommended fixes can now be installed.

Description:

   This update for crmsh fixes the following issues:

   - Fix for 'corosync': Reject appending an IP address to the config file if
     it already has one. (bsc#1127095, bsc#1127096)
   - Fix for 'ui_cluster': Refactor function 'list_cluster_nodes' and handle
     the 'None' situation. (bsc#1145520)
   - Fix for 'ui_resource': Set failcount correctly and clean it properly.
     (bsc#1144241)
   - Fix for 'crmsh.spec': The regression test now uses mktemp to create its
     temporary file. (bsc#1154163)
   - Fix for 'bootstrap': Set the placement-strategy value to 'default' instead
     of 'balanced' and let the VM be controlled by pacemaker. (bsc#1129462)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP5:

      zypper in -t patch SUSE-SLE-HA-12-SP5-2020-246=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2020-246=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP5 (noarch):

      crmsh-4.1.0+git.1578469492.493d5d62-2.19.1
      crmsh-scripts-4.1.0+git.1578469492.493d5d62-2.19.1

   - SUSE Linux Enterprise High Availability 12-SP4 (noarch):

      crmsh-4.1.0+git.1578469492.493d5d62-2.19.1
      crmsh-scripts-4.1.0+git.1578469492.493d5d62-2.19.1

References:

   https://bugzilla.suse.com/1127095
   https://bugzilla.suse.com/1127096
   https://bugzilla.suse.com/1129462
   https://bugzilla.suse.com/1144241
   https://bugzilla.suse.com/1145520
   https://bugzilla.suse.com/1154163


From sle-updates at lists.suse.com  Tue Jan 28 07:16:13 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 15:16:13 +0100 (CET)
Subject: SUSE-SU-2020:0247-1: important: Security update for nodejs6
Message-ID: <20200128141613.6F6E1F79E@maintenance.suse.de>

   SUSE Security Update: Security update for nodejs6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0247-1
Rating:             important
References:         #1159352
Cross-References:   CVE-2019-16775 CVE-2019-16776 CVE-2019-16777
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for nodejs6 to version 6.17.1 fixes the following issues:

   Security issues fixed:

   - CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated npm to 6.13.4,
     fixing an arbitrary path overwrite and access via the "bin" field
     (bsc#1159352).
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-247=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-247=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-247=1

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-247=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      nodejs6-6.17.1-11.30.1
      nodejs6-debuginfo-6.17.1-11.30.1
      nodejs6-debugsource-6.17.1-11.30.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      nodejs6-6.17.1-11.30.1
      nodejs6-debuginfo-6.17.1-11.30.1
      nodejs6-debugsource-6.17.1-11.30.1

   - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

      nodejs6-6.17.1-11.30.1
      nodejs6-debuginfo-6.17.1-11.30.1
      nodejs6-debugsource-6.17.1-11.30.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):

      nodejs6-6.17.1-11.30.1
      nodejs6-debuginfo-6.17.1-11.30.1
      nodejs6-debugsource-6.17.1-11.30.1
      nodejs6-devel-6.17.1-11.30.1
      npm6-6.17.1-11.30.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):

      nodejs6-docs-6.17.1-11.30.1

References:

   https://www.suse.com/security/cve/CVE-2019-16775.html
   https://www.suse.com/security/cve/CVE-2019-16776.html
   https://www.suse.com/security/cve/CVE-2019-16777.html
   https://bugzilla.suse.com/1159352


From sle-updates at lists.suse.com  Tue Jan 28 10:13:24 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 18:13:24 +0100 (CET)
Subject: SUSE-RU-2020:0248-1: moderate: Recommended update for suse-migration-services
Message-ID: <20200128171324.A09B1F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for suse-migration-services
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0248-1
Rating:             moderate
References:         #1155192 #1156068
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for suse-migration-services fixes the following issues:

   - Add support for LVM managed storage devices (bsc#1156068)
     Logical Volume Manager storage requires a service to activate and mount
     the required volumes. This fix provides the required service.
   - Fix registration checks and migration failure from SLES12-SP4 to
     SLES15-SP1 (bsc#1155192)
     The migration config file now has a schema validation that checks the
     config file before the migration process is executed. As there could be
     different targets (SLES, SLES_SAP, etc.), the migration system auto
     detects the migration product instead of requiring the target to be set
     in the custom file.
   - Update documentation and logs provided by the migration tool

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-248=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      suse-migration-services-2.0.4-1.12.1

References:

   https://bugzilla.suse.com/1155192
   https://bugzilla.suse.com/1156068


From sle-updates at lists.suse.com  Tue Jan 28 11:27:19 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 19:27:19 +0100 (CET)
Subject: SUSE-CU-2020:26-1: Recommended update of suse/sle15
Message-ID: <20200128182719.E7A32FC56@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:26-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.136
Container Release     : 4.22.136
Severity              : moderate
Type                  : recommended
References            : 1158830
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released:    Fri Jan 24 06:49:07 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830

Description:
This update for procps fixes the following issues:

- Fix for 'ps -C' so that it accepts arguments longer than 15 characters again.
  (bsc#1158830)


From sle-updates at lists.suse.com  Tue Jan 28 11:30:10 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 19:30:10 +0100 (CET)
Subject: SUSE-CU-2020:27-1: Recommended update of suse/sle15
Message-ID: <20200128183010.EAE67F79E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:27-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.148
Container Release     : 6.2.148
Severity              : moderate
Type                  : recommended
References            : 1158830
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released:    Fri Jan 24 06:49:07 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830

Description:
This update for procps fixes the following issues:

- Fix for 'ps -C' so that it accepts arguments longer than 15 characters again.
  (bsc#1158830)


From sle-updates at lists.suse.com  Tue Jan 28 11:31:33 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 19:31:33 +0100 (CET)
Subject: SUSE-CU-2020:28-1: Recommended update of suse/sles12sp5
Message-ID: <20200128183133.D7D74F79E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:28-1
Container Tags        : suse/sles12sp5:5.2.278 , suse/sles12sp5:latest
Container Release     : 5.2.278
Severity              : moderate
Type                  : recommended
References            : 1084934 1115020 1118364 1128246 1149127 1157794 910904
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:227-1
Released:    Fri Jan 24 09:24:11 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1084934,1115020,1118364,1128246,1149127,1157794,910904

Description:
This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc, that is, replace up-history
  with previous-history, down-history with next-history and
  backward-delete-word with backward-kill-word. (bsc#1084934)
- Reduce the list in /opt/* to gnome, kde4, and kde3. (bsc#910904, bsc#1149127)
- Update logic for the JRE_HOME variable. (bsc#1128246)
- Restore old position of ssh/sudo source of profile. (bsc#1118364)
- Revert 'Avoid NAT on Bridges. Bridges are L2 devices, really.' (bsc#1115020)
- Generalize testing for JVM system variables, supporting other shells when
  creating the java path. (boo#1157794)


From sle-updates at lists.suse.com  Tue Jan 28 11:37:33 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 19:37:33 +0100 (CET)
Subject: SUSE-CU-2020:29-1: Recommended update of suse/sles12sp4
Message-ID: <20200128183733.850DDF79E@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:29-1
Container Tags        : suse/sles12sp4:26.127 , suse/sles12sp4:latest
Container Release     : 26.127
Severity              : moderate
Type                  : recommended
References            : 1084934 1115020 1118364 1128246 1149127 1157794 910904
-----------------------------------------------------------------

The container suse/sles12sp4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:227-1
Released:    Fri Jan 24 09:24:11 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1084934,1115020,1118364,1128246,1149127,1157794,910904

Description:
This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc, that is, replace up-history
  with previous-history, down-history with next-history and
  backward-delete-word with backward-kill-word. (bsc#1084934)
- Reduce the list in /opt/* to gnome, kde4, and kde3. (bsc#910904, bsc#1149127)
- Update logic for the JRE_HOME variable. (bsc#1128246)
- Restore old position of ssh/sudo source of profile. (bsc#1118364)
- Revert 'Avoid NAT on Bridges. Bridges are L2 devices, really.' (bsc#1115020)
- Generalize testing for JVM system variables, supporting other shells when
  creating the java path. (boo#1157794)


From sle-updates at lists.suse.com  Tue Jan 28 13:11:14 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 21:11:14 +0100 (CET)
Subject: SUSE-SU-2020:0251-1: moderate: Security update for aws-cli
Message-ID: <20200128201114.6F0D8F798@maintenance.suse.de>

   SUSE Security Update: Security update for aws-cli
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0251-1
Rating:             moderate
References:         #1092493 #1105988 #1118021 #1118024 #1118099
Cross-References:   CVE-2018-15869
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Module for Public Cloud 12
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes is now available.
Description:

   This update for aws-cli to version 1.16.297 fixes the following issues:

   Security issue fixed:

   - CVE-2018-15869: Fixed a permission handling issue where an unexpected AMI
     could potentially be used (bsc#1105988).

   Non-security issues fixed:

   - Fixed an issue with the CLI client, where a ModuleNotFoundError was
     triggered (bsc#1092493).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-251=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-251=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-251=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-251=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      aws-cli-1.16.297-22.11.1

   - SUSE OpenStack Cloud 8 (noarch):

      aws-cli-1.16.297-22.11.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (noarch):

      aws-cli-1.16.297-22.11.1

   - HPE Helion Openstack 8 (noarch):

      aws-cli-1.16.297-22.11.1

References:

   https://www.suse.com/security/cve/CVE-2018-15869.html
   https://bugzilla.suse.com/1092493
   https://bugzilla.suse.com/1105988
   https://bugzilla.suse.com/1118021
   https://bugzilla.suse.com/1118024
   https://bugzilla.suse.com/1118099


From sle-updates at lists.suse.com  Tue Jan 28 13:12:25 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 21:12:25 +0100 (CET)
Subject: SUSE-RU-2020:0252-1: moderate: Recommended update for ucode-intel
Message-ID: <20200128201225.DB83FF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for ucode-intel
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0252-1
Rating:             moderate
References:         #1160478
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Linux Enterprise Desktop 12-SP4
                    SUSE Enterprise Storage 5
                    SUSE CaaS Platform 3.0
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for ucode-intel fixes the following issues:

   Reverted the Skylake Server Intel microcode below to 0x02000064 due to
   occasional faults during warm-boot (bsc#1160478):

   - SKX-SP H0/M0/U0 6-55-4/b7 02000064->02000065 Xeon Scalable

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-252=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-252=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-252=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-252=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-252=1

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-252=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-252=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-252=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-252=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-252=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-252=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-252=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-252=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-252=1

   - SUSE CaaS Platform 3.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard.
      It will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-252=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE OpenStack Cloud 8 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE OpenStack Cloud 7 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Linux Enterprise Server 12-SP4 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE Enterprise Storage 5 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - SUSE CaaS Platform 3.0 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

   - HPE Helion Openstack 8 (x86_64):

      ucode-intel-20191115-13.62.1
      ucode-intel-debuginfo-20191115-13.62.1
      ucode-intel-debugsource-20191115-13.62.1

References:

   https://bugzilla.suse.com/1160478


From sle-updates at lists.suse.com  Tue Jan 28 13:13:08 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 28 Jan 2020 21:13:08 +0100 (CET)
Subject: SUSE-RU-2020:0250-1: moderate: Recommended update for SUSE Manager Proxy 3.2
Message-ID: <20200128201308.87101F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for SUSE Manager Proxy 3.2
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0250-1
Rating:             moderate
References:         #1113160 #1146683 #1148352 #1158002 #1158799 #1158818 #1159492
Affected Products:
                    SUSE Manager Proxy 3.2
______________________________________________________________________________

   An update that has 7 recommended fixes can now be installed.

Description:

   This update fixes the following issues:

   jabberd:

   - SQL scripts are now placed at /etc/jabberd/scripts to make jabberd
     compatible with JeOS (bsc#1148352)

   spacewalk-backend:

   - Do not break communication between 3.2 and 4.0 client tools (bsc#1158799)
   - Fix problems with Package Hub repos having multiple rpms with the same
     NEVRA but different checksums (bsc#1146683)

   spacewalk-certs-tools:

   - Add additional minion options to the config file when generated by the
     bootstrap script (bsc#1159492)
   - Fix bootstrap script generator to work with the Expanded Support 8 product
     (bsc#1158002)

   spacewalk-client-tools:

   - Skip dmidecode data on aarch64 to prevent a coredump (bsc#1113160)

   spacewalk-proxy:

   - Fix problems with Package Hub repos having multiple rpms with the same
     NEVRA but different checksums (bsc#1146683)

   spacewalk-setup-jabberd:

   - SQL scripts are now placed at /etc/jabberd/scripts to make jabberd
     compatible with JeOS (bsc#1148352)

   spacewalk-web:

   - Fix ordering by date (bsc#1158818)

   How to apply this update:

   1. Log in as root user to the SUSE Manager proxy.
   2. Stop the proxy service:
      spacewalk-proxy stop
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service:
      spacewalk-proxy start

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Manager Proxy 3.2: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-250=1 Package List: - SUSE Manager Proxy 3.2 (noarch): python2-spacewalk-certs-tools-2.8.8.13-3.20.2 python2-spacewalk-check-2.8.22.6-3.9.2 python2-spacewalk-client-setup-2.8.22.6-3.9.2 python2-spacewalk-client-tools-2.8.22.6-3.9.2 spacewalk-backend-2.8.57.21-3.45.3 spacewalk-backend-libs-2.8.57.21-3.45.3 spacewalk-base-minimal-2.8.7.22-3.42.2 spacewalk-base-minimal-config-2.8.7.22-3.42.2 spacewalk-certs-tools-2.8.8.13-3.20.2 spacewalk-check-2.8.22.6-3.9.2 spacewalk-client-setup-2.8.22.6-3.9.2 spacewalk-client-tools-2.8.22.6-3.9.2 spacewalk-proxy-broker-2.8.5.7-3.14.2 spacewalk-proxy-common-2.8.5.7-3.14.2 spacewalk-proxy-management-2.8.5.7-3.14.2 spacewalk-proxy-package-manager-2.8.5.7-3.14.2 spacewalk-proxy-redirect-2.8.5.7-3.14.2 spacewalk-proxy-salt-2.8.5.7-3.14.2 spacewalk-setup-jabberd-2.8.5.2-3.3.2 susemanager-web-libs-2.8.7.22-3.42.2 - SUSE Manager Proxy 3.2 (x86_64): jabberd-2.6.1-4.3.2 jabberd-db-2.6.1-4.3.2 jabberd-db-debuginfo-2.6.1-4.3.2 jabberd-debuginfo-2.6.1-4.3.2 jabberd-debugsource-2.6.1-4.3.2 jabberd-sqlite-2.6.1-4.3.2 jabberd-sqlite-debuginfo-2.6.1-4.3.2 References: https://bugzilla.suse.com/1113160 https://bugzilla.suse.com/1146683 https://bugzilla.suse.com/1148352 https://bugzilla.suse.com/1158002 https://bugzilla.suse.com/1158799 https://bugzilla.suse.com/1158818 https://bugzilla.suse.com/1159492 From sle-updates at lists.suse.com Tue Jan 28 13:14:44 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 28 Jan 2020 21:14:44 +0100 (CET) Subject: SUSE-RU-2020:0250-1: moderate: Recommended update for SUSE Manager Server 3.2 Message-ID: <20200128201444.77E5BF798@maintenance.suse.de> SUSE Recommended Update: Recommended update for SUSE Manager Server 3.2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0250-1 Rating: 
moderate References: #1113160 #1121640 #1129243 #1134708 #1134860 #1146683 #1148352 #1154246 #1157034 #1158002 #1158480 #1158799 #1158818 #1158963 #1159492 Affected Products: SUSE Manager Server 3.2 SUSE Manager Proxy 3.2 ______________________________________________________________________________ An update that has 15 recommended fixes can now be installed. Description: This update fixes the following issues: jabberd: - SQL scripts are now placed at /etc/jabberd/scripts to make jabberd compatible with JeOS (bsc#1148352) spacecmd: - Replace iteritems with items for python2/3 compat (bsc#1129243) spacewalk-backend: - Do not break communication between 3.2 and 4.0 client tools (bsc#1158799) - Fix problems with Package Hub repos having multiple rpms with same NEVRA but different checksums (bsc#1146683) spacewalk-certs-tools: - Add additional minion options to configfile when generated by bootstrap script (bsc#1159492) - Fix bootstrap script generator to work with Expanded Support 8 product (bsc#1158002) spacewalk-client-tools: - Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160) spacewalk-java: - Fix container image import (bsc#1154246) - Generate metadata with empty vendor (bsc#1158480) - Prevent Package List Refresh actions to stay pending forever (bsc#1157034) - Fqdns are coming from salt network module instead of fqdns grain (bsc#1134860) - Fix problems with Package Hub repos having multiple rpms with same NEVRA but different checksums (bsc#1146683) spacewalk-setup-jabberd: - SQL scripts are now placed at /etc/jabberd/scripts to make jabberd compatible with JeOS (bsc#1148352) spacewalk-web: - Fix ordering by date (bsc#1158818) susemanager: - Show help message when missing sub-command in mgr-sync call (bsc#1134708) - Fix product id of SLES12 SP5 x86_64 and remove never released SLED product (bsc#1158963) - Add bootstrap-repo data for SLE12 SP5 Family (bsc#1158963) - Add bootstrap repo for RHEL 8 and ES 8 susemanager-schema: - Generate metadata with 
empty vendor (bsc#1158480) - Prevent SELECT INSTR error in Postgres logs every minute (bsc#1157034) susemanager-sls: - Split remove_traditional_stack into two parts. One for all systems and another for clients not being a Uyuni Server or Proxy (bsc#1121640) - Configure GPG keys and SSL Certificates for RHEL8 and ES8 How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: spacewalk-service stop 3. Apply the patch using either zypper patch or YaST Online Update. 4. Upgrade the database schema: spacewalk-schema-upgrade 5. Start the Spacewalk service: spacewalk-service start Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 3.2: zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-250=1 - SUSE Manager Proxy 3.2: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-250=1 Package List: - SUSE Manager Server 3.2 (ppc64le s390x x86_64): jabberd-2.6.1-4.3.2 jabberd-db-2.6.1-4.3.2 jabberd-db-debuginfo-2.6.1-4.3.2 jabberd-debuginfo-2.6.1-4.3.2 jabberd-debugsource-2.6.1-4.3.2 jabberd-sqlite-2.6.1-4.3.2 jabberd-sqlite-debuginfo-2.6.1-4.3.2 susemanager-3.2.22-3.37.2 susemanager-tools-3.2.22-3.37.2 - SUSE Manager Server 3.2 (noarch): python2-spacewalk-certs-tools-2.8.8.13-3.20.2 python2-spacewalk-client-tools-2.8.22.6-3.9.2 spacecmd-2.8.25.13-3.29.2 spacewalk-backend-2.8.57.21-3.45.3 spacewalk-backend-app-2.8.57.21-3.45.3 spacewalk-backend-applet-2.8.57.21-3.45.3 spacewalk-backend-config-files-2.8.57.21-3.45.3 spacewalk-backend-config-files-common-2.8.57.21-3.45.3 spacewalk-backend-config-files-tool-2.8.57.21-3.45.3 spacewalk-backend-iss-2.8.57.21-3.45.3 spacewalk-backend-iss-export-2.8.57.21-3.45.3 spacewalk-backend-libs-2.8.57.21-3.45.3 spacewalk-backend-package-push-server-2.8.57.21-3.45.3 spacewalk-backend-server-2.8.57.21-3.45.3 
spacewalk-backend-sql-2.8.57.21-3.45.3 spacewalk-backend-sql-oracle-2.8.57.21-3.45.3 spacewalk-backend-sql-postgresql-2.8.57.21-3.45.3 spacewalk-backend-tools-2.8.57.21-3.45.3 spacewalk-backend-xml-export-libs-2.8.57.21-3.45.3 spacewalk-backend-xmlrpc-2.8.57.21-3.45.3 spacewalk-base-2.8.7.22-3.42.2 spacewalk-base-minimal-2.8.7.22-3.42.2 spacewalk-base-minimal-config-2.8.7.22-3.42.2 spacewalk-certs-tools-2.8.8.13-3.20.2 spacewalk-client-tools-2.8.22.6-3.9.2 spacewalk-html-2.8.7.22-3.42.2 spacewalk-java-2.8.78.27-3.44.2 spacewalk-java-config-2.8.78.27-3.44.2 spacewalk-java-lib-2.8.78.27-3.44.2 spacewalk-java-oracle-2.8.78.27-3.44.2 spacewalk-java-postgresql-2.8.78.27-3.44.2 spacewalk-setup-jabberd-2.8.5.2-3.3.2 spacewalk-taskomatic-2.8.78.27-3.44.2 susemanager-schema-3.2.23-3.37.2 susemanager-sls-3.2.29-3.41.2 susemanager-web-libs-2.8.7.22-3.42.2 - SUSE Manager Proxy 3.2 (noarch): python2-spacewalk-certs-tools-2.8.8.13-3.20.2 python2-spacewalk-check-2.8.22.6-3.9.2 python2-spacewalk-client-setup-2.8.22.6-3.9.2 python2-spacewalk-client-tools-2.8.22.6-3.9.2 spacewalk-backend-2.8.57.21-3.45.3 spacewalk-backend-libs-2.8.57.21-3.45.3 spacewalk-base-minimal-2.8.7.22-3.42.2 spacewalk-base-minimal-config-2.8.7.22-3.42.2 spacewalk-certs-tools-2.8.8.13-3.20.2 spacewalk-check-2.8.22.6-3.9.2 spacewalk-client-setup-2.8.22.6-3.9.2 spacewalk-client-tools-2.8.22.6-3.9.2 spacewalk-proxy-broker-2.8.5.7-3.14.2 spacewalk-proxy-common-2.8.5.7-3.14.2 spacewalk-proxy-management-2.8.5.7-3.14.2 spacewalk-proxy-package-manager-2.8.5.7-3.14.2 spacewalk-proxy-redirect-2.8.5.7-3.14.2 spacewalk-proxy-salt-2.8.5.7-3.14.2 spacewalk-setup-jabberd-2.8.5.2-3.3.2 susemanager-web-libs-2.8.7.22-3.42.2 - SUSE Manager Proxy 3.2 (x86_64): jabberd-2.6.1-4.3.2 jabberd-db-2.6.1-4.3.2 jabberd-db-debuginfo-2.6.1-4.3.2 jabberd-debuginfo-2.6.1-4.3.2 jabberd-debugsource-2.6.1-4.3.2 jabberd-sqlite-2.6.1-4.3.2 jabberd-sqlite-debuginfo-2.6.1-4.3.2 References: https://bugzilla.suse.com/1113160 
https://bugzilla.suse.com/1121640 https://bugzilla.suse.com/1129243 https://bugzilla.suse.com/1134708 https://bugzilla.suse.com/1134860 https://bugzilla.suse.com/1146683 https://bugzilla.suse.com/1148352 https://bugzilla.suse.com/1154246 https://bugzilla.suse.com/1157034 https://bugzilla.suse.com/1158002 https://bugzilla.suse.com/1158480 https://bugzilla.suse.com/1158799 https://bugzilla.suse.com/1158818 https://bugzilla.suse.com/1158963 https://bugzilla.suse.com/1159492 From sle-updates at lists.suse.com Tue Jan 28 13:17:11 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 28 Jan 2020 21:17:11 +0100 (CET) Subject: SUSE-RU-2020:0249-1: moderate: Recommended update for release-notes-susemanager, release-notes-susemanager-proxy Message-ID: <20200128201711.58AC0F79E@maintenance.suse.de> SUSE Recommended Update: Recommended update for release-notes-susemanager, release-notes-susemanager-proxy ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0249-1 Rating: moderate References: #1113160 #1121640 #1129243 #1134708 #1134860 #1146683 #1148352 #1152765 #1154246 #1157034 #1158002 #1158480 #1158799 #1158818 #1158963 #1159492 Affected Products: SUSE Manager Server 3.2 SUSE Manager Proxy 3.2 ______________________________________________________________________________ An update that has 16 recommended fixes can now be installed. 
Description:

   This update for release-notes-susemanager, release-notes-susemanager-proxy fixes the following issues:

   - Update to 3.2.13
   - Bugs mentioned bsc#1113160, bsc#1121640, bsc#1129243, bsc#1134708, bsc#1134860, bsc#1146683, bsc#1148352, bsc#1154246, bsc#1157034, bsc#1158002, bsc#1158480, bsc#1158799, bsc#1158818, bsc#1158963, bsc#1159492, bsc#1152765

   - Update to 3.2.13
   - Bugs mentioned bsc#1113160, bsc#1146683, bsc#1148352, bsc#1158002, bsc#1158799, bsc#1158818, bsc#1159492, bsc#1152765

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-249=1

   - SUSE Manager Proxy 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-249=1

Package List:

   - SUSE Manager Server 3.2 (ppc64le s390x x86_64):

      release-notes-susemanager-3.2.13-6.47.1

   - SUSE Manager Proxy 3.2 (x86_64):

      release-notes-susemanager-proxy-3.2.13-0.16.39.1

References:

   https://bugzilla.suse.com/1113160
   https://bugzilla.suse.com/1121640
   https://bugzilla.suse.com/1129243
   https://bugzilla.suse.com/1134708
   https://bugzilla.suse.com/1134860
   https://bugzilla.suse.com/1146683
   https://bugzilla.suse.com/1148352
   https://bugzilla.suse.com/1152765
   https://bugzilla.suse.com/1154246
   https://bugzilla.suse.com/1157034
   https://bugzilla.suse.com/1158002
   https://bugzilla.suse.com/1158480
   https://bugzilla.suse.com/1158799
   https://bugzilla.suse.com/1158818
   https://bugzilla.suse.com/1158963
   https://bugzilla.suse.com/1159492

From sle-updates at lists.suse.com Tue Jan 28 16:11:08 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 29 Jan 2020 00:11:08 +0100 (CET)
Subject: SUSE-RU-2020:0253-1: moderate: Recommended update for obs-service-format_spec_file
Message-ID: <20200128231108.CC6EFF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for obs-service-format_spec_file
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0253-1
Rating:             moderate
References:         #1160801
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for obs-service-format_spec_file fixes the following issues:

   - Update copyright removing the closing colon, according to the SUSE standards. (bsc#1160801)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-253=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      obs-service-format_spec_file-20191114-3.6.1

References:

   https://bugzilla.suse.com/1160801

From sle-updates at lists.suse.com Tue Jan 28 16:11:53 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 29 Jan 2020 00:11:53 +0100 (CET)
Subject: SUSE-RU-2020:0254-1: important: Recommended update for kdump
Message-ID: <20200128231153.E6FFBF798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for kdump
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0254-1
Rating:             important
References:         #1021484 #1021846 #1036223 #1047609 #1047634 #1068234 #1072584
                    #1080916 #1080953 #1094444 #1101149 #1102252 #1108170 #1108919
                    #1111207 #1112387 #1116463 #1117652 #1125011 #1133407 #1141064
                    #884453 #951144
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Enterprise Storage 5
                    SUSE CaaS Platform 3.0
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that has 23 recommended fixes can now be installed.

Description:

   This update for kdump fixes the following issues:

   - Fixes an issue where the OS might be hanging when triggering kdump over a USB disk (bsc#1101149)
   - Fixes an issue where kdump failed when a crash is triggered after CPU hot removal (bsc#1133407)
   - Fixes an issue where kdump could not be used on mounted nfs paths (bsc#1094444, bsc#1116463, bsc#1141064)
   - Fixes an issue where kdump crashed after booting the OS (bsc#1021484, bsc#1080953)
   - Added ':force' as an option to KDUMP_NETCONFIG to force network setup in kdump. This is needed to configure fence_kdump (bsc#1108919)
   - Improved the handling of NSS (bsc#1021846)
   - Fixes an issue where the kdump mount points were not unmounted before switching to system root. This could lead to devices being busy during system shutdown (bsc#1102252, bsc#1125011)
   - Fixes multipath configuration with user_friendly_names or aliases (bsc#1111207)
   - There's now a fallback to re-register FADUMP from userspace if the kernel is not able to do it (bsc#1108170)
   - Added a better fallback solution when Kernel signature is missing (bsc#1080916)
   - Fixed an issue where KDUMPTOOL_FLAGS has been passed several times to the command line on kdump restart (bsc#1072584)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-254=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-254=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-254=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-254=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-254=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-254=1

   - SUSE CaaS Platform 3.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-254=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      kdump-0.8.16-7.22.1
      kdump-debuginfo-0.8.16-7.22.1
      kdump-debugsource-0.8.16-7.22.1

   - SUSE OpenStack Cloud 8 (x86_64):

      kdump-0.8.16-7.22.1
      kdump-debuginfo-0.8.16-7.22.1
      kdump-debugsource-0.8.16-7.22.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      kdump-0.8.16-7.22.1
      kdump-debuginfo-0.8.16-7.22.1
      kdump-debugsource-0.8.16-7.22.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      kdump-0.8.16-7.22.1
      kdump-debuginfo-0.8.16-7.22.1
      kdump-debugsource-0.8.16-7.22.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      kdump-0.8.16-7.22.1
      kdump-debuginfo-0.8.16-7.22.1
      kdump-debugsource-0.8.16-7.22.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      kdump-0.8.16-7.22.1
      kdump-debuginfo-0.8.16-7.22.1
      kdump-debugsource-0.8.16-7.22.1

   - SUSE CaaS Platform 3.0 (x86_64):

      kdump-0.8.16-7.22.1
      kdump-debuginfo-0.8.16-7.22.1
      kdump-debugsource-0.8.16-7.22.1

   - HPE Helion Openstack 8 (x86_64):

      kdump-0.8.16-7.22.1
      kdump-debuginfo-0.8.16-7.22.1
      kdump-debugsource-0.8.16-7.22.1

References:

   https://bugzilla.suse.com/1021484
   https://bugzilla.suse.com/1021846
   https://bugzilla.suse.com/1036223
   https://bugzilla.suse.com/1047609
   https://bugzilla.suse.com/1047634
   https://bugzilla.suse.com/1068234
   https://bugzilla.suse.com/1072584
   https://bugzilla.suse.com/1080916
   https://bugzilla.suse.com/1080953
   https://bugzilla.suse.com/1094444
   https://bugzilla.suse.com/1101149
   https://bugzilla.suse.com/1102252
   https://bugzilla.suse.com/1108170
   https://bugzilla.suse.com/1108919
   https://bugzilla.suse.com/1111207
   https://bugzilla.suse.com/1112387
   https://bugzilla.suse.com/1116463
   https://bugzilla.suse.com/1117652
   https://bugzilla.suse.com/1125011
   https://bugzilla.suse.com/1133407
   https://bugzilla.suse.com/1141064
   https://bugzilla.suse.com/884453
   https://bugzilla.suse.com/951144

From sle-updates at lists.suse.com Wed Jan 29 04:14:19 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 29 Jan 2020 12:14:19 +0100 (CET)
Subject: SUSE-SU-2020:0255-1: important: Security update for python-reportlab
Message-ID: <20200129111419.D27C8F798@maintenance.suse.de>

   SUSE Security Update: Security update for python-reportlab
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0255-1
Rating:             important
References:         #1154370
Cross-References:   CVE-2019-17626
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-reportlab fixes the following issues:

   - CVE-2019-17626: Fixed a potential remote code execution because of the lack of input sanitization in toColor() (bsc#1154370).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
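   The package list of an advisory names the builds that carry the fix, and the question on every host is whether what rpm reports is at least that build. The script below is an added example, not code from SUSE or from this advisory: it parses the Package List of SUSE-SU-2020:0255-1 (copied inline), reads a constructed sample of rpm -qa output (the query-format string and the sample host are assumptions made for the example; no real host was queried) and compares epoch, version and release the way librpm's rpmvercmp does, so a host still on a lower release is reported as outdated rather than matched by string equality. The function names rpmvercmp, evrcmp, parse_advisory_packages and check_host are this example's own.

```python
"""Check installed RPMs against a SUSE advisory's Package List (added example,
not SUSE's code). Ports librpm's rpmvercmp() to Python so the verdict matches
what rpm/zypper would decide, without needing librpm on the checking machine."""
from typing import Dict, Tuple

EVR = Tuple[int, str, str]  # (epoch, version, release)

# Package List block of SUSE-SU-2020:0255-1 for the 15-SP1 module, as in the advisory.
ADVISORY_TEXT = """\
Package List:
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
      python-reportlab-debuginfo-3.4.0-3.3.2
      python-reportlab-debugsource-3.4.0-3.3.2
      python2-reportlab-3.4.0-3.3.2
      python2-reportlab-debuginfo-3.4.0-3.3.2
      python3-reportlab-3.4.0-3.3.2
      python3-reportlab-debuginfo-3.4.0-3.3.2
References:
   https://www.suse.com/security/cve/CVE-2019-17626.html
"""

# Constructed sample (no real host) of the output of
#   rpm -qa --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}|:%{VERSION}-%{RELEASE}\n'
# python3-reportlab is deliberately one release behind the fixed build.
SAMPLE_RPM_QA = """\
python2-reportlab 0:3.4.0-3.3.2
python3-reportlab 0:3.4.0-3.2.1
python3-reportlab-debuginfo 0:3.4.0-3.3.2
kdump 0:0.8.16-7.22.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """-1/0/1 as librpm: alternating numeric/alpha segments, numeric beats alpha,
    leading zeros are ignored and '~' sorts before anything (pre-release)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1  # skip separators such as '.', '-', '+'
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:  # a tilde loses even against the end of the string
            if ta != tb:
                return -1 if ta else 1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()  # segment type is decided by a's next character
        kind = str.isdigit if numeric else str.isalpha
        ia, jb = i, j
        while ia < len(a) and kind(a[ia]):
            ia += 1
        while jb < len(b) and kind(b[jb]):
            jb += 1
        sa, sb = a[i:ia], b[j:jb]
        if not sb:  # types differ: a numeric segment is newer than an alpha one
            return 1 if numeric else -1
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ia, jb
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever string has text left is newer


def parse_evr(evr: str) -> EVR:
    """'0:3.4.0-3.3.2' or '3.4.0-3.3.2' -> (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.rpartition("-")
    return int(epoch or 0), version, release


def evrcmp(x: EVR, y: EVR) -> int:
    """Epoch first, then version, then release, each with rpmvercmp semantics."""
    return (x[0] > y[0]) - (x[0] < y[0]) or rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_advisory_packages(text: str) -> Dict[str, EVR]:
    """name -> fixed EVR, read from the 'Package List:' section only: patch ids like
    ...-2020-255=1 and CVE URLs elsewhere in an advisory would otherwise parse as NVRs."""
    start = max(text.find("Package List:"), 0)
    end = text.find("References:", start)
    fixed: Dict[str, EVR] = {}
    for tok in text[start:end if end >= 0 else None].split():
        parts = tok.rsplit("-", 2)  # name-version-release; name may contain '-'
        if len(parts) == 3 and "=" not in tok and parts[1][:1].isdigit() and parts[2][:1].isdigit():
            fixed[parts[0]] = (0, parts[1], parts[2])  # advisories print no epoch
    return fixed


def check_host(rpm_qa_text: str, advisory_text: str) -> Dict[str, str]:
    """Per advisory package: 'fixed', 'outdated' or 'not installed'."""
    installed = {l.split()[0]: parse_evr(l.split()[1]) for l in rpm_qa_text.splitlines() if l.strip()}
    fixed = parse_advisory_packages(advisory_text)
    return {name: "not installed" if name not in installed
            else "fixed" if evrcmp(installed[name], fixed[name]) >= 0 else "outdated"
            for name in sorted(fixed)}
```

   Run with check_host(SAMPLE_RPM_QA, ADVISORY_TEXT) for the sample host; feed it real rpm output produced with the query format shown in the comment to check a fleet. "not installed" is the normal result for debuginfo and debugsource packages, which is why the check reports it separately rather than as a failure.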
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-255=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-255=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): python-reportlab-debuginfo-3.4.0-3.3.2 python-reportlab-debugsource-3.4.0-3.3.2 python2-reportlab-3.4.0-3.3.2 python2-reportlab-debuginfo-3.4.0-3.3.2 python3-reportlab-3.4.0-3.3.2 python3-reportlab-debuginfo-3.4.0-3.3.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): python-reportlab-debuginfo-3.4.0-3.3.2 python-reportlab-debugsource-3.4.0-3.3.2 python2-reportlab-3.4.0-3.3.2 python2-reportlab-debuginfo-3.4.0-3.3.2 python3-reportlab-3.4.0-3.3.2 python3-reportlab-debuginfo-3.4.0-3.3.2 References: https://www.suse.com/security/cve/CVE-2019-17626.html https://bugzilla.suse.com/1154370 From sle-updates at lists.suse.com Wed Jan 29 07:11:29 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 29 Jan 2020 15:11:29 +0100 (CET) Subject: SUSE-RU-2020:0256-1: moderate: Recommended update for aaa_base Message-ID: <20200129141129.1D042F798@maintenance.suse.de> SUSE Recommended Update: Recommended update for aaa_base ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0256-1 Rating: moderate References: #1157794 #1160970 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has two recommended fixes can now be 
installed. Description: This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-256=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-256=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-256=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): aaa_base-debuginfo-84.87+git20180409.04c9dae-3.30.1 aaa_base-debugsource-84.87+git20180409.04c9dae-3.30.1 aaa_base-wsl-84.87+git20180409.04c9dae-3.30.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): aaa_base-debuginfo-84.87+git20180409.04c9dae-3.30.1 aaa_base-debugsource-84.87+git20180409.04c9dae-3.30.1 aaa_base-malloccheck-84.87+git20180409.04c9dae-3.30.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): aaa_base-84.87+git20180409.04c9dae-3.30.1 aaa_base-debuginfo-84.87+git20180409.04c9dae-3.30.1 aaa_base-debugsource-84.87+git20180409.04c9dae-3.30.1 aaa_base-extras-84.87+git20180409.04c9dae-3.30.1 References: https://bugzilla.suse.com/1157794 https://bugzilla.suse.com/1160970 From sle-updates at lists.suse.com Thu Jan 30 04:11:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 30 Jan 2020 12:11:46 +0100 (CET) Subject: SUSE-RU-2020:0259-1: important: Recommended update for kdump Message-ID: 
<20200130111146.24F70F798@maintenance.suse.de> SUSE Recommended Update: Recommended update for kdump ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0259-1 Rating: important References: #1021484 #1021846 #1036223 #1047609 #1047634 #1068234 #1080953 #1094444 #1101149 #1102252 #1108919 #1116463 #1117652 #1125011 #1133407 #1141064 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that has 16 recommended fixes can now be installed. Description: This update for kdump fixes the following issues: - Fixes an issue where the OS might be hanging when triggering kdump over a USB disk (bsc#1101149) - Fixes an issue where kdump failed when a crash is triggered after CPU hot removal (bsc#1133407) - Fixes an issue where kdump could not be used on mounted nfs paths (bsc#1094444, bsc#1116463, bsc#1141064) - Fixes an issue where kdump crashed after booting the OS (bsc#1021484, bsc#1080953) - Added ':force' as an option to KDUMP_NETCONFIG to force network setup in kdump. This is needed to configure fence_kdump (bsc#1108919) - Improved the handling of NSS (bsc#1021846) - Fixes an issue where the kdump mount points were not unmounted before switching to system root. This could lead to devices being busy during system shutdown (bsc#1102252, bsc#1125011) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-259=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-259=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): kdump-0.8.16-11.5.1 kdump-debuginfo-0.8.16-11.5.1 kdump-debugsource-0.8.16-11.5.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): kdump-0.8.16-11.5.1 kdump-debuginfo-0.8.16-11.5.1 kdump-debugsource-0.8.16-11.5.1 References: https://bugzilla.suse.com/1021484 https://bugzilla.suse.com/1021846 https://bugzilla.suse.com/1036223 https://bugzilla.suse.com/1047609 https://bugzilla.suse.com/1047634 https://bugzilla.suse.com/1068234 https://bugzilla.suse.com/1080953 https://bugzilla.suse.com/1094444 https://bugzilla.suse.com/1101149 https://bugzilla.suse.com/1102252 https://bugzilla.suse.com/1108919 https://bugzilla.suse.com/1116463 https://bugzilla.suse.com/1117652 https://bugzilla.suse.com/1125011 https://bugzilla.suse.com/1133407 https://bugzilla.suse.com/1141064 From sle-updates at lists.suse.com Thu Jan 30 04:14:43 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 30 Jan 2020 12:14:43 +0100 (CET) Subject: SUSE-SU-2020:0261-1: important: Security update for java-1_8_0-openjdk Message-ID: <20200130111443.9782BF798@maintenance.suse.de> SUSE Security Update: Security update for java-1_8_0-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0261-1 Rating: important References: #1160968 Cross-References: CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE 
Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: This update for java-1_8_0-openjdk fixes the following issues: Update java-1_8_0-openjdk to version jdk8u242 (icedtea 3.15.0) (January 2020 CPU, bsc#1160968): - CVE-2020-2583: Unlink Set of LinkedHashSets - CVE-2020-2590: Improve Kerberos interop capabilities - CVE-2020-2593: Normalize normalization for all - CVE-2020-2601: Better Ticket Granting Services - CVE-2020-2604: Better serial filter handling - CVE-2020-2659: Enhance datagram socket support - CVE-2020-2654: Improve Object Identifier Processing Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-261=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-261=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-261=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-261=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-261=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-261=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-261=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-261=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-261=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-261=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-261=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-261=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-261=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-261=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-261=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-261=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): java-1_8_0-openjdk-1.8.0.242-27.41.1 java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1 java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1 java-1_8_0-openjdk-demo-1.8.0.242-27.41.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1 java-1_8_0-openjdk-devel-1.8.0.242-27.41.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1 java-1_8_0-openjdk-headless-1.8.0.242-27.41.1 
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE OpenStack Cloud 8 (x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

   - HPE Helion Openstack 8 (x86_64):
      java-1_8_0-openjdk-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-debugsource-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-1.8.0.242-27.41.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-1.8.0.242-27.41.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.242-27.41.1

References:

   https://www.suse.com/security/cve/CVE-2020-2583.html
   https://www.suse.com/security/cve/CVE-2020-2590.html
   https://www.suse.com/security/cve/CVE-2020-2593.html
   https://www.suse.com/security/cve/CVE-2020-2601.html
   https://www.suse.com/security/cve/CVE-2020-2604.html
   https://www.suse.com/security/cve/CVE-2020-2654.html
   https://www.suse.com/security/cve/CVE-2020-2659.html
   https://bugzilla.suse.com/1160968

From sle-updates at lists.suse.com Thu Jan 30 04:15:37 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 12:15:37 +0100 (CET)
Subject: SUSE-RU-2020:0258-1: moderate: Recommended update for munge
Message-ID: <20200130111537.63345F79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for munge
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0258-1
Rating:             moderate
References:         #1160075
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for HPC 15-SP1
                    SUSE Linux Enterprise Module for HPC 15
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for munge fixes the following issues:

   - Add Provides for 'munge-libs' to package libmunge for compatibility with
     the upstream spec file (bsc#1160075).

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-258=1
   - SUSE Linux Enterprise Module for HPC 15-SP1:
      zypper in -t patch SUSE-SLE-Module-HPC-15-SP1-2020-258=1
   - SUSE Linux Enterprise Module for HPC 15:
      zypper in -t patch SUSE-SLE-Module-HPC-15-2020-258=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le s390x x86_64):
      munge-debugsource-0.5.13-4.6.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le s390x):
      libmunge2-0.5.13-4.6.1
      libmunge2-debuginfo-0.5.13-4.6.1
      munge-0.5.13-4.6.1
      munge-debuginfo-0.5.13-4.6.1
      munge-devel-0.5.13-4.6.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
      libmunge2-32bit-0.5.13-4.6.1
      libmunge2-32bit-debuginfo-0.5.13-4.6.1
      munge-devel-32bit-0.5.13-4.6.1

   - SUSE Linux Enterprise Module for HPC 15-SP1 (aarch64 x86_64):
      libmunge2-0.5.13-4.6.1
      libmunge2-debuginfo-0.5.13-4.6.1
      munge-0.5.13-4.6.1
      munge-debuginfo-0.5.13-4.6.1
      munge-debugsource-0.5.13-4.6.1
      munge-devel-0.5.13-4.6.1

   - SUSE Linux Enterprise Module for HPC 15 (aarch64 x86_64):
      libmunge2-0.5.13-4.6.1
      libmunge2-debuginfo-0.5.13-4.6.1
      munge-0.5.13-4.6.1
      munge-debuginfo-0.5.13-4.6.1
      munge-debugsource-0.5.13-4.6.1
      munge-devel-0.5.13-4.6.1

References:

   https://bugzilla.suse.com/1160075

From sle-updates at lists.suse.com Thu Jan 30 04:16:26 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 12:16:26 +0100 (CET)
Subject: SUSE-RU-2020:0257-1: moderate: Recommended update for python-tabulate, python-py, python-cryptography, python-pyOpenSSL
Message-ID: <20200130111626.55C6AF79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for python-tabulate, python-py, python-cryptography, python-pyOpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0257-1
Rating:             moderate
References:         #1054413 #1065275 #1073879
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE Linux Enterprise Desktop 12-SP4
                    SUSE Enterprise Storage 5
                    SUSE CaaS Platform 3.0
______________________________________________________________________________

   An update that has three recommended fixes can now be installed.

Description:

   This update for python-tabulate, python-py, python-cryptography and
   python-pyOpenSSL brings updates for use by the Azure Client Tools.

   - python-tabulate: now also shipped as a python3 variant.
   - python-cryptography: updated to 1.7.2
   - python-py: updated to 1.5.2
   - python-pyOpenSSL: updated to 17.0.0

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-257=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-257=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-257=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-257=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-257=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-257=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-257=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-257=1
   - SUSE Linux Enterprise Module for Public Cloud 12:
      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-257=1
   - SUSE Linux Enterprise Desktop 12-SP4:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2020-257=1
   - SUSE Enterprise Storage 5:
      zypper in -t patch SUSE-Storage-5-2020-257=1
   - SUSE CaaS Platform 3.0:
      To install this update, use the SUSE CaaS Platform Velum dashboard. It
      will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.
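   The patch commands above install the fix; what a practitioner wants to
   confirm afterwards is that every package named in the advisory's list is
   actually installed at the fixed version or newer. The script below is an
   added example for this page, not SUSE tooling: it re-implements rpm's
   version-segment comparison rules (rpmvercmp) in Python, splits
   name-version-release strings the way rpm guarantees is unambiguous, and
   grades a host's `rpm -qa` output against an advisory package list. A plain
   string comparison gets this wrong (it sorts 4.20.10 before 4.20.9). The
   fixed versions are copied from the SUSE Linux Enterprise Server 12-SP5
   section of this advisory's package list; the `rpm -qa` sample is
   constructed, not captured from a real host, and the function and variable
   names are mine. The comparison also handles epochs and rpm's `~` and `^`
   markers, which none of the versions on this page use, so it generalizes a
   little beyond this advisory.

```python
import re
from typing import Dict, Iterable, Tuple

EVR = Tuple[int, str, str]  # (epoch, version, release)
_SEG = re.compile(r"\d+|[A-Za-z]+|~|\^")
_ARCH = re.compile(r"\.(x86_64|aarch64|ppc64le|s390x|i[3-6]86|noarch|src)$")


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version-string comparison, re-implemented from its documented rules.

    Runs of digits compare numerically, runs of letters lexically, a digit run
    beats a letter run, '~' sorts before everything (even end of string), '^'
    sorts after end of string but before anything else, and every other
    character is only a separator. Returns -1, 0 or 1.
    """
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    while ta or tb:
        x = ta.pop(0) if ta else ""
        y = tb.pop(0) if tb else ""
        if x == "~" or y == "~":                 # pre-release marker
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x == "^" or y == "^":                 # post-release marker
            if not x or not y:
                return -1 if not x else 1
            if x != y:
                return -1 if x == "^" else 1
            continue
        if not x or not y:                       # one side exhausted: leftovers win
            return -1 if not x else 1
        if x.isdigit() != y.isdigit():           # mixed types: digits beat letters
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")  # numeric: longer number is bigger
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:                               # same length (or letters): lexical
            return 1 if x > y else -1
    return 0


def compare_evr(x: EVR, y: EVR) -> int:
    """Epoch decides first, then version, then release."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_nvr(nvr: str) -> Tuple[str, EVR]:
    """'name-[epoch:]version-release' -> (name, (epoch, version, release)).

    rpm forbids '-' inside version and release, so splitting on the last two
    hyphens is exact even for names such as 'python-cryptography'.
    """
    name, version, release = nvr.rsplit("-", 2)
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    return name, (int(epoch), version, release)


def installed_packages(rpm_qa_output: str) -> Dict[str, EVR]:
    """Index default `rpm -qa` output (name-version-release.arch) by name,
    keeping the highest EVR when several versions are installed."""
    installed: Dict[str, EVR] = {}
    for line in rpm_qa_output.split():
        name, evr = parse_nvr(_ARCH.sub("", line))
        if name not in installed or compare_evr(evr, installed[name]) > 0:
            installed[name] = evr
    return installed


def check_advisory(rpm_qa_output: str, fixed_nvrs: Iterable[str]) -> Dict[str, str]:
    """Map each advisory package to 'patched', 'vulnerable' or 'not installed';
    an installed EVR at or above the fixed one counts as patched."""
    installed = installed_packages(rpm_qa_output)
    report: Dict[str, str] = {}
    for nvr in fixed_nvrs:
        name, fixed = parse_nvr(nvr)
        if name not in installed:
            report[name] = "not installed"
        else:
            report[name] = "patched" if compare_evr(installed[name], fixed) >= 0 else "vulnerable"
    return report


# Fixed versions from the SUSE-RU-2020:0257-1 package list for SLES 12-SP5;
# python-tabulate ships only for the Public Cloud module (shows 'not installed').
FIXED_SLES12SP5 = [
    "python-cryptography-1.7.2-7.24.1",
    "python3-cryptography-1.7.2-7.24.1",
    "python-py-1.5.2-11.6.9",
    "python-pyOpenSSL-17.0.0-4.20.10",
    "python3-pyOpenSSL-17.0.0-4.20.10",
    "python-tabulate-0.7.7-1.6.2",
]

# Constructed `rpm -qa` output for a half-updated host (not a real capture).
SAMPLE_RPM_QA = """\
python-cryptography-1.7.2-7.24.1.x86_64
python3-cryptography-1.7.2-7.24.1.x86_64
python-py-1.4.31-11.3.1.noarch
python-pyOpenSSL-16.0.0-4.17.2.noarch
python3-pyOpenSSL-17.0.0-4.20.10.noarch
"""

if __name__ == "__main__":
    # On a real host: subprocess.run(["rpm", "-qa"], capture_output=True, text=True).stdout
    for pkg, status in sorted(check_advisory(SAMPLE_RPM_QA, FIXED_SLES12SP5).items()):
        print(f"{status:14} {pkg}")
```

   Two caveats when using this against a real host. First, the fixed versions
   differ per product even within one advisory (on this page, wicked is fixed
   at 0.6.60-3.21.1 for Basesystem 15 but 0.6.60-3.10.1 for Basesystem 15-SP1),
   so take the list for the product that is actually installed. Second, a
   version above the fixed one is reported as patched, which is right for
   packages tracking the SUSE update channel but not for a locally rebuilt
   package that carries a higher release number without the fix; for those,
   `zypper info -t patch <patch-name>` on the host is the authoritative check.
   Debuginfo and debugsource packages in the list are normally not installed
   and will simply report as such.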
Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1
      python3-cryptography-1.7.2-7.24.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
      python-pyOpenSSL-17.0.0-4.20.10
      python3-pyOpenSSL-17.0.0-4.20.10

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1
      python3-cryptography-1.7.2-7.24.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
      python-pyOpenSSL-17.0.0-4.20.10
      python3-pyOpenSSL-17.0.0-4.20.10

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1
      python3-cryptography-1.7.2-7.24.1
      python3-cryptography-debuginfo-1.7.2-7.24.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):
      python-py-1.5.2-11.6.9
      python-pyOpenSSL-17.0.0-4.20.10
      python3-pyOpenSSL-17.0.0-4.20.10

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1
      python3-cryptography-1.7.2-7.24.1
      python3-cryptography-debuginfo-1.7.2-7.24.1

   - SUSE Linux Enterprise Server 12-SP4 (noarch):
      python-pyOpenSSL-17.0.0-4.20.10
      python3-pyOpenSSL-17.0.0-4.20.10

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1
      python3-cryptography-1.7.2-7.24.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
      python-pyOpenSSL-17.0.0-4.20.10
      python3-pyOpenSSL-17.0.0-4.20.10

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1
      python3-cryptography-1.7.2-7.24.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
      python-pyOpenSSL-17.0.0-4.20.10
      python3-pyOpenSSL-17.0.0-4.20.10

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1
      python3-cryptography-1.7.2-7.24.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
      python-pyOpenSSL-17.0.0-4.20.10
      python3-pyOpenSSL-17.0.0-4.20.10

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
      python-pyOpenSSL-17.0.0-4.20.10
      python3-pyOpenSSL-17.0.0-4.20.10

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1
      python3-cryptography-1.7.2-7.24.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (noarch):
      python-tabulate-0.7.7-1.6.2
      python3-tabulate-0.7.7-1.6.2

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1
      python3-cryptography-1.7.2-7.24.1
      python3-cryptography-debuginfo-1.7.2-7.24.1

   - SUSE Linux Enterprise Desktop 12-SP4 (noarch):
      python-pyOpenSSL-17.0.0-4.20.10
      python3-pyOpenSSL-17.0.0-4.20.10

   - SUSE Enterprise Storage 5 (aarch64 x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1
      python3-cryptography-1.7.2-7.24.1

   - SUSE Enterprise Storage 5 (noarch):
      python-pyOpenSSL-17.0.0-4.20.10
      python3-pyOpenSSL-17.0.0-4.20.10

   - SUSE CaaS Platform 3.0 (x86_64):
      python-cryptography-1.7.2-7.24.1
      python-cryptography-debuginfo-1.7.2-7.24.1
      python-cryptography-debugsource-1.7.2-7.24.1

   - SUSE CaaS Platform 3.0 (noarch):
      python-pyOpenSSL-17.0.0-4.20.10

References:

   https://bugzilla.suse.com/1054413
   https://bugzilla.suse.com/1065275
   https://bugzilla.suse.com/1073879

From sle-updates at lists.suse.com Thu Jan 30 04:17:35 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 12:17:35 +0100 (CET)
Subject: SUSE-SU-2020:0260-1: important: Security update for rmt-server
Message-ID: <20200130111735.87D1AF79E@maintenance.suse.de>

   SUSE Security Update: Security update for rmt-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0260-1
Rating:             important
References:         #1141122 #1157119 #1160673 #1160922
Cross-References:   CVE-2019-18904
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Server Applications 15
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now available.

Description:

   This update for rmt-server to version 2.5.2 fixes the following issues:

   Security issue fixed:

   - CVE-2019-18904: Fixed a denial of service in the offline migration
     (bsc#1160922).

   Non-security issues fixed:

   - Relaxed systemd unit dependencies (bsc#1160673)
   - Added more verbose error reporting for SCC API errors (bsc#1157119)
   - Fixed the system listing when the architecture is not properly referenced
     (bsc#1141122)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-260=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-260=1
   - SUSE Linux Enterprise Module for Server Applications 15:
      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2020-260=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-260=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-260=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      rmt-server-2.5.2-3.26.1
      rmt-server-config-2.5.2-3.26.1
      rmt-server-debuginfo-2.5.2-3.26.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      rmt-server-2.5.2-3.26.1
      rmt-server-config-2.5.2-3.26.1
      rmt-server-debuginfo-2.5.2-3.26.1

   - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64):
      rmt-server-2.5.2-3.26.1
      rmt-server-config-2.5.2-3.26.1
      rmt-server-debuginfo-2.5.2-3.26.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      rmt-server-2.5.2-3.26.1
      rmt-server-config-2.5.2-3.26.1
      rmt-server-debuginfo-2.5.2-3.26.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      rmt-server-2.5.2-3.26.1
      rmt-server-config-2.5.2-3.26.1
      rmt-server-debuginfo-2.5.2-3.26.1

References:

   https://www.suse.com/security/cve/CVE-2019-18904.html
   https://bugzilla.suse.com/1141122
   https://bugzilla.suse.com/1157119
   https://bugzilla.suse.com/1160673
   https://bugzilla.suse.com/1160922

From sle-updates at lists.suse.com Thu Jan 30 07:11:27 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 15:11:27 +0100 (CET)
Subject: SUSE-SU-2020:0262-1: moderate: Security update for glibc
Message-ID: <20200130141127.DB183F798@maintenance.suse.de>

   SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0262-1
Rating:             moderate
References:         #1149332 #1151582 #1157292 #1157893 #1158996
Cross-References:   CVE-2019-19126
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes is now available.

Description:

   This update for glibc fixes the following issues:

   Security issue fixed:

   - CVE-2019-19126: The LD_PREFER_MAP_32BIT_EXEC environment variable is now
     ignored during program execution after a security transition (secure
     execution mode, e.g. set-user-ID programs). On x86-64 a local attacker
     could otherwise use it to restrict the addresses at which a privileged
     program's libraries are mapped and so weaken ASLR (bsc#1157292).

   Bug fixes:

   - Fixed the z15 (s390x) strstr implementation, which could return incorrect
     results if the search string crosses a page boundary (bsc#1157893).
   - Fixed hardware support in the toolchain (bsc#1151582).
   - Fixed syscalls during early process initialization (SLE-8348).
   - Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
   - popen now uses posix_spawn (bsc#1149332).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-262=1
   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-262=1
   - SUSE Linux Enterprise Module for Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-262=1
   - SUSE Linux Enterprise Module for Development Tools 15:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-262=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-262=1
   - SUSE Linux Enterprise Module for Basesystem 15:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-262=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x x86_64):
      glibc-debugsource-2.26-13.36.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
      glibc-32bit-debuginfo-2.26-13.36.1
      glibc-devel-static-32bit-2.26-13.36.1
      glibc-locale-base-32bit-2.26-13.36.1
      glibc-locale-base-32bit-debuginfo-2.26-13.36.1
      glibc-profile-32bit-2.26-13.36.1
      glibc-utils-32bit-2.26-13.36.1
      glibc-utils-32bit-debuginfo-2.26-13.36.1
      glibc-utils-src-debugsource-2.26-13.36.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
      glibc-html-2.26-13.36.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
      glibc-html-2.26-13.36.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
      glibc-debuginfo-2.26-13.36.1
      glibc-debugsource-2.26-13.36.1
      glibc-devel-static-2.26-13.36.1
      glibc-utils-2.26-13.36.1
      glibc-utils-debuginfo-2.26-13.36.1
      glibc-utils-src-debugsource-2.26-13.36.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (x86_64):
      glibc-32bit-debuginfo-2.26-13.36.1
      glibc-devel-32bit-2.26-13.36.1
      glibc-devel-32bit-debuginfo-2.26-13.36.1

   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):
      glibc-debuginfo-2.26-13.36.1
      glibc-debugsource-2.26-13.36.1
      glibc-devel-static-2.26-13.36.1
      glibc-utils-2.26-13.36.1
      glibc-utils-debuginfo-2.26-13.36.1
      glibc-utils-src-debugsource-2.26-13.36.1

   - SUSE Linux Enterprise Module for Development Tools 15 (x86_64):
      glibc-32bit-debuginfo-2.26-13.36.1
      glibc-devel-32bit-2.26-13.36.1
      glibc-devel-32bit-debuginfo-2.26-13.36.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      glibc-2.26-13.36.1
      glibc-debuginfo-2.26-13.36.1
      glibc-debugsource-2.26-13.36.1
      glibc-devel-2.26-13.36.1
      glibc-devel-debuginfo-2.26-13.36.1
      glibc-extra-2.26-13.36.1
      glibc-extra-debuginfo-2.26-13.36.1
      glibc-locale-2.26-13.36.1
      glibc-locale-base-2.26-13.36.1
      glibc-locale-base-debuginfo-2.26-13.36.1
      glibc-profile-2.26-13.36.1
      nscd-2.26-13.36.1
      nscd-debuginfo-2.26-13.36.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):
      glibc-32bit-2.26-13.36.1
      glibc-32bit-debuginfo-2.26-13.36.1
      glibc-locale-base-32bit-2.26-13.36.1
      glibc-locale-base-32bit-debuginfo-2.26-13.36.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
      glibc-i18ndata-2.26-13.36.1
      glibc-info-2.26-13.36.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
      glibc-2.26-13.36.1
      glibc-debuginfo-2.26-13.36.1
      glibc-debugsource-2.26-13.36.1
      glibc-devel-2.26-13.36.1
      glibc-devel-debuginfo-2.26-13.36.1
      glibc-extra-2.26-13.36.1
      glibc-extra-debuginfo-2.26-13.36.1
      glibc-locale-2.26-13.36.1
      glibc-locale-base-2.26-13.36.1
      glibc-locale-base-debuginfo-2.26-13.36.1
      glibc-profile-2.26-13.36.1
      nscd-2.26-13.36.1
      nscd-debuginfo-2.26-13.36.1

   - SUSE Linux Enterprise Module for Basesystem 15 (noarch):
      glibc-i18ndata-2.26-13.36.1
      glibc-info-2.26-13.36.1

   - SUSE Linux Enterprise Module for Basesystem 15 (x86_64):
      glibc-32bit-2.26-13.36.1
      glibc-32bit-debuginfo-2.26-13.36.1
      glibc-locale-base-32bit-2.26-13.36.1
      glibc-locale-base-32bit-debuginfo-2.26-13.36.1

References:

   https://www.suse.com/security/cve/CVE-2019-19126.html
   https://bugzilla.suse.com/1149332
   https://bugzilla.suse.com/1151582
   https://bugzilla.suse.com/1157292
   https://bugzilla.suse.com/1157893
   https://bugzilla.suse.com/1158996

From sle-updates at lists.suse.com Thu Jan 30 10:11:58 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 18:11:58 +0100 (CET)
Subject: SUSE-SU-2020:0263-1: important: Security update for wicked
Message-ID: <20200130171158.831A7F798@maintenance.suse.de>

   SUSE Security Update: Security update for wicked
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0263-1
Rating:             important
References:         #1160903 #1160905
Cross-References:   CVE-2019-18902 CVE-2020-7216
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Basesystem 15
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for wicked fixes the following issues:

   - CVE-2019-18902: Fixed a use-after-free when receiving invalid DHCP6 client
     options (bsc#1160903).
   - CVE-2020-7216: Fixed a potential denial of service via a memory leak when
     processing DHCP4 packets with a missing message type option (bsc#1160905).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-263=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-263=1
   - SUSE Linux Enterprise Module for Basesystem 15:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-263=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-263=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-263=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      wicked-0.6.60-3.21.1
      wicked-debuginfo-0.6.60-3.21.1
      wicked-debugsource-0.6.60-3.21.1
      wicked-service-0.6.60-3.21.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      wicked-0.6.60-3.21.1
      wicked-debuginfo-0.6.60-3.21.1
      wicked-debugsource-0.6.60-3.21.1
      wicked-service-0.6.60-3.21.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
      wicked-0.6.60-3.21.1
      wicked-debuginfo-0.6.60-3.21.1
      wicked-debugsource-0.6.60-3.21.1
      wicked-service-0.6.60-3.21.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      wicked-0.6.60-3.21.1
      wicked-debuginfo-0.6.60-3.21.1
      wicked-debugsource-0.6.60-3.21.1
      wicked-service-0.6.60-3.21.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      wicked-0.6.60-3.21.1
      wicked-debuginfo-0.6.60-3.21.1
      wicked-debugsource-0.6.60-3.21.1
      wicked-service-0.6.60-3.21.1

References:

   https://www.suse.com/security/cve/CVE-2019-18902.html
   https://www.suse.com/security/cve/CVE-2020-7216.html
   https://bugzilla.suse.com/1160903
   https://bugzilla.suse.com/1160905

From sle-updates at lists.suse.com Thu Jan 30 10:12:46 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 18:12:46 +0100 (CET)
Subject: SUSE-SU-2020:0265-1: moderate: Security update for e2fsprogs
Message-ID: <20200130171246.51822F798@maintenance.suse.de>

   SUSE Security Update: Security update for e2fsprogs
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0265-1
Rating:             moderate
References:         #1160571
Cross-References:   CVE-2019-5188
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for e2fsprogs fixes the following issues:

   - CVE-2019-5188: Fixed a code execution vulnerability in the directory
     rehashing functionality of e2fsck, reachable through a specially crafted
     ext4 directory (bsc#1160571).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-265=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP1:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-265=1
   - SUSE Linux Enterprise Module for Basesystem 15:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-265=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
      e2fsprogs-32bit-debuginfo-1.43.8-4.17.1
      e2fsprogs-debugsource-1.43.8-4.17.1
      libcom_err-devel-32bit-1.43.8-4.17.1
      libext2fs-devel-32bit-1.43.8-4.17.1
      libext2fs2-32bit-1.43.8-4.17.1
      libext2fs2-32bit-debuginfo-1.43.8-4.17.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
      e2fsprogs-1.43.8-4.17.1
      e2fsprogs-debuginfo-1.43.8-4.17.1
      e2fsprogs-debugsource-1.43.8-4.17.1
      e2fsprogs-devel-1.43.8-4.17.1
      libcom_err-devel-1.43.8-4.17.1
      libcom_err-devel-static-1.43.8-4.17.1
      libcom_err2-1.43.8-4.17.1
      libcom_err2-debuginfo-1.43.8-4.17.1
      libext2fs-devel-1.43.8-4.17.1
      libext2fs-devel-static-1.43.8-4.17.1
      libext2fs2-1.43.8-4.17.1
      libext2fs2-debuginfo-1.43.8-4.17.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):
      e2fsprogs-32bit-debuginfo-1.43.8-4.17.1
      libcom_err2-32bit-1.43.8-4.17.1
      libcom_err2-32bit-debuginfo-1.43.8-4.17.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
      e2fsprogs-1.43.8-4.17.1
      e2fsprogs-debuginfo-1.43.8-4.17.1
      e2fsprogs-debugsource-1.43.8-4.17.1
      e2fsprogs-devel-1.43.8-4.17.1
      libcom_err-devel-1.43.8-4.17.1
      libcom_err-devel-static-1.43.8-4.17.1
      libcom_err2-1.43.8-4.17.1
      libcom_err2-debuginfo-1.43.8-4.17.1
      libext2fs-devel-1.43.8-4.17.1
      libext2fs-devel-static-1.43.8-4.17.1
      libext2fs2-1.43.8-4.17.1
      libext2fs2-debuginfo-1.43.8-4.17.1

   - SUSE Linux Enterprise Module for Basesystem 15 (x86_64):
      e2fsprogs-32bit-debuginfo-1.43.8-4.17.1
      libcom_err2-32bit-1.43.8-4.17.1
      libcom_err2-32bit-debuginfo-1.43.8-4.17.1

References:

   https://www.suse.com/security/cve/CVE-2019-5188.html
   https://bugzilla.suse.com/1160571

From sle-updates at lists.suse.com Thu Jan 30 10:13:26 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 18:13:26 +0100 (CET)
Subject: SUSE-SU-2020:0264-1: important: Security update for wicked
Message-ID: <20200130171326.0C98FF798@maintenance.suse.de>

   SUSE Security Update: Security update for wicked
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0264-1
Rating:             important
References:         #1160903 #1160905
Cross-References:   CVE-2019-18902 CVE-2020-7216
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.
Description:

   This update for wicked fixes the following issues:

   - CVE-2019-18902: Fixed a use-after-free when receiving invalid DHCP6
     client options (bsc#1160903).
   - CVE-2020-7216: Fixed a potential denial of service via a memory leak
     when processing packets with missing message type option in DHCP4
     (bsc#1160905).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-264=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      wicked-0.6.60-3.10.1
      wicked-debuginfo-0.6.60-3.10.1
      wicked-debugsource-0.6.60-3.10.1
      wicked-service-0.6.60-3.10.1

References:

   https://www.suse.com/security/cve/CVE-2019-18902.html
   https://www.suse.com/security/cve/CVE-2020-7216.html
   https://bugzilla.suse.com/1160903
   https://bugzilla.suse.com/1160905

From sle-updates at lists.suse.com Thu Jan 30 13:11:30 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 21:11:30 +0100 (CET)
Subject: SUSE-RU-2020:0272-1: moderate: Recommended update for ldb
Message-ID: <20200130201130.A2EE9F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for ldb
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0272-1
Rating:             moderate
References:         #1161417
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for ldb fixes the following issue:

   - ship the ldb-tools package.
     (bsc#1161417)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-272=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-272=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-1.5.4-3.2.1
      libldb-devel-1.5.4-3.2.1
      python-ldb-1.5.4-3.2.1
      python-ldb-debuginfo-1.5.4-3.2.1
      python-ldb-devel-1.5.4-3.2.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-1.5.4-3.2.1
      ldb-tools-1.5.4-3.2.1
      ldb-tools-debuginfo-1.5.4-3.2.1
      libldb1-1.5.4-3.2.1
      libldb1-debuginfo-1.5.4-3.2.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libldb1-32bit-1.5.4-3.2.1
      libldb1-debuginfo-32bit-1.5.4-3.2.1

References:

   https://bugzilla.suse.com/1161417

From sle-updates at lists.suse.com Thu Jan 30 13:12:12 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 21:12:12 +0100 (CET)
Subject: SUSE-SU-2020:0275-1: moderate: Security update for ImageMagick
Message-ID: <20200130201212.7A90CF798@maintenance.suse.de>

   SUSE Security Update: Security update for ImageMagick
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0275-1
Rating:             moderate
References:         #1159861 #1160369 #1161194
Cross-References:   CVE-2019-19948 CVE-2019-19949
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.

Description:

   This update for ImageMagick fixes the following issues:

   Security issue fixed:

   - CVE-2019-19948: Fixed a heap-based buffer overflow in WriteSGIImage()
     (bsc#1159861).
   - CVE-2019-19949: Fixed a heap-based buffer over-read in WritePNGImage()
     (bsc#1160369).

   Non-security issue fixed:

   - Fixed an issue where converting tiff to png would lead to unviewable
     files (bsc#1161194).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-275=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-275=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-275=1

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-275=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-275=1

   - SUSE Linux Enterprise Module for Desktop Applications 15:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2020-275=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      ImageMagick-config-7-upstream-7.0.7.34-3.79.1
      ImageMagick-debuginfo-7.0.7.34-3.79.1
      ImageMagick-debugsource-7.0.7.34-3.79.1
      ImageMagick-extra-7.0.7.34-3.79.1
      ImageMagick-extra-debuginfo-7.0.7.34-3.79.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
      ImageMagick-devel-32bit-7.0.7.34-3.79.1
      libMagick++-7_Q16HDRI4-32bit-7.0.7.34-3.79.1
      libMagick++-7_Q16HDRI4-32bit-debuginfo-7.0.7.34-3.79.1
      libMagick++-devel-32bit-7.0.7.34-3.79.1
      libMagickCore-7_Q16HDRI6-32bit-7.0.7.34-3.79.1
      libMagickCore-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-3.79.1
      libMagickWand-7_Q16HDRI6-32bit-7.0.7.34-3.79.1
      libMagickWand-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-3.79.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      ImageMagick-doc-7.0.7.34-3.79.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      ImageMagick-debuginfo-7.0.7.34-3.79.1
      ImageMagick-debugsource-7.0.7.34-3.79.1
      ImageMagick-extra-7.0.7.34-3.79.1
      ImageMagick-extra-debuginfo-7.0.7.34-3.79.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      ImageMagick-doc-7.0.7.34-3.79.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      ImageMagick-debuginfo-7.0.7.34-3.79.1
      ImageMagick-debugsource-7.0.7.34-3.79.1
      perl-PerlMagick-7.0.7.34-3.79.1
      perl-PerlMagick-debuginfo-7.0.7.34-3.79.1

   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):

      ImageMagick-debuginfo-7.0.7.34-3.79.1
      ImageMagick-debugsource-7.0.7.34-3.79.1
      perl-PerlMagick-7.0.7.34-3.79.1
      perl-PerlMagick-debuginfo-7.0.7.34-3.79.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      ImageMagick-7.0.7.34-3.79.1
      ImageMagick-config-7-SUSE-7.0.7.34-3.79.1
      ImageMagick-debuginfo-7.0.7.34-3.79.1
      ImageMagick-debugsource-7.0.7.34-3.79.1
      ImageMagick-devel-7.0.7.34-3.79.1
      libMagick++-7_Q16HDRI4-7.0.7.34-3.79.1
      libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-3.79.1
      libMagick++-devel-7.0.7.34-3.79.1
      libMagickCore-7_Q16HDRI6-7.0.7.34-3.79.1
      libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-3.79.1
      libMagickWand-7_Q16HDRI6-7.0.7.34-3.79.1
      libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-3.79.1

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):

      ImageMagick-7.0.7.34-3.79.1
      ImageMagick-config-7-SUSE-7.0.7.34-3.79.1
      ImageMagick-config-7-upstream-7.0.7.34-3.79.1
      ImageMagick-debuginfo-7.0.7.34-3.79.1
      ImageMagick-debugsource-7.0.7.34-3.79.1
      ImageMagick-devel-7.0.7.34-3.79.1
      libMagick++-7_Q16HDRI4-7.0.7.34-3.79.1
      libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-3.79.1
      libMagick++-devel-7.0.7.34-3.79.1
      libMagickCore-7_Q16HDRI6-7.0.7.34-3.79.1
      libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-3.79.1
      libMagickWand-7_Q16HDRI6-7.0.7.34-3.79.1
      libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-3.79.1

References:

   https://www.suse.com/security/cve/CVE-2019-19948.html
   https://www.suse.com/security/cve/CVE-2019-19949.html
   https://bugzilla.suse.com/1159861
   https://bugzilla.suse.com/1160369
   https://bugzilla.suse.com/1161194

From sle-updates at lists.suse.com Thu Jan 30 13:13:09 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 21:13:09 +0100 (CET)
Subject: SUSE-SU-2020:0266-1: important: Security update for tigervnc
Message-ID: <20200130201309.31072F798@maintenance.suse.de>

   SUSE Security Update: Security update for tigervnc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0266-1
Rating:             important
References:         #1041847 #1053373 #1159856 #1159858 #1159860 #1160250
                    #1160251 #1160937
Cross-References:   CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694
                    CVE-2019-15695
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has three fixes is now available.

Description:

   This update for tigervnc provides the following fixes:

   Security issues fixed:

   - CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack
     memory in ZRLEDecoder (bsc#1159856).
   - CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode
     (bsc#1160250).
   - CVE-2019-15693: Fixed a heap-based buffer overflow in
     TightDecoder::FilterGradient (bsc#1159858).
   - CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper
     error handling in processing MemOutStream (bsc#1160251).
   - CVE-2019-15695: Fixed a stack-based buffer overflow, which could be
     triggered from CMsgReader::readSetCursor (bsc#1159860).

   Non-security issues fixed:

   - Make sure the CN in the generated certificate doesn't exceed 64
     characters. (bnc#1041847)
   - Change with-vnc-key.sh to generate the TLS certificate using the current
     hostname to keep it short. (bsc#1041847)
   - Disable the MIT-SHM extension when running under user "vnc". (bsc#1053373)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-266=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-266=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

      tigervnc-1.4.3-25.11.1
      tigervnc-debuginfo-1.4.3-25.11.1
      tigervnc-debugsource-1.4.3-25.11.1
      xorg-x11-Xvnc-1.4.3-25.11.1
      xorg-x11-Xvnc-debuginfo-1.4.3-25.11.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      tigervnc-1.4.3-25.11.1
      tigervnc-debuginfo-1.4.3-25.11.1
      tigervnc-debugsource-1.4.3-25.11.1
      xorg-x11-Xvnc-1.4.3-25.11.1
      xorg-x11-Xvnc-debuginfo-1.4.3-25.11.1

References:

   https://www.suse.com/security/cve/CVE-2019-15691.html
   https://www.suse.com/security/cve/CVE-2019-15692.html
   https://www.suse.com/security/cve/CVE-2019-15693.html
   https://www.suse.com/security/cve/CVE-2019-15694.html
   https://www.suse.com/security/cve/CVE-2019-15695.html
   https://bugzilla.suse.com/1041847
   https://bugzilla.suse.com/1053373
   https://bugzilla.suse.com/1159856
   https://bugzilla.suse.com/1159858
   https://bugzilla.suse.com/1159860
   https://bugzilla.suse.com/1160250
   https://bugzilla.suse.com/1160251
   https://bugzilla.suse.com/1160937

From sle-updates at lists.suse.com Thu Jan 30 13:14:50 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 21:14:50 +0100 (CET)
Subject: SUSE-RU-2020:0271-1: moderate: Recommended update for ldb
Message-ID: <20200130201450.92539F798@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for ldb
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0271-1
Rating:             moderate
References:         #1161417
Affected Products:
                    SUSE Linux Enterprise Module for Python2 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for ldb fixes the following issue:

   - ship the ldb-tools package. (bsc#1161417)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Python2 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-271=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-271=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-271=1

Package List:

   - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-1.4.6-3.2.1
      python-ldb-1.4.6-3.2.1
      python-ldb-debuginfo-1.4.6-3.2.1
      python-ldb-devel-1.4.6-3.2.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-1.4.6-3.2.1
      ldb-tools-1.4.6-3.2.1
      ldb-tools-debuginfo-1.4.6-3.2.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      python-ldb-32bit-1.4.6-3.2.1
      python-ldb-32bit-debuginfo-1.4.6-3.2.1
      python3-ldb-32bit-1.4.6-3.2.1
      python3-ldb-32bit-debuginfo-1.4.6-3.2.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-1.4.6-3.2.1
      ldb-tools-1.4.6-3.2.1
      ldb-tools-debuginfo-1.4.6-3.2.1
      libldb-devel-1.4.6-3.2.1
      libldb1-1.4.6-3.2.1
      libldb1-debuginfo-1.4.6-3.2.1
      python3-ldb-1.4.6-3.2.1
      python3-ldb-debuginfo-1.4.6-3.2.1
      python3-ldb-devel-1.4.6-3.2.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      libldb1-32bit-1.4.6-3.2.1
      libldb1-32bit-debuginfo-1.4.6-3.2.1

References:

   https://bugzilla.suse.com/1161417

From sle-updates at lists.suse.com Thu Jan 30 13:15:39 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 21:15:39 +0100 (CET)
Subject: SUSE-RU-2020:0276-1: important: Recommended update for apache2
Message-ID: <20200130201539.70AFFF79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0276-1
Rating:             important
References:         #1160100 #1161675
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for apache2 fixes the following issues:

   - Fix crash in mod_ssl: work around leaks on (graceful) restart (bsc#1161675)
   - apache2-devel now provides httpd-devel [bsc#1160100]

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-276=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-276=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-276=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-276=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-276=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-276=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-276=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-276=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-276=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-276=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-276=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-276=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-276=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-276=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-276=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE OpenStack Cloud 8 (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE OpenStack Cloud 8 (x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE OpenStack Cloud 7 (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-devel-2.4.23-29.47.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-devel-2.4.23-29.47.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP4 (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      apache2-doc-2.4.23-29.47.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - SUSE Enterprise Storage 5 (noarch):

      apache2-doc-2.4.23-29.47.1

   - HPE Helion Openstack 8 (x86_64):

      apache2-2.4.23-29.47.1
      apache2-debuginfo-2.4.23-29.47.1
      apache2-debugsource-2.4.23-29.47.1
      apache2-example-pages-2.4.23-29.47.1
      apache2-prefork-2.4.23-29.47.1
      apache2-prefork-debuginfo-2.4.23-29.47.1
      apache2-utils-2.4.23-29.47.1
      apache2-utils-debuginfo-2.4.23-29.47.1
      apache2-worker-2.4.23-29.47.1
      apache2-worker-debuginfo-2.4.23-29.47.1

   - HPE Helion Openstack 8 (noarch):

      apache2-doc-2.4.23-29.47.1

References:
   https://bugzilla.suse.com/1160100
   https://bugzilla.suse.com/1161675

From sle-updates at lists.suse.com Thu Jan 30 13:17:07 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 21:17:07 +0100 (CET)
Subject: SUSE-RU-2020:0274-1: moderate: Recommended update for MozillaFirefox
Message-ID: <20200130201707.ACCC7F79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0274-1
Rating:             moderate
References:         #1161799
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for MozillaFirefox fixes the following issues:

   Mozilla Firefox Extended Support Release 68.4.2 ESR:

   * Fixed various issues opening files with spaces in their path
     (bmo#1601905, bmo#1602726)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-274=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-274=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-274=1

   - SUSE Linux Enterprise Module for Desktop Applications 15:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2020-274=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-branding-upstream-68.4.2-3.69.1
      MozillaFirefox-debuginfo-68.4.2-3.69.1
      MozillaFirefox-debugsource-68.4.2-3.69.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      MozillaFirefox-buildsymbols-68.4.2-3.69.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x):

      MozillaFirefox-devel-68.4.2-3.69.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-branding-upstream-68.4.2-3.69.1
      MozillaFirefox-debuginfo-68.4.2-3.69.1
      MozillaFirefox-debugsource-68.4.2-3.69.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-68.4.2-3.69.1
      MozillaFirefox-debuginfo-68.4.2-3.69.1
      MozillaFirefox-debugsource-68.4.2-3.69.1
      MozillaFirefox-translations-common-68.4.2-3.69.1
      MozillaFirefox-translations-other-68.4.2-3.69.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le x86_64):

      MozillaFirefox-devel-68.4.2-3.69.1

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-68.4.2-3.69.1
      MozillaFirefox-debuginfo-68.4.2-3.69.1
      MozillaFirefox-debugsource-68.4.2-3.69.1
      MozillaFirefox-devel-68.4.2-3.69.1
      MozillaFirefox-translations-common-68.4.2-3.69.1
      MozillaFirefox-translations-other-68.4.2-3.69.1

References:

   https://bugzilla.suse.com/1161799

From sle-updates at lists.suse.com Thu Jan 30 13:17:49 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 21:17:49 +0100 (CET)
Subject: SUSE-RU-2020:0268-1: important: Recommended update for tomcat
Message-ID: <20200130201749.43F6DF79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0268-1
Rating:             important
References:         #1161025 #1162081
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for tomcat fixes the following issues:

   - Fixes an issue that led to a crash during the last upgrade, which was
     caused by a wrong typecast (bsc#1161025, bsc#1162081)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-268=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-268=1

Package List:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch):

      tomcat-9.0.30-4.15.1
      tomcat-admin-webapps-9.0.30-4.15.1
      tomcat-el-3_0-api-9.0.30-4.15.1
      tomcat-jsp-2_3-api-9.0.30-4.15.1
      tomcat-lib-9.0.30-4.15.1
      tomcat-servlet-4_0-api-9.0.30-4.15.1
      tomcat-webapps-9.0.30-4.15.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      tomcat-docs-webapp-9.0.30-4.15.1
      tomcat-embed-9.0.30-4.15.1
      tomcat-javadoc-9.0.30-4.15.1
      tomcat-jsvc-9.0.30-4.15.1

References:

   https://bugzilla.suse.com/1161025
   https://bugzilla.suse.com/1162081

From sle-updates at lists.suse.com Thu Jan 30 13:18:41 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 21:18:41 +0100 (CET)
Subject: SUSE-RU-2020:0270-1: moderate: Recommended update for ldb
Message-ID: <20200130201841.094A0F79E@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for ldb
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0270-1
Rating:             moderate
References:         #1161417
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for ldb fixes the following issue:

   - ship the ldb-tools package.
     (bsc#1161417)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-270=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-270=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-270=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-270=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-270=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-270=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      ldb-debugsource-1.2.4-3.14.1
      ldb-tools-1.2.4-3.14.1
      ldb-tools-debuginfo-1.2.4-3.14.1
      libldb-devel-1.2.4-3.14.1
      libldb1-1.2.4-3.14.1
      libldb1-debuginfo-1.2.4-3.14.1
      python-ldb-1.2.4-3.14.1
      python-ldb-debuginfo-1.2.4-3.14.1
      python-ldb-devel-1.2.4-3.14.1
      python3-ldb-1.2.4-3.14.1
      python3-ldb-debuginfo-1.2.4-3.14.1
      python3-ldb-devel-1.2.4-3.14.1

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):

      libldb1-32bit-1.2.4-3.14.1
      libldb1-32bit-debuginfo-1.2.4-3.14.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      ldb-debugsource-1.2.4-3.14.1
      ldb-tools-1.2.4-3.14.1
      ldb-tools-debuginfo-1.2.4-3.14.1
      libldb-devel-1.2.4-3.14.1
      libldb1-1.2.4-3.14.1
      libldb1-debuginfo-1.2.4-3.14.1
      python-ldb-1.2.4-3.14.1
      python-ldb-debuginfo-1.2.4-3.14.1
      python-ldb-devel-1.2.4-3.14.1
      python3-ldb-1.2.4-3.14.1
      python3-ldb-debuginfo-1.2.4-3.14.1
      python3-ldb-devel-1.2.4-3.14.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-1.2.4-3.14.1
      ldb-tools-1.2.4-3.14.1
      ldb-tools-debuginfo-1.2.4-3.14.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-1.2.4-3.14.1
      ldb-tools-1.2.4-3.14.1
      ldb-tools-debuginfo-1.2.4-3.14.1
      libldb-devel-1.2.4-3.14.1
      libldb1-1.2.4-3.14.1
      libldb1-debuginfo-1.2.4-3.14.1
      python-ldb-1.2.4-3.14.1
      python-ldb-debuginfo-1.2.4-3.14.1
      python-ldb-devel-1.2.4-3.14.1
      python3-ldb-1.2.4-3.14.1
      python3-ldb-debuginfo-1.2.4-3.14.1
      python3-ldb-devel-1.2.4-3.14.1

   - SUSE Linux Enterprise Module for Basesystem 15 (x86_64):

      libldb1-32bit-1.2.4-3.14.1
      libldb1-32bit-debuginfo-1.2.4-3.14.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      ldb-debugsource-1.2.4-3.14.1
      ldb-tools-1.2.4-3.14.1
      ldb-tools-debuginfo-1.2.4-3.14.1
      libldb-devel-1.2.4-3.14.1
      libldb1-1.2.4-3.14.1
      libldb1-debuginfo-1.2.4-3.14.1
      python-ldb-1.2.4-3.14.1
      python-ldb-debuginfo-1.2.4-3.14.1
      python-ldb-devel-1.2.4-3.14.1
      python3-ldb-1.2.4-3.14.1
      python3-ldb-debuginfo-1.2.4-3.14.1
      python3-ldb-devel-1.2.4-3.14.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      libldb1-32bit-1.2.4-3.14.1
      libldb1-32bit-debuginfo-1.2.4-3.14.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      ldb-debugsource-1.2.4-3.14.1
      ldb-tools-1.2.4-3.14.1
      ldb-tools-debuginfo-1.2.4-3.14.1
      libldb-devel-1.2.4-3.14.1
      libldb1-1.2.4-3.14.1
      libldb1-debuginfo-1.2.4-3.14.1
      python-ldb-1.2.4-3.14.1
      python-ldb-debuginfo-1.2.4-3.14.1
      python-ldb-devel-1.2.4-3.14.1
      python3-ldb-1.2.4-3.14.1
      python3-ldb-debuginfo-1.2.4-3.14.1
      python3-ldb-devel-1.2.4-3.14.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      libldb1-32bit-1.2.4-3.14.1
      libldb1-32bit-debuginfo-1.2.4-3.14.1

References:

   https://bugzilla.suse.com/1161417

From sle-updates at lists.suse.com Thu Jan 30 13:19:25 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 30 Jan 2020 21:19:25 +0100 (CET)
Subject: SUSE-SU-2020:0267-1: moderate: Security update for php72
Message-ID: <20200130201925.23089F79E@maintenance.suse.de>

   SUSE Security Update: Security update for php72
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0267-1
Rating:             moderate
References:         #1159922 #1159923 #1159924 #1159927
Cross-References:   CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11050
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for php72 fixes the following issues:

   - CVE-2019-11045: Fixed an issue with improper input validation in the
     filename handling of the DirectoryIterator class (bsc#1159923).
   - CVE-2019-11046: Fixed an information leak in bc_shift_addsub()
     (bsc#1159924).
   - CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in
     exif_read_data() (bsc#1159922, bsc#1159927).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-267=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-267=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-267=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): php72-debuginfo-7.2.5-1.32.1 php72-debugsource-7.2.5-1.32.1 php72-devel-7.2.5-1.32.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): php72-debuginfo-7.2.5-1.32.1 php72-debugsource-7.2.5-1.32.1 php72-devel-7.2.5-1.32.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php72-7.2.5-1.32.1 apache2-mod_php72-debuginfo-7.2.5-1.32.1 php72-7.2.5-1.32.1 php72-bcmath-7.2.5-1.32.1 php72-bcmath-debuginfo-7.2.5-1.32.1 php72-bz2-7.2.5-1.32.1 php72-bz2-debuginfo-7.2.5-1.32.1 php72-calendar-7.2.5-1.32.1 php72-calendar-debuginfo-7.2.5-1.32.1 php72-ctype-7.2.5-1.32.1 php72-ctype-debuginfo-7.2.5-1.32.1 php72-curl-7.2.5-1.32.1 php72-curl-debuginfo-7.2.5-1.32.1 php72-dba-7.2.5-1.32.1 php72-dba-debuginfo-7.2.5-1.32.1 php72-debuginfo-7.2.5-1.32.1 php72-debugsource-7.2.5-1.32.1 php72-dom-7.2.5-1.32.1 php72-dom-debuginfo-7.2.5-1.32.1 php72-enchant-7.2.5-1.32.1 php72-enchant-debuginfo-7.2.5-1.32.1 php72-exif-7.2.5-1.32.1 php72-exif-debuginfo-7.2.5-1.32.1 php72-fastcgi-7.2.5-1.32.1 php72-fastcgi-debuginfo-7.2.5-1.32.1 php72-fileinfo-7.2.5-1.32.1 php72-fileinfo-debuginfo-7.2.5-1.32.1 php72-fpm-7.2.5-1.32.1 php72-fpm-debuginfo-7.2.5-1.32.1 php72-ftp-7.2.5-1.32.1 php72-ftp-debuginfo-7.2.5-1.32.1 php72-gd-7.2.5-1.32.1 php72-gd-debuginfo-7.2.5-1.32.1 php72-gettext-7.2.5-1.32.1 php72-gettext-debuginfo-7.2.5-1.32.1 php72-gmp-7.2.5-1.32.1 php72-gmp-debuginfo-7.2.5-1.32.1 php72-iconv-7.2.5-1.32.1 php72-iconv-debuginfo-7.2.5-1.32.1 
php72-imap-7.2.5-1.32.1 php72-imap-debuginfo-7.2.5-1.32.1 php72-intl-7.2.5-1.32.1 php72-intl-debuginfo-7.2.5-1.32.1 php72-json-7.2.5-1.32.1 php72-json-debuginfo-7.2.5-1.32.1 php72-ldap-7.2.5-1.32.1 php72-ldap-debuginfo-7.2.5-1.32.1 php72-mbstring-7.2.5-1.32.1 php72-mbstring-debuginfo-7.2.5-1.32.1 php72-mysql-7.2.5-1.32.1 php72-mysql-debuginfo-7.2.5-1.32.1 php72-odbc-7.2.5-1.32.1 php72-odbc-debuginfo-7.2.5-1.32.1 php72-opcache-7.2.5-1.32.1 php72-opcache-debuginfo-7.2.5-1.32.1 php72-openssl-7.2.5-1.32.1 php72-openssl-debuginfo-7.2.5-1.32.1 php72-pcntl-7.2.5-1.32.1 php72-pcntl-debuginfo-7.2.5-1.32.1 php72-pdo-7.2.5-1.32.1 php72-pdo-debuginfo-7.2.5-1.32.1 php72-pgsql-7.2.5-1.32.1 php72-pgsql-debuginfo-7.2.5-1.32.1 php72-phar-7.2.5-1.32.1 php72-phar-debuginfo-7.2.5-1.32.1 php72-posix-7.2.5-1.32.1 php72-posix-debuginfo-7.2.5-1.32.1 php72-pspell-7.2.5-1.32.1 php72-pspell-debuginfo-7.2.5-1.32.1 php72-readline-7.2.5-1.32.1 php72-readline-debuginfo-7.2.5-1.32.1 php72-shmop-7.2.5-1.32.1 php72-shmop-debuginfo-7.2.5-1.32.1 php72-snmp-7.2.5-1.32.1 php72-snmp-debuginfo-7.2.5-1.32.1 php72-soap-7.2.5-1.32.1 php72-soap-debuginfo-7.2.5-1.32.1 php72-sockets-7.2.5-1.32.1 php72-sockets-debuginfo-7.2.5-1.32.1 php72-sodium-7.2.5-1.32.1 php72-sodium-debuginfo-7.2.5-1.32.1 php72-sqlite-7.2.5-1.32.1 php72-sqlite-debuginfo-7.2.5-1.32.1 php72-sysvmsg-7.2.5-1.32.1 php72-sysvmsg-debuginfo-7.2.5-1.32.1 php72-sysvsem-7.2.5-1.32.1 php72-sysvsem-debuginfo-7.2.5-1.32.1 php72-sysvshm-7.2.5-1.32.1 php72-sysvshm-debuginfo-7.2.5-1.32.1 php72-tidy-7.2.5-1.32.1 php72-tidy-debuginfo-7.2.5-1.32.1 php72-tokenizer-7.2.5-1.32.1 php72-tokenizer-debuginfo-7.2.5-1.32.1 php72-wddx-7.2.5-1.32.1 php72-wddx-debuginfo-7.2.5-1.32.1 php72-xmlreader-7.2.5-1.32.1 php72-xmlreader-debuginfo-7.2.5-1.32.1 php72-xmlrpc-7.2.5-1.32.1 php72-xmlrpc-debuginfo-7.2.5-1.32.1 php72-xmlwriter-7.2.5-1.32.1 php72-xmlwriter-debuginfo-7.2.5-1.32.1 php72-xsl-7.2.5-1.32.1 php72-xsl-debuginfo-7.2.5-1.32.1 php72-zip-7.2.5-1.32.1 
php72-zip-debuginfo-7.2.5-1.32.1 php72-zlib-7.2.5-1.32.1 php72-zlib-debuginfo-7.2.5-1.32.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php72-pear-7.2.5-1.32.1 php72-pear-Archive_Tar-7.2.5-1.32.1 References: https://www.suse.com/security/cve/CVE-2019-11045.html https://www.suse.com/security/cve/CVE-2019-11046.html https://www.suse.com/security/cve/CVE-2019-11047.html https://www.suse.com/security/cve/CVE-2019-11050.html https://bugzilla.suse.com/1159922 https://bugzilla.suse.com/1159923 https://bugzilla.suse.com/1159924 https://bugzilla.suse.com/1159927 From sle-updates at lists.suse.com Thu Jan 30 13:20:30 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 30 Jan 2020 21:20:30 +0100 (CET) Subject: SUSE-RU-2020:0273-1: moderate: Recommended update for gnu-compilers-hpc Message-ID: <20200130202030.677F2F79E@maintenance.suse.de> SUSE Recommended Update: Recommended update for gnu-compilers-hpc ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0273-1 Rating: moderate References: #1160924 Affected Products: SUSE Linux Enterprise Module for HPC 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for gnu-compilers-hpc fixes the following issues: - Added gcc9 flavors (jsc#SLE-8604 bsc#1160924) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for HPC 15: zypper in -t patch SUSE-SLE-Module-HPC-15-2020-273=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-273=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-273=1 Package List: - SUSE Linux Enterprise Module for HPC 15 (noarch): gnu-compilers-hpc-1.4-5.6.1 gnu-compilers-hpc-devel-1.4-5.6.1 gnu-compilers-hpc-macros-devel-1.4-5.6.1 gnu8-compilers-hpc-1.4-5.6.1 gnu8-compilers-hpc-devel-1.4-5.6.1 gnu8-compilers-hpc-macros-devel-1.4-5.6.1 gnu9-compilers-hpc-1.4-5.6.1 gnu9-compilers-hpc-devel-1.4-5.6.1 gnu9-compilers-hpc-macros-devel-1.4-5.6.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): gnu-compilers-hpc-1.4-5.6.1 gnu-compilers-hpc-devel-1.4-5.6.1 gnu-compilers-hpc-macros-devel-1.4-5.6.1 gnu8-compilers-hpc-1.4-5.6.1 gnu8-compilers-hpc-devel-1.4-5.6.1 gnu8-compilers-hpc-macros-devel-1.4-5.6.1 gnu9-compilers-hpc-1.4-5.6.1 gnu9-compilers-hpc-devel-1.4-5.6.1 gnu9-compilers-hpc-macros-devel-1.4-5.6.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): gnu-compilers-hpc-1.4-5.6.1 gnu-compilers-hpc-devel-1.4-5.6.1 gnu-compilers-hpc-macros-devel-1.4-5.6.1 gnu8-compilers-hpc-1.4-5.6.1 gnu8-compilers-hpc-devel-1.4-5.6.1 gnu8-compilers-hpc-macros-devel-1.4-5.6.1 gnu9-compilers-hpc-1.4-5.6.1 gnu9-compilers-hpc-devel-1.4-5.6.1 gnu9-compilers-hpc-macros-devel-1.4-5.6.1 References: https://bugzilla.suse.com/1160924 From sle-updates at lists.suse.com Fri Jan 31 00:14:15 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 08:14:15 +0100 (CET) Subject: SUSE-CU-2020:30-1: Security update of suse/sle15 Message-ID: <20200131071415.99BFBF798@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container 
Advisory ID : SUSE-CU-2020:30-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.140 Container Release : 4.22.140 Severity : moderate Type : security References : 1149332 1151582 1157292 1157794 1157893 1158996 1160571 1160970 CVE-2019-19126 CVE-2019-5188 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 Description: This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 Description: This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). From sle-updates at lists.suse.com Fri Jan 31 00:17:21 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 08:17:21 +0100 (CET) Subject: SUSE-CU-2020:31-1: Security update of suse/sle15 Message-ID: <20200131071721.C4732F798@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:31-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.152 Container Release : 6.2.152 Severity : moderate Type : security References : 1149332 1151582 1157292 1157794 1157893 1158996 1160571 1160970 CVE-2019-19126 CVE-2019-5188 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 Description: This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. 
(bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 Description: This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 Description: This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). 
From sle-updates at lists.suse.com Fri Jan 31 07:11:14 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 15:11:14 +0100 (CET) Subject: SUSE-RU-2020:0280-1: moderate: Recommended update for yast2-auth-client Message-ID: <20200131141114.74E0CF798@maintenance.suse.de> SUSE Recommended Update: Recommended update for yast2-auth-client ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0280-1 Rating: moderate References: #1153547 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for yast2-auth-client fixes the following issues: - Add missing domain setting 'ignore_group_members'; (bsc#1153547); Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-280=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): yast2-auth-client-4.1.3-3.6.1 References: https://bugzilla.suse.com/1153547 From sle-updates at lists.suse.com Fri Jan 31 07:11:54 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 15:11:54 +0100 (CET) Subject: SUSE-RU-2020:0279-1: moderate: Recommended update for p11-kit Message-ID: <20200131141154.1BDEBF798@maintenance.suse.de> SUSE Recommended Update: Recommended update for p11-kit ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0279-1 Rating: moderate References: #1013125 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-279=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-279=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): p11-kit-32bit-0.23.2-4.8.3 p11-kit-32bit-debuginfo-0.23.2-4.8.3 p11-kit-debugsource-0.23.2-4.8.3 p11-kit-nss-trust-32bit-0.23.2-4.8.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libp11-kit0-0.23.2-4.8.3 libp11-kit0-debuginfo-0.23.2-4.8.3 p11-kit-0.23.2-4.8.3 p11-kit-debuginfo-0.23.2-4.8.3 p11-kit-debugsource-0.23.2-4.8.3 p11-kit-devel-0.23.2-4.8.3 p11-kit-nss-trust-0.23.2-4.8.3 p11-kit-tools-0.23.2-4.8.3 p11-kit-tools-debuginfo-0.23.2-4.8.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libp11-kit0-32bit-0.23.2-4.8.3 libp11-kit0-32bit-debuginfo-0.23.2-4.8.3 p11-kit-32bit-debuginfo-0.23.2-4.8.3 References: https://bugzilla.suse.com/1013125 From sle-updates at lists.suse.com Fri Jan 31 07:12:34 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 15:12:34 +0100 (CET) Subject: SUSE-SU-2020:0278-1: important: Security update for rmt-server Message-ID: <20200131141234.AF7A7F798@maintenance.suse.de> SUSE Security Update: Security update for rmt-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0278-1 Rating: important References: #1141122 #1157119 #1160673 #1160922 Cross-References: CVE-2019-18904 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Public Cloud 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has three fixes is now 
available. Description: This update for rmt-server to version 2.5.2 fixes the following issues: Security issue fixed: - CVE-2019-18904: Fixed a denial of service in the offline migration (bsc#1160922). Non-security issue fixed: - Relaxed systemd units dependencies (bsc#1160673) - Added more verbose error reporting for SCC API errors (bsc#1157119) - Fixed system listing when architecture is not well referenced (bsc#1141122) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-278=1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-278=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): rmt-server-2.5.2-3.9.1 rmt-server-config-2.5.2-3.9.1 rmt-server-debuginfo-2.5.2-3.9.1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (aarch64 ppc64le s390x x86_64): rmt-server-debuginfo-2.5.2-3.9.1 rmt-server-pubcloud-2.5.2-3.9.1 References: https://www.suse.com/security/cve/CVE-2019-18904.html https://bugzilla.suse.com/1141122 https://bugzilla.suse.com/1157119 https://bugzilla.suse.com/1160673 https://bugzilla.suse.com/1160922 From sle-updates at lists.suse.com Fri Jan 31 10:11:42 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 18:11:42 +0100 (CET) Subject: SUSE-RU-2020:14272-1: moderate: Recommended update for firefox-gcc8 Message-ID: <20200131171142.A53BCF798@maintenance.suse.de> SUSE Recommended Update: Recommended update for firefox-gcc8 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:14272-1 Rating: moderate References: #1160489 Affected Products: SUSE Linux 
Enterprise Server 11-SP4-LTSS ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for firefox-gcc8 fixes the following issue: - firefox-libstdc++6 and firefox-libgcc_s1 had provides of the system libstdc++6 and libgcc_s1 provides (bsc#1160489) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-firefox-libstdc-20200122-14272=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64): firefox-libgcc_s1-8.2.1+r264010-2.11.1 firefox-libstdc++6-8.2.1+r264010-2.11.1 References: https://bugzilla.suse.com/1160489 From sle-updates at lists.suse.com Fri Jan 31 13:11:20 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 21:11:20 +0100 (CET) Subject: SUSE-RU-2020:0295-1: moderate: Recommended Beta update for SUSE Manager Client Tools Message-ID: <20200131201120.66678F798@maintenance.suse.de> SUSE Recommended Update: Recommended Beta update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0295-1 Rating: moderate References: #1157700 #1158697 Affected Products: SUSE Manager Tools 12-BETA ______________________________________________________________________________ An update that has two recommended fixes can now be installed. 
Description: This update fixes the following issues: mgr-osad: - Take care that osad is not disabled nor deactivated during update (bsc#1157700, bsc#1158697) - Separate osa-dispatcher and jabberd so it can be disabled independently supportutils-plugin-susemanager-client: - Rename rhncfg-actions to mgr-cfg-actions uyuni-common-libs: - Remove conflicts to spacewalk-backend-libs packages Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Tools 12-BETA: zypper in -t patch SUSE-SLE-Manager-Tools-12-2020-295=1 Package List: - SUSE Manager Tools 12-BETA (aarch64 ppc64le s390x x86_64): python2-uyuni-common-libs-4.1.2-3.6.1 - SUSE Manager Tools 12-BETA (noarch): mgr-osad-4.1.2-4.6.1 python2-mgr-osa-common-4.1.2-4.6.1 python2-mgr-osad-4.1.2-4.6.1 supportutils-plugin-susemanager-client-4.1.2-9.6.1 References: https://bugzilla.suse.com/1157700 https://bugzilla.suse.com/1158697 From sle-updates at lists.suse.com Fri Jan 31 13:12:07 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 21:12:07 +0100 (CET) Subject: SUSE-RU-2020:0294-1: moderate: Recommended Beta update for Salt Message-ID: <20200131201207.402D1F798@maintenance.suse.de> SUSE Recommended Update: Recommended Beta update for Salt ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0294-1 Rating: moderate References: #1153611 #1157479 #1158441 Affected Products: SUSE Manager Tools 15-BETA ______________________________________________________________________________ An update that has three recommended fixes can now be installed. 
Description: This update fixes the following issues: salt: - Support for Btrfs and XFS in parted and mkfs added - Adds list_downloaded for apt Module to enable pre-downloading support Adds virt.(pool|network)_get_xml functions Various libvirt updates - Virt: adding kernel boot parameters to libvirt xml - Fix virt states to not fail on VMs already stopped - Xfs: do not fail if type is not present (bsc#1153611) - Don't use __python indirection macros on spec file %__python is no longer defined in RPM 4.15 (python2 is going EOL in Jan 2020); additionally, python/python3 are just binaries in the path. - Fix errors when running virt.get_hypervisor function - Align virt.full_info fixes with upstream Salt - Let salt-ssh use platform-python on RHEL8 (bsc#1158441) - Fix StreamClosedError issue (bsc#1157479) - Requires vs BuildRequires - Limiting M2Crypto to >= SLE15 - Replacing pycrypto with M2Crypto - Fix for log checking in x509 test - Prevent test_mod_del_repo_multiline_values to fail Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Tools 15-BETA: zypper in -t patch SUSE-SLE-Manager-Tools-15-2020-294=1 Package List: - SUSE Manager Tools 15-BETA (aarch64 ppc64le s390x x86_64): python2-salt-2019.2.2-8.6.6 python3-salt-2019.2.2-8.6.6 salt-2019.2.2-8.6.6 salt-api-2019.2.2-8.6.6 salt-cloud-2019.2.2-8.6.6 salt-doc-2019.2.2-8.6.6 salt-master-2019.2.2-8.6.6 salt-minion-2019.2.2-8.6.6 salt-proxy-2019.2.2-8.6.6 salt-ssh-2019.2.2-8.6.6 salt-standalone-formulas-configuration-2019.2.2-8.6.6 salt-syndic-2019.2.2-8.6.6 - SUSE Manager Tools 15-BETA (noarch): salt-bash-completion-2019.2.2-8.6.6 salt-fish-completion-2019.2.2-8.6.6 salt-zsh-completion-2019.2.2-8.6.6 References: https://bugzilla.suse.com/1153611 https://bugzilla.suse.com/1157479 https://bugzilla.suse.com/1158441 From sle-updates at lists.suse.com Fri Jan 31 13:12:59 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 21:12:59 +0100 (CET) Subject: SUSE-RU-2020:14279-1: moderate: Recommended Beta update for Salt Message-ID: <20200131201259.4A828F798@maintenance.suse.de> SUSE Recommended Update: Recommended Beta update for Salt ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:14279-1 Rating: moderate References: #1153611 #1157479 #1158441 Affected Products: SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA ______________________________________________________________________________ An update that has three recommended fixes can now be installed. 
Description: This update fixes the following issues: salt: - Support for Btrfs and XFS in parted and mkfs added - Adds list_downloaded for apt Module to enable pre-downloading support Adds virt.(pool|network)_get_xml functions Various libvirt updates - Virt: adding kernel boot parameters to libvirt xml - Fix virt states to not fail on VMs already stopped - Xfs: do not fail if type is not present (bsc#1153611) - Don't use __python indirection macros on spec file %__python is no longer defined in RPM 4.15 (python2 is going EOL in Jan 2020); additionally, python/python3 are just binaries in the path. - Fix errors when running virt.get_hypervisor function - Align virt.full_info fixes with upstream Salt - Let salt-ssh use platform-python on RHEL8 (bsc#1158441) - Fix StreamClosedError issue (bsc#1157479) - Requires vs BuildRequires - Limiting M2Crypto to >= SLE15 - Replacing pycrypto with M2Crypto - Fix for log checking in x509 test - Prevent test_mod_del_repo_multiline_values to fail Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA: zypper in -t patch suse-ubu164ct-salt-beta-202001-14279=1 Package List: - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA (all): salt-common-2019.2.2+ds-1.1+26.6.2 salt-minion-2019.2.2+ds-1.1+26.6.2 References: https://bugzilla.suse.com/1153611 https://bugzilla.suse.com/1157479 https://bugzilla.suse.com/1158441 From sle-updates at lists.suse.com Fri Jan 31 13:13:50 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 21:13:50 +0100 (CET) Subject: SUSE-RU-2020:0285-1: moderate: Recommended Beta update for SUSE Manager Client Tools Message-ID: <20200131201350.DD315F798@maintenance.suse.de> SUSE Recommended Update: Recommended Beta update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:0285-1 Rating: moderate References: #1157700 #1158032 #1158697 Affected Products: SUSE Manager Tools 15-BETA ______________________________________________________________________________ An update that has three recommended fixes can now be installed. 
Description: This update fixes the following issues: POS_Image-Graphical7: - Enable install-local-bootloader.service (bsc#1158032) - Update to version 0.1.1579102150.4716559 POS_Image-JeOS7: - Enable install-local-bootloader.service (bsc#1158032) - Update to version 0.1.1579102150.4716559 dracut-saltboot: - Source wicked network information to access IPADDR and DNSDOMAIN variables - Replace systemException functions by log and reboot actions - Stop waiting for devices when dracut timeout is hit - Update to version 0.1.1579102150.4716559 mgr-osad: - Take care that osad is not disabled nor deactivated during update (bsc#1157700, bsc#1158697) - Separate osa-dispatcher and jabberd so it can be disabled independently supportutils-plugin-susemanager-client: - Rename rhncfg-actions to mgr-cfg-actions uyuni-common-libs: - Remove conflicts to spacewalk-backend-libs packages Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Tools 15-BETA: zypper in -t patch SUSE-SLE-Manager-Tools-15-2020-285=1 Package List: - SUSE Manager Tools 15-BETA (aarch64 ppc64le s390x x86_64): python3-uyuni-common-libs-4.1.2-3.6.2 - SUSE Manager Tools 15-BETA (noarch): POS_Image-Graphical7-0.1.1579102150.4716559-3.6.2 POS_Image-JeOS7-0.1.1579102150.4716559-3.6.2 dracut-saltboot-0.1.1579102150.4716559-3.6.1 mgr-osad-4.1.2-4.6.2 python3-mgr-osa-common-4.1.2-4.6.2 python3-mgr-osad-4.1.2-4.6.2 supportutils-plugin-susemanager-client-4.1.2-6.6.1 References: https://bugzilla.suse.com/1157700 https://bugzilla.suse.com/1158032 https://bugzilla.suse.com/1158697 From sle-updates at lists.suse.com Fri Jan 31 13:14:44 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 31 Jan 2020 21:14:44 +0100 (CET) Subject: SUSE-RU-2020:14278-1: moderate: Recommended Beta update for Salt Message-ID: <20200131201444.62676F798@maintenance.suse.de> SUSE Recommended Update: Recommended Beta update for Salt ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:14278-1 Rating: moderate References: #1153611 #1157479 #1158441 Affected Products: SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA ______________________________________________________________________________ An update that has three recommended fixes can now be installed. 
Description:

   This update fixes the following issues:

   salt:

   - Support for Btrfs and XFS in parted and mkfs added
   - Adds list_downloaded for apt Module to enable pre-downloading support
     Adds virt.(pool|network)_get_xml functions
     Various libvirt updates
   - Virt: adding kernel boot parameters to libvirt xml
   - Fix virt states to not fail on VMs already stopped
   - Xfs: do not fail if type is not present (bsc#1153611)
   - Don't use __python indirection macros on spec file
     %__python is no longer defined in RPM 4.15 (python2 is going EOL in
     Jan 2020); additionally, python/python3 are just binaries in the path.
   - Fix errors when running virt.get_hypervisor function
   - Align virt.full_info fixes with upstream Salt
   - Let salt-ssh use platform-python on RHEL8 (bsc#1158441)
   - Fix StreamClosedError issue (bsc#1157479)
   - Requires vs BuildRequires
   - Limiting M2Crypto to >= SLE15
   - Replacing pycrypto with M2Crypto
   - Fix for log checking in x509 test
   - Prevent test_mod_del_repo_multiline_values to fail

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA:

      zypper in -t patch suse-ubu184ct-salt-beta-202001-14278=1

Package List:

   - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (all):

      salt-common-2019.2.2+ds-1.1+27.6.2
      salt-minion-2019.2.2+ds-1.1+27.6.2

References:

   https://bugzilla.suse.com/1153611
   https://bugzilla.suse.com/1157479
   https://bugzilla.suse.com/1158441


From sle-updates at lists.suse.com Fri Jan 31 13:15:40 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 31 Jan 2020 21:15:40 +0100 (CET)
Subject: SUSE-RU-2020:14273-1: moderate: Recommended Beta update for SUSE Manager Client Tools
Message-ID: <20200131201540.2355CF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended Beta update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:14273-1
Rating:             moderate
References:         #1157700 #1158697
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA
                    SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update fixes the following issues:

   mgr-osad:

   - Take care that osad is not disabled nor deactivated during update
     (bsc#1157700, bsc#1158697)
   - Separate osa-dispatcher and jabberd so it can be disabled independently

   supportutils-plugin-susemanager-client:

   - Rename rhncfg-actions to mgr-cfg-actions

   uyuni-common-libs:

   - Remove conflicts to spacewalk-backend-libs packages

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA:

      zypper in -t patch slesctsp4-client-tools-beta-202001-14273=1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA:

      zypper in -t patch slesctsp3-client-tools-beta-202001-14273=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA (i586 ia64 ppc64 s390x x86_64):

      mgr-osad-4.1.2-8.6.2
      python2-mgr-osa-common-4.1.2-8.6.2
      python2-mgr-osad-4.1.2-8.6.2
      python2-uyuni-common-libs-4.1.2-7.6.2

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA (noarch):

      supportutils-plugin-susemanager-client-4.1.2-12.6.2

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA (i586 ia64 ppc64 s390x x86_64):

      mgr-osad-4.1.2-8.6.2
      python2-mgr-osa-common-4.1.2-8.6.2
      python2-mgr-osad-4.1.2-8.6.2
      python2-uyuni-common-libs-4.1.2-7.6.2

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA (noarch):

      supportutils-plugin-susemanager-client-4.1.2-12.6.2

References:

   https://bugzilla.suse.com/1157700
   https://bugzilla.suse.com/1158697


From sle-updates at lists.suse.com Fri Jan 31 13:16:28 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 31 Jan 2020 21:16:28 +0100 (CET)
Subject: SUSE-RU-2020:14276-1: moderate: Recommended Beta update for Salt
Message-ID: <20200131201628.5832DF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended Beta update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:14276-1
Rating:             moderate
References:         #1162382
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA
                    SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA
______________________________________________________________________________

   An update that has one recommended fix can now be installed.
Description:

   This update fixes the following issues:

   salt:

   - Replace pycrypto with M2Crypto as dependency for SLE15+

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA:

      zypper in -t patch slesctsp4-salt-beta-202001-14276=1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA:

      zypper in -t patch slesctsp3-salt-beta-202001-14276=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA (i586 ia64 ppc64 s390x x86_64):

      salt-2016.11.10-46.3.2
      salt-doc-2016.11.10-46.3.2
      salt-minion-2016.11.10-46.3.2

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA (i586 ia64 ppc64 s390x x86_64):

      salt-2016.11.10-46.3.2
      salt-doc-2016.11.10-46.3.2
      salt-minion-2016.11.10-46.3.2

References:

   https://bugzilla.suse.com/1162382


From sle-updates at lists.suse.com Fri Jan 31 13:17:09 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 31 Jan 2020 21:17:09 +0100 (CET)
Subject: SUSE-RU-2020:0282-1: moderate: Recommended update for crmsh
Message-ID: <20200131201709.6EABDF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended update for crmsh
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0282-1
Rating:             moderate
References:         #1127095 #1127096 #1129462 #1144241 #1145520 #1154163
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

   An update that has 6 recommended fixes can now be installed.

Description:

   This update for crmsh fixes the following issues:

   - Fix for corosync: Reject appending ipaddress to config file if it already
     has one. (bsc#1127095, bsc#1127096)
   - Fix for ui_cluster: Refactoring function 'list_cluster_nodes' and handle
     the 'None' situation properly to avoid possible crash. (bsc#1145520)
   - Fixes an issue where the resource failcount was not set correctly
     (bsc#1144241)
   - Fixes an issue where the VM resource doesn't get started properly by
     pacemaker (bsc#1129462)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-282=1

   - SUSE Linux Enterprise High Availability 15-SP1:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-282=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      crmsh-test-4.1.0+git.1578469492.493d5d62-3.11.1

   - SUSE Linux Enterprise High Availability 15-SP1 (noarch):

      crmsh-4.1.0+git.1578469492.493d5d62-3.11.1
      crmsh-scripts-4.1.0+git.1578469492.493d5d62-3.11.1

References:

   https://bugzilla.suse.com/1127095
   https://bugzilla.suse.com/1127096
   https://bugzilla.suse.com/1129462
   https://bugzilla.suse.com/1144241
   https://bugzilla.suse.com/1145520
   https://bugzilla.suse.com/1154163


From sle-updates at lists.suse.com Fri Jan 31 13:18:24 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 31 Jan 2020 21:18:24 +0100 (CET)
Subject: SUSE-RU-2020:0292-1: moderate: Recommended Beta update for Salt
Message-ID: <20200131201824.35C0AF79E@maintenance.suse.de>

SUSE Recommended Update: Recommended Beta update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:0292-1
Rating:             moderate
References:         #1153611 #1157479 #1158441
Affected Products:
                    SUSE Manager Tools 12-BETA
______________________________________________________________________________
   An update that has three recommended fixes can now be installed.

Description:

   This update fixes the following issues:

   salt:

   - Support for Btrfs and XFS in parted and mkfs added
   - Adds list_downloaded for apt Module to enable pre-downloading support
     Adds virt.(pool|network)_get_xml functions
     Various libvirt updates
   - Virt: adding kernel boot parameters to libvirt xml
   - Fix virt states to not fail on VMs already stopped
   - Xfs: do not fail if type is not present (bsc#1153611)
   - Don't use __python indirection macros on spec file
     %__python is no longer defined in RPM 4.15 (python2 is going EOL in
     Jan 2020); additionally, python/python3 are just binaries in the path.
   - Fix errors when running virt.get_hypervisor function
   - Align virt.full_info fixes with upstream Salt
   - Let salt-ssh use platform-python on RHEL8 (bsc#1158441)
   - Fix StreamClosedError issue (bsc#1157479)
   - Requires vs BuildRequires
   - Limiting M2Crypto to >= SLE15
   - Replacing pycrypto with M2Crypto
   - Fix for log checking in x509 test
   - Prevent test_mod_del_repo_multiline_values to fail

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 12-BETA:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-2020-292=1

Package List:

   - SUSE Manager Tools 12-BETA (aarch64 ppc64le s390x x86_64):

      python2-salt-2019.2.2-49.6.1
      python3-salt-2019.2.2-49.6.1
      salt-2019.2.2-49.6.1
      salt-doc-2019.2.2-49.6.1
      salt-minion-2019.2.2-49.6.1

References:

   https://bugzilla.suse.com/1153611
   https://bugzilla.suse.com/1157479
   https://bugzilla.suse.com/1158441


From sle-updates at lists.suse.com Fri Jan 31 13:19:19 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 31 Jan 2020 21:19:19 +0100 (CET)
Subject: SUSE-SU-2020:0296-1: moderate: Security update for ceph
Message-ID: <20200131201919.AC394F79E@maintenance.suse.de>

SUSE Security Update: Security update for ceph
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0296-1
Rating:             moderate
References:         #1161074 #1161312
Cross-References:   CVE-2020-1699 CVE-2020-1700
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Enterprise Storage 6
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for ceph fixes the following issues:

   - CVE-2020-1700: Fixed a denial of service against the RGW server via
     connection leakage (bsc#1161312).
   - CVE-2020-1699: Fixed an information disclosure caused by improper URL
     checking (bsc#1161074).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-296=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-296=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2020-296=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      ceph-14.2.5.382+g8881d33957-3.30.1
      ceph-base-14.2.5.382+g8881d33957-3.30.1
      ceph-base-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-debugsource-14.2.5.382+g8881d33957-3.30.1
      ceph-fuse-14.2.5.382+g8881d33957-3.30.1
      ceph-fuse-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-mds-14.2.5.382+g8881d33957-3.30.1
      ceph-mds-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-mon-14.2.5.382+g8881d33957-3.30.1
      ceph-mon-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-osd-14.2.5.382+g8881d33957-3.30.1
      ceph-osd-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-radosgw-14.2.5.382+g8881d33957-3.30.1
      ceph-radosgw-debuginfo-14.2.5.382+g8881d33957-3.30.1
      cephfs-shell-14.2.5.382+g8881d33957-3.30.1
      rbd-fuse-14.2.5.382+g8881d33957-3.30.1
      rbd-fuse-debuginfo-14.2.5.382+g8881d33957-3.30.1
      rbd-mirror-14.2.5.382+g8881d33957-3.30.1
      rbd-mirror-debuginfo-14.2.5.382+g8881d33957-3.30.1
      rbd-nbd-14.2.5.382+g8881d33957-3.30.1
      rbd-nbd-debuginfo-14.2.5.382+g8881d33957-3.30.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      ceph-grafana-dashboards-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-dashboard-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-diskprediction-cloud-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-diskprediction-local-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-rook-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-ssh-14.2.5.382+g8881d33957-3.30.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      ceph-test-14.2.5.382+g8881d33957-3.30.1
      ceph-test-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-test-debugsource-14.2.5.382+g8881d33957-3.30.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      ceph-common-14.2.5.382+g8881d33957-3.30.1
      ceph-common-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-debugsource-14.2.5.382+g8881d33957-3.30.1
      libcephfs-devel-14.2.5.382+g8881d33957-3.30.1
      libcephfs2-14.2.5.382+g8881d33957-3.30.1
      libcephfs2-debuginfo-14.2.5.382+g8881d33957-3.30.1
      librados-devel-14.2.5.382+g8881d33957-3.30.1
      librados-devel-debuginfo-14.2.5.382+g8881d33957-3.30.1
      librados2-14.2.5.382+g8881d33957-3.30.1
      librados2-debuginfo-14.2.5.382+g8881d33957-3.30.1
      libradospp-devel-14.2.5.382+g8881d33957-3.30.1
      librbd-devel-14.2.5.382+g8881d33957-3.30.1
      librbd1-14.2.5.382+g8881d33957-3.30.1
      librbd1-debuginfo-14.2.5.382+g8881d33957-3.30.1
      librgw-devel-14.2.5.382+g8881d33957-3.30.1
      librgw2-14.2.5.382+g8881d33957-3.30.1
      librgw2-debuginfo-14.2.5.382+g8881d33957-3.30.1
      python3-ceph-argparse-14.2.5.382+g8881d33957-3.30.1
      python3-cephfs-14.2.5.382+g8881d33957-3.30.1
      python3-cephfs-debuginfo-14.2.5.382+g8881d33957-3.30.1
      python3-rados-14.2.5.382+g8881d33957-3.30.1
      python3-rados-debuginfo-14.2.5.382+g8881d33957-3.30.1
      python3-rbd-14.2.5.382+g8881d33957-3.30.1
      python3-rbd-debuginfo-14.2.5.382+g8881d33957-3.30.1
      python3-rgw-14.2.5.382+g8881d33957-3.30.1
      python3-rgw-debuginfo-14.2.5.382+g8881d33957-3.30.1
      rados-objclass-devel-14.2.5.382+g8881d33957-3.30.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      ceph-14.2.5.382+g8881d33957-3.30.1
      ceph-base-14.2.5.382+g8881d33957-3.30.1
      ceph-base-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-common-14.2.5.382+g8881d33957-3.30.1
      ceph-common-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-debugsource-14.2.5.382+g8881d33957-3.30.1
      ceph-fuse-14.2.5.382+g8881d33957-3.30.1
      ceph-fuse-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-mds-14.2.5.382+g8881d33957-3.30.1
      ceph-mds-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-mon-14.2.5.382+g8881d33957-3.30.1
      ceph-mon-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-osd-14.2.5.382+g8881d33957-3.30.1
      ceph-osd-debuginfo-14.2.5.382+g8881d33957-3.30.1
      ceph-radosgw-14.2.5.382+g8881d33957-3.30.1
      ceph-radosgw-debuginfo-14.2.5.382+g8881d33957-3.30.1
      cephfs-shell-14.2.5.382+g8881d33957-3.30.1
      libcephfs2-14.2.5.382+g8881d33957-3.30.1
      libcephfs2-debuginfo-14.2.5.382+g8881d33957-3.30.1
      librados2-14.2.5.382+g8881d33957-3.30.1
      librados2-debuginfo-14.2.5.382+g8881d33957-3.30.1
      librbd1-14.2.5.382+g8881d33957-3.30.1
      librbd1-debuginfo-14.2.5.382+g8881d33957-3.30.1
      librgw2-14.2.5.382+g8881d33957-3.30.1
      librgw2-debuginfo-14.2.5.382+g8881d33957-3.30.1
      python3-ceph-argparse-14.2.5.382+g8881d33957-3.30.1
      python3-cephfs-14.2.5.382+g8881d33957-3.30.1
      python3-cephfs-debuginfo-14.2.5.382+g8881d33957-3.30.1
      python3-rados-14.2.5.382+g8881d33957-3.30.1
      python3-rados-debuginfo-14.2.5.382+g8881d33957-3.30.1
      python3-rbd-14.2.5.382+g8881d33957-3.30.1
      python3-rbd-debuginfo-14.2.5.382+g8881d33957-3.30.1
      python3-rgw-14.2.5.382+g8881d33957-3.30.1
      python3-rgw-debuginfo-14.2.5.382+g8881d33957-3.30.1
      rbd-fuse-14.2.5.382+g8881d33957-3.30.1
      rbd-fuse-debuginfo-14.2.5.382+g8881d33957-3.30.1
      rbd-mirror-14.2.5.382+g8881d33957-3.30.1
      rbd-mirror-debuginfo-14.2.5.382+g8881d33957-3.30.1
      rbd-nbd-14.2.5.382+g8881d33957-3.30.1
      rbd-nbd-debuginfo-14.2.5.382+g8881d33957-3.30.1

   - SUSE Enterprise Storage 6 (noarch):

      ceph-grafana-dashboards-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-dashboard-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-diskprediction-local-14.2.5.382+g8881d33957-3.30.1
      ceph-mgr-rook-14.2.5.382+g8881d33957-3.30.1
      ceph-prometheus-alerts-14.2.5.382+g8881d33957-3.30.1

References:

   https://www.suse.com/security/cve/CVE-2020-1699.html
   https://www.suse.com/security/cve/CVE-2020-1700.html
   https://bugzilla.suse.com/1161074
   https://bugzilla.suse.com/1161312