From sle-security-updates at lists.suse.com  Fri Feb  3 15:08:39 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 3 Feb 2012 23:08:39 +0100 (CET)
Subject: SUSE-SU-2012:0143-1: moderate: Security update for curl
Message-ID: <20120203220839.4B1B3323C2@maintenance.suse.de>

   SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0143-1
Rating:             moderate
References:         #742306
Cross-References:   CVE-2012-0036
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update to curl fixes the following security issue:

   * Don't set SSL_OP_ALL to avoid potential DTLS sniffing attacks. (CVE-2012-0036)

Indications:

   Everyone should install this update.

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      curl-7.15.1-19.20.1
      curl-devel-7.15.1-19.20.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      curl-32bit-7.15.1-19.20.1

   - SUSE Linux Enterprise Server 10 SP4 (ia64):

      curl-x86-7.15.1-19.20.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      curl-64bit-7.15.1-19.20.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      curl-7.15.1-19.20.1
      curl-devel-7.15.1-19.20.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):

      curl-32bit-7.15.1-19.20.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

      curl-devel-7.15.1-19.20.1

References:

   http://support.novell.com/security/cve/CVE-2012-0036.html
   https://bugzilla.novell.com/742306
   http://download.novell.com/patch/finder/?keywords=8974c7b68cc0e0a4cf5b7453bd266343


From sle-security-updates at lists.suse.com  Fri Feb  3 16:08:42 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 4 Feb 2012 00:08:42 +0100 (CET)
Subject: SUSE-SU-2012:0144-1: moderate: Security update for tomcat5
Message-ID: <20120203230842.097A2323CE@maintenance.suse.de>

   SUSE Security Update: Security update for tomcat5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0144-1
Rating:             moderate
References:         #727543
Cross-References:   CVE-2011-4858
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This security update for tomcat5 fixes a hash collision vulnerability
   which allows remote attackers to perform denial of service attacks.
   The issue is tracked as CVE-2011-4858.

Indications:

   Everyone using Apache Tomcat should update.

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (noarch):

      tomcat5-5.5.27-0.18.4
      tomcat5-admin-webapps-5.5.27-0.18.4
      tomcat5-webapps-5.5.27-0.18.4

   - SLE SDK 10 SP4 (noarch):

      tomcat5-5.5.27-0.18.4
      tomcat5-admin-webapps-5.5.27-0.18.4
      tomcat5-webapps-5.5.27-0.18.4

References:

   http://support.novell.com/security/cve/CVE-2011-4858.html
   https://bugzilla.novell.com/727543
   http://download.novell.com/patch/finder/?keywords=db53da1f9bc372bf81229767487059b1


From sle-security-updates at lists.suse.com  Fri Feb  3 19:08:32 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 4 Feb 2012 03:08:32 +0100 (CET)
Subject: SUSE-SU-2012:0146-1: Security update for MozillaFirefox
Message-ID: <20120204020832.1296C323C7@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0146-1
Rating:             low
References:         #742826
Cross-References:   CVE-2011-3659 CVE-2012-0442 CVE-2012-0443 CVE-2012-0444
                    CVE-2012-0445 CVE-2012-0446 CVE-2012-0447 CVE-2012-0449
                    CVE-2012-0450
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available. It includes
   three new package versions.

Description:

   This update provides Mozilla Firefox 10, which provides many fixes,
   security and feature enhancements. For a detailed list, please have a
   look at http://www.mozilla.org/en-US/firefox/10.0/releasenotes/ and
   http://www.mozilla.org/de/firefox/features/

   The following security issues have been fixed in this update:

   * Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. (MFSA 2012-01, CVE-2012-0442, CVE-2012-0443)

   * Alex Dvorov reported that an attacker could replace a sub-frame in another domain's document by using the name attribute of the sub-frame as a form submission target. This can potentially allow for phishing attacks against users and violates the HTML5 frame navigation policy. (MFSA 2012-03, CVE-2012-0445)

   * Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that removed child nodes of nsDOMAttribute can be accessed under certain circumstances because of a premature notification of AttributeChildRemoved. This use-after-free of the child nodes could possibly allow for remote code execution. (MFSA 2012-04, CVE-2011-3659)

   * Mozilla security researcher moz_bug_r_a4 reported that frame scripts bypass XPConnect security checks when calling untrusted objects. This allows for cross-site scripting (XSS) attacks through web pages and Firefox extensions.
     The fix enables the Script Security Manager (SSM) to force security checks on all frame scripts. (MFSA 2012-05, CVE-2012-0446)

   * Mozilla developer Tim Abraldes reported that when encoding images as image/vnd.microsoft.icon the resulting data was always a fixed size, with uninitialized memory appended as padding beyond the size of the actual image. This is the result of mImageBufferSize in the encoder being initialized with a value different than the size of the source image. There is the possibility of sensitive data from uninitialized memory being appended to a PNG image when converted from an ICO format image. This sensitive data may then be disclosed in the resulting image. (MFSA 2012-06 http://www.mozilla.org/security/announce/2012/mfsa2012-06.html, CVE-2012-0447)

   * Security researcher regenrecht reported via TippingPoint's Zero Day Initiative the possibility of memory corruption during the decoding of Ogg Vorbis files. This can cause a crash during decoding and has the potential for remote code execution. (MFSA 2012-07, CVE-2012-0444)

   * Security researchers Nicolas Gregoire and Aki Helin independently reported that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to a memory corruption. While there is no evidence that this is directly exploitable, there is a possibility of remote code execution. (MFSA 2012-08, CVE-2012-0449)

   * magicant starmen reported that if a user chooses to export their Firefox Sync key the "Firefox Recovery Key.html" file is saved with incorrect permissions, making the file contents potentially readable by other users on Linux and OS X systems. (MFSA 2012-09, CVE-2012-0450)

Indications:

   Firefox users should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-firefox-10-5754

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-firefox-10-5754

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-firefox-10-5754

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-firefox-10-5754

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 s390x x86_64):

      beagle-0.3.8-56.44.45.6
      beagle-devel-0.3.8-56.44.45.6
      beagle-lang-0.3.8-56.44.45.6

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 10.0 and 7]:

      MozillaFirefox-10.0-0.3.2
      MozillaFirefox-branding-SLES-for-VMware-7-0.4.2.5
      MozillaFirefox-translations-10.0-0.3.2
      mozilla-kde4-integration-0.6.3-5.6.5

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0 and 7]:

      MozillaFirefox-10.0-0.3.2
      MozillaFirefox-branding-SLED-7-0.6.7.7
      MozillaFirefox-translations-10.0-0.3.2
      mozilla-kde4-integration-0.6.3-5.6.5

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 10.0 and 7]:

      MozillaFirefox-10.0-0.3.2
      MozillaFirefox-branding-SLED-7-0.6.7.7
      MozillaFirefox-translations-10.0-0.3.2
      beagle-0.3.8-56.44.45.6
      beagle-evolution-0.3.8-56.44.45.6
      beagle-firefox-0.3.8-56.44.45.6
      beagle-gui-0.3.8-56.44.45.6
      beagle-lang-0.3.8-56.44.45.6
      mhtml-firefox-0.5-1.45.7
      mozilla-kde4-integration-0.6.3-5.6.5

   - SUSE Linux Enterprise Desktop 11 SP1 (i586) [New Version: 11.1.102.55]:

      flash-player-11.1.102.55-0.13.1

References:

   http://support.novell.com/security/cve/CVE-2011-3659.html
   http://support.novell.com/security/cve/CVE-2012-0442.html
   http://support.novell.com/security/cve/CVE-2012-0443.html
   http://support.novell.com/security/cve/CVE-2012-0444.html
   http://support.novell.com/security/cve/CVE-2012-0445.html
   http://support.novell.com/security/cve/CVE-2012-0446.html
   http://support.novell.com/security/cve/CVE-2012-0447.html
   http://support.novell.com/security/cve/CVE-2012-0449.html
   http://support.novell.com/security/cve/CVE-2012-0450.html
   https://bugzilla.novell.com/742826
   http://download.novell.com/patch/finder/?keywords=036e93199c4a2b5d3bc60b6d05a8d355


From sle-security-updates at lists.suse.com  Fri Feb  3 19:08:44 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 4 Feb 2012 03:08:44 +0100 (CET)
Subject: SUSE-SU-2012:0147-1: moderate: Security update for ruby
Message-ID: <20120204020844.C2181323C2@maintenance.suse.de>

   SUSE Security Update: Security update for ruby
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0147-1
Rating:             moderate
References:         #704409 #739122 #740796
Cross-References:   CVE-2011-2686 CVE-2011-2705 CVE-2011-3009 CVE-2011-4815
Affected Products:
                    WebYaST [Appliance - Tools]
                    WebYaST 1.2
                    SUSE Studio Standard Edition 1.2
                    SUSE Studio Onsite 1.2
                    SUSE Studio Onsite 1.1
                    SUSE Studio Extension for System z 1.2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1
                    SUSE Lifecycle Management Server 1.1 [Appliance - Tools]
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available. It includes
   two new package versions.

Description:

   This update of ruby provides 1.8.7p357, which contains many stability
   fixes and bug fixes while maintaining full compatibility with the
   previous version. A detailed list of changes is available from
   http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_357/ChangeLog

   The most important fixes are:

   * Hash functions are now using a randomized seed to avoid algorithmic complexity attacks. If available, OpenSSL::Random.seed at the SecureRandom.random_bytes is used to achieve this. (CVE-2011-4815)
   * mkconfig.rb: fix for continued lines.
   * Fix Infinity to be greater than any bignum number.
   * Initialize store->ex_data.sk.
   * Several IPv6 related fixes.
   * Fixes for zlib.
   * Reinitialize PRNG when forking children. (CVE-2011-2686, CVE-2011-3009)
   * Fixes to securerandom. (CVE-2011-2705)
   * Fix uri route_to.
   * Fix race condition with variables and autoload.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - WebYaST [Appliance - Tools]:

      zypper in -t patch slewyst1sp1-ruby-187p357-5716 slewystsp1-ruby-187p357-5716

   - WebYaST 1.2:

      zypper in -t patch slewyst12-ruby-187p357-5715

   - SUSE Studio Standard Edition 1.2:

      zypper in -t patch sleslms12-ruby-187p357-5715

   - SUSE Studio Onsite 1.2:

      zypper in -t patch slestso12-ruby-187p357-5715

   - SUSE Studio Onsite 1.1:

      zypper in -t patch slestsosp1-ruby-187p357-5716

   - SUSE Studio Extension for System z 1.2:

      zypper in -t patch slestso12-ruby-187p357-5715

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-ruby-187p357-5716

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-ruby-187p357-5716

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-ruby-187p357-5716

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-ruby-187p357-5716

   - SUSE Lifecycle Management Server 1.1 [Appliance - Tools]:

      zypper in -t patch sleslmssp1-ruby-187p357-5716

   To bring your system up-to-date, use "zypper patch".
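The hash-seed change above (CVE-2011-4815) and the tomcat5 advisory earlier in this digest (CVE-2011-4858) address the same class of bug: a hash table whose string hash is fixed and public lets a remote client submit thousands of keys (for example, HTTP parameter names) that all land in one bucket, turning O(n) inserts into O(n^2) comparisons. The following is an added example written for this page, not code from Ruby, Tomcat or SUSE. It uses Java's String.hashCode() formula as a stand-in for an unkeyed hash (the advisories do not name the exact hash functions involved) and a keyed BLAKE2b as a stand-in for a per-process randomized seed; the table, the key generator and the cost counter are our own.

```python
"""Hash collision (algorithmic complexity) DoS and the randomized-seed fix.

Added example, not project code.  java_string_hash() is Java's
String.hashCode() formula, used here only as a representative fixed,
unkeyed string hash; keyed_hash() models a hash with a per-process secret
seed.  The chained hash table is a deliberately simple model.
"""
import hashlib
import os


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c, wrapped to a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def colliding_keys(rounds: int) -> list:
    """Return 2**rounds distinct strings that share one java_string_hash().

    "Aa" and "BB" both hash to 2112.  Since hash(s + t) is congruent to
    hash(s) * 31**len(t) + hash(t) mod 2**32, concatenating members of a
    colliding set with "Aa" or "BB" doubles the set without breaking the
    collision; no brute force is needed."""
    seeds = ["Aa", "BB"]
    keys = [""]
    for _ in range(rounds):
        keys = [k + s for k in keys for s in seeds]
    return keys


def keyed_hash(s: str, key: bytes) -> int:
    """Model of a seeded hash: without `key` the attacker cannot precompute
    colliding inputs.  A real runtime draws the key fresh per process."""
    digest = hashlib.blake2b(s.encode(), digest_size=8, key=key).digest()
    return int.from_bytes(digest, "big")


def insert_cost(keys, hashfn, nbuckets: int = 1024):
    """Insert keys into a chained hash table and return
    (total key comparisons, longest chain).  Each insert compares the new
    key against every entry already in its bucket, so one shared bucket
    costs n*(n-1)/2 comparisons for n keys."""
    buckets = [[] for _ in range(nbuckets)]
    comparisons = 0
    for k in keys:
        chain = buckets[hashfn(k) % nbuckets]
        comparisons += len(chain)
        chain.append(k)
    return comparisons, max(len(b) for b in buckets)


if __name__ == "__main__":
    keys = colliding_keys(10)  # 1024 distinct 20-character keys
    print("distinct unkeyed hashes:", len({java_string_hash(k) for k in keys}))
    print("unkeyed (comparisons, longest chain):", insert_cost(keys, java_string_hash))
    seed = os.urandom(16)  # per-process random seed, as the Ruby fix introduces
    print("seeded  (comparisons, longest chain):", insert_cost(keys, lambda k: keyed_hash(k, seed)))
```

With 1024 crafted keys the unkeyed table does 523,776 comparisons in a single chain; the seeded table spreads the same keys over the buckets and does a few hundred. Scaling the key count up is what turns a single request into a denial of service, which is why the fix is a secret seed rather than a different public hash.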
Package List:

   - WebYaST [Appliance - Tools] (i586 ia64 ppc64 s390x x86_64) [New Version: 0.4.0 and 1.8.7.p357]:

      ruby-dbus-0.4.0-0.9.4
      ruby-devel-1.8.7.p357-0.7.1

   - WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.8.7.p357]:

      ruby-dbus-0.4.0-0.9.4
      ruby-devel-1.8.7.p357-0.7.1

   - SUSE Studio Standard Edition 1.2 (x86_64) [New Version: 1.8.7.p357]:

      ruby-dbus-0.4.0-0.9.4
      ruby-devel-1.8.7.p357-0.7.1

   - SUSE Studio Onsite 1.2 (x86_64) [New Version: 1.8.7.p357]:

      ruby-dbus-0.4.0-0.9.4
      ruby-devel-1.8.7.p357-0.7.1

   - SUSE Studio Onsite 1.1 (x86_64) [New Version: 1.8.7.p357]:

      ruby-dbus-0.4.0-0.9.4
      ruby-devel-1.8.7.p357-0.7.1

   - SUSE Studio Extension for System z 1.2 (s390x) [New Version: 1.8.7.p357]:

      ruby-devel-1.8.7.p357-0.7.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.8.7.p357]:

      ruby-devel-1.8.7.p357-0.7.1
      ruby-doc-ri-1.8.7.p357-0.7.1
      ruby-examples-1.8.7.p357-0.7.1
      ruby-test-suite-1.8.7.p357-0.7.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64) [New Version: 1.8.7.p357]:

      ruby-doc-html-1.8.7.p357-0.7.1
      ruby-tk-1.8.7.p357-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 1.8.7.p357]:

      ruby-1.8.7.p357-0.7.1
      ruby-doc-html-1.8.7.p357-0.7.1
      ruby-tk-1.8.7.p357-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.8.7.p357]:

      ruby-1.8.7.p357-0.7.1
      ruby-doc-html-1.8.7.p357-0.7.1
      ruby-tk-1.8.7.p357-0.7.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 1.8.7.p357]:

      ruby-1.8.7.p357-0.7.1

   - SUSE Lifecycle Management Server 1.1 [Appliance - Tools] (x86_64) [New Version: 1.8.7.p357]:

      ruby-dbus-0.4.0-0.9.4
      ruby-devel-1.8.7.p357-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2011-2686.html
   http://support.novell.com/security/cve/CVE-2011-2705.html
   http://support.novell.com/security/cve/CVE-2011-3009.html
   http://support.novell.com/security/cve/CVE-2011-4815.html
   https://bugzilla.novell.com/704409
   https://bugzilla.novell.com/739122
   https://bugzilla.novell.com/740796
   http://download.novell.com/patch/finder/?keywords=04214679f41728fe49ac9a6f9d32da7f
   http://download.novell.com/patch/finder/?keywords=e0d0ef7ec3aa01a87e6c002c3f147d73


From sle-security-updates at lists.suse.com  Mon Feb  6 07:08:23 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 6 Feb 2012 15:08:23 +0100 (CET)
Subject: SUSE-SU-2012:0153-1: important: Security update for the Linux Kernel
Message-ID: <20120206140823.8A0CF323CC@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0153-1
Rating:             important
References:         #651219 #653260 #668872 #671479 #688996 #694945 #697920
                    #703156 #706973 #707288 #708625 #711378 #716023 #722910
                    #724734 #725709 #726600 #726788 #728339 #728626 #729854
                    #730118 #731004 #731770 #732296 #732677 #733146 #733863
                    #734056 #735216 #735446 #735453 #735635 #736018 #738400
                    #740535 #740703 #740867 #742270
Cross-References:   CVE-2010-3873 CVE-2010-4164 CVE-2011-2494 CVE-2011-2699
                    CVE-2011-4077 CVE-2011-4081 CVE-2011-4110 CVE-2011-4127
                    CVE-2011-4132 CVE-2012-0038
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise High Availability Extension 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has 29 fixes is now
   available. It includes one version update.

Description:

   The SUSE Linux Enterprise 11 SP1 kernel has been updated to 2.6.32.54,
   fixing numerous bugs and security issues.

   The following security issues have been fixed:

   * A potential hypervisor escape by issuing SG_IO commands to partition devices was fixed by restricting access to these commands. (CVE-2011-4127)
   * KEYS: Fix a NULL pointer deref in the user-defined key type, which allowed local attackers to Oops the kernel. (CVE-2011-4110)
   * Avoid potential NULL pointer deref in ghash, which allowed local attackers to Oops the kernel. (CVE-2011-4081)
   * Fixed a memory corruption possibility in xfs readlink, which could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. (CVE-2011-4077)
   * An overflow in the xfs acl handling was fixed that could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. (CVE-2012-0038)
   * A flaw in the ext3/ext4 filesystem allowed a local attacker to crash the kernel by getting a prepared ext3/ext4 filesystem mounted. (CVE-2011-4132)
   * Access to the taskstats /proc file was restricted to avoid local attackers gaining knowledge of IO of other users (and so effecting side-channel attacks for e.g. guessing passwords by typing speed). (CVE-2011-2494)
   * When using X.25 communication a malicious sender could corrupt data structures, causing crashes or potential code execution. Please note that X.25 needs to be set up to make this effective, which these days is usually not the case. (CVE-2010-3873)
   * When using X.25 communication a malicious sender could make the machine leak memory, causing crashes. Please note that X.25 needs to be set up to make this effective, which these days is usually not the case. (CVE-2010-4164)
   * A remote denial of service due to a NULL pointer dereference by using IPv6 fragments was fixed. (CVE-2011-2699)

   The following non-security issues have been fixed (excerpt from changelog):

   * elousb: Fixed bug in USB core API usage, code cleanup.
   * cifs: overhaul cifs_revalidate and rename to cifs_revalidate_dentry.
   * cifs: set server_eof in cifs_fattr_to_inode.
   * xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink().
   * Silence some warnings about ioctls on partitions.
   * netxen: Remove all references to unified firmware file.
   * bonding: send out gratuitous arps even with no address configured.
   * patches.fixes/ocfs2-serialize_unaligned_aio.patch: ocfs2: serialize unaligned aio.
   * patches.fixes/bonding-check-if-clients-MAC-addr-has-changed.patch: Update references.
   * xfs: Fix wait calculations on lock acquisition and use milliseconds instead of jiffies to print the wait time.
   * ipmi: reduce polling when interrupts are available.
   * ipmi: reduce polling.
   * export shrink_dcache_for_umount_subtree.
   * patches.suse/stack-unwind: Fix more 2.6.29 merge problems plus a glue code problem.
   * PM / Sleep: Fix race between CPU hotplug and freezer.
   * jbd: Issue cache flush after checkpointing.
   * lpfc: make sure job exists when processing BSG.
   * blktap: fix locking (again).
   * xen: Update Xen patches to 2.6.32.52.
   * reiserfs: Lock buffers unconditionally in reiserfs_write_full_page().
   * writeback: Include all dirty inodes in background writeback.
   * reiserfs: Fix quota mount option parsing.
   * bonding: check if clients MAC addr has changed.
   * rpc client can not deal with ENOSOCK, so translate it into ENOCONN.
   * st: modify tape driver to allow writing immediate filemarks.
   * xfs: fix for xfssyncd failure to wake.
   * ipmi: Fix deadlock in start_next_msg().
   * net: bind() fix error return on wrong address family.
   * net: ipv4: relax AF_INET check in bind().
   * net/ipv6: check for mistakenly passed in non-AF_INET6 sockaddrs.
   * Bluetooth: Fixed Atheros AR3012 Maryann PID/VID supported.
   * percpu: fix chunk range calculation.
   * x86, UV: Fix kdump reboot.
   * dm: Use done_bytes for io_completion.
   * Bluetooth: Add Atheros AR3012 Maryann PID/VID supported.
   * Bluetooth: Add Atheros AR3012 one PID/VID supported.
   * fix missing hunk in oplock break patch.
   * patches.arch/s390-34-01-pfault-cpu-hotplug.patch: Refresh.
   * Surrounded s390x lowcore change with __GENKSYMS__.
   * patches.xen/xen3-patch-2.6.30: Refresh.
   * sched, x86: Avoid unnecessary overflow in sched_clock.
   * ACPI thermal: Do not invalidate thermal zone if critical trip point is bad.

Indications:

   Everyone using the Linux Kernel on x86 (32 bit) architecture should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-kernel-5723

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-kernel-5723 slessp1-kernel-5724 slessp1-kernel-5725 slessp1-kernel-5729

   - SUSE Linux Enterprise High Availability Extension 11 SP1:

      zypper in -t patch sleshasp1-kernel-5723 sleshasp1-kernel-5724 sleshasp1-kernel-5725 sleshasp1-kernel-5729

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-kernel-5723

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586) [New Version: 2.6.32.54]:

      btrfs-kmp-default-0_2.6.32.54_0.3-0.3.73
      btrfs-kmp-pae-0_2.6.32.54_0.3-0.3.73
      ext4dev-kmp-default-0_2.6.32.54_0.3-7.9.40
      ext4dev-kmp-pae-0_2.6.32.54_0.3-7.9.40
      ext4dev-kmp-trace-0_2.6.32.54_0.3-7.9.40
      hyper-v-kmp-default-0_2.6.32.54_0.3-0.18.3
      hyper-v-kmp-pae-0_2.6.32.54_0.3-0.18.3
      hyper-v-kmp-trace-0_2.6.32.54_0.3-0.18.3
      kernel-default-2.6.32.54-0.3.1
      kernel-default-base-2.6.32.54-0.3.1
      kernel-default-devel-2.6.32.54-0.3.1
      kernel-pae-2.6.32.54-0.3.1
      kernel-pae-base-2.6.32.54-0.3.1
      kernel-pae-devel-2.6.32.54-0.3.1
      kernel-source-2.6.32.54-0.3.1
      kernel-syms-2.6.32.54-0.3.1
      kernel-trace-2.6.32.54-0.3.1
      kernel-trace-base-2.6.32.54-0.3.1
      kernel-trace-devel-2.6.32.54-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x) [New Version: 2.6.32.54]:

      btrfs-kmp-default-0_2.6.32.54_0.3-0.3.73
      ext4dev-kmp-default-0_2.6.32.54_0.3-7.9.40
      ext4dev-kmp-trace-0_2.6.32.54_0.3-7.9.40
      kernel-default-2.6.32.54-0.3.1
      kernel-default-base-2.6.32.54-0.3.1
      kernel-default-devel-2.6.32.54-0.3.1
      kernel-source-2.6.32.54-0.3.1
      kernel-syms-2.6.32.54-0.3.1
      kernel-trace-2.6.32.54-0.3.1
      kernel-trace-base-2.6.32.54-0.3.1
      kernel-trace-devel-2.6.32.54-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (s390x) [New Version: 2.6.32.54]:

      kernel-default-man-2.6.32.54-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64) [New Version: 2.6.32.54]:

      ext4dev-kmp-ppc64-0_2.6.32.54_0.3-7.9.40
      kernel-ppc64-2.6.32.54-0.3.1
      kernel-ppc64-base-2.6.32.54-0.3.1
      kernel-ppc64-devel-2.6.32.54-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (i586) [New Version: 2.6.32.54]:

      btrfs-kmp-pae-0_2.6.32.54_0.3-0.3.73
      btrfs-kmp-xen-0_2.6.32.54_0.3-0.3.73
      ext4dev-kmp-pae-0_2.6.32.54_0.3-7.9.40
      ext4dev-kmp-xen-0_2.6.32.54_0.3-7.9.40
      hyper-v-kmp-default-0_2.6.32.54_0.3-0.18.3
      hyper-v-kmp-pae-0_2.6.32.54_0.3-0.18.3
      hyper-v-kmp-trace-0_2.6.32.54_0.3-0.18.3
      kernel-ec2-2.6.32.54-0.3.1
      kernel-ec2-base-2.6.32.54-0.3.1
      kernel-pae-2.6.32.54-0.3.1
      kernel-pae-base-2.6.32.54-0.3.1
      kernel-pae-devel-2.6.32.54-0.3.1
      kernel-xen-2.6.32.54-0.3.1
      kernel-xen-base-2.6.32.54-0.3.1
      kernel-xen-devel-2.6.32.54-0.3.1

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (i586 ia64 ppc64 s390x):

      cluster-network-kmp-default-1.4_2.6.32.54_0.3-2.5.25
      cluster-network-kmp-trace-1.4_2.6.32.54_0.3-2.5.25
      gfs2-kmp-default-2_2.6.32.54_0.3-0.2.72
      gfs2-kmp-trace-2_2.6.32.54_0.3-0.2.72
      ocfs2-kmp-default-1.6_2.6.32.54_0.3-0.4.2.25
      ocfs2-kmp-trace-1.6_2.6.32.54_0.3-0.4.2.25

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (ppc64):

      cluster-network-kmp-ppc64-1.4_2.6.32.54_0.3-2.5.25
      gfs2-kmp-ppc64-2_2.6.32.54_0.3-0.2.72
      ocfs2-kmp-ppc64-1.6_2.6.32.54_0.3-0.4.2.25

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (i586):

      cluster-network-kmp-pae-1.4_2.6.32.54_0.3-2.5.25
      cluster-network-kmp-xen-1.4_2.6.32.54_0.3-2.5.25
      gfs2-kmp-pae-2_2.6.32.54_0.3-0.2.72
      gfs2-kmp-xen-2_2.6.32.54_0.3-0.2.72
      ocfs2-kmp-pae-1.6_2.6.32.54_0.3-0.4.2.25
      ocfs2-kmp-xen-1.6_2.6.32.54_0.3-0.4.2.25

   - SUSE Linux Enterprise Desktop 11 SP1 (i586) [New Version: 2.6.32.54]:

      btrfs-kmp-default-0_2.6.32.54_0.3-0.3.73
      btrfs-kmp-pae-0_2.6.32.54_0.3-0.3.73
      btrfs-kmp-xen-0_2.6.32.54_0.3-0.3.73
      hyper-v-kmp-default-0_2.6.32.54_0.3-0.18.3
      hyper-v-kmp-pae-0_2.6.32.54_0.3-0.18.3
      kernel-default-2.6.32.54-0.3.1
      kernel-default-base-2.6.32.54-0.3.1
      kernel-default-devel-2.6.32.54-0.3.1
      kernel-default-extra-2.6.32.54-0.3.1
      kernel-desktop-devel-2.6.32.54-0.3.1
      kernel-pae-2.6.32.54-0.3.1
      kernel-pae-base-2.6.32.54-0.3.1
      kernel-pae-devel-2.6.32.54-0.3.1
      kernel-pae-extra-2.6.32.54-0.3.1
      kernel-source-2.6.32.54-0.3.1
      kernel-syms-2.6.32.54-0.3.1
      kernel-trace-devel-2.6.32.54-0.3.1
      kernel-xen-2.6.32.54-0.3.1
      kernel-xen-base-2.6.32.54-0.3.1
      kernel-xen-devel-2.6.32.54-0.3.1
      kernel-xen-extra-2.6.32.54-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2010-3873.html
   http://support.novell.com/security/cve/CVE-2010-4164.html
   http://support.novell.com/security/cve/CVE-2011-2494.html
   http://support.novell.com/security/cve/CVE-2011-2699.html
   http://support.novell.com/security/cve/CVE-2011-4077.html
   http://support.novell.com/security/cve/CVE-2011-4081.html
   http://support.novell.com/security/cve/CVE-2011-4110.html
   http://support.novell.com/security/cve/CVE-2011-4127.html
   http://support.novell.com/security/cve/CVE-2011-4132.html
   http://support.novell.com/security/cve/CVE-2012-0038.html
   https://bugzilla.novell.com/651219
   https://bugzilla.novell.com/653260
   https://bugzilla.novell.com/668872
   https://bugzilla.novell.com/671479
   https://bugzilla.novell.com/688996
   https://bugzilla.novell.com/694945
   https://bugzilla.novell.com/697920
   https://bugzilla.novell.com/703156
   https://bugzilla.novell.com/706973
   https://bugzilla.novell.com/707288
   https://bugzilla.novell.com/708625
   https://bugzilla.novell.com/711378
   https://bugzilla.novell.com/716023
   https://bugzilla.novell.com/722910
   https://bugzilla.novell.com/724734
   https://bugzilla.novell.com/725709
   https://bugzilla.novell.com/726600
   https://bugzilla.novell.com/726788
   https://bugzilla.novell.com/728339
   https://bugzilla.novell.com/728626
   https://bugzilla.novell.com/729854
   https://bugzilla.novell.com/730118
   https://bugzilla.novell.com/731004
   https://bugzilla.novell.com/731770
   https://bugzilla.novell.com/732296
   https://bugzilla.novell.com/732677
   https://bugzilla.novell.com/733146
   https://bugzilla.novell.com/733863
   https://bugzilla.novell.com/734056
   https://bugzilla.novell.com/735216
   https://bugzilla.novell.com/735446
   https://bugzilla.novell.com/735453
   https://bugzilla.novell.com/735635
   https://bugzilla.novell.com/736018
   https://bugzilla.novell.com/738400
   https://bugzilla.novell.com/740535
   https://bugzilla.novell.com/740703
   https://bugzilla.novell.com/740867
   https://bugzilla.novell.com/742270
   http://download.novell.com/patch/finder/?keywords=5246b1b1109a84332cefb2393523f790
   http://download.novell.com/patch/finder/?keywords=63890e46f07aad0805351305ccf8a5f0
   http://download.novell.com/patch/finder/?keywords=71cd114b345abf41eee10c920381e544
   http://download.novell.com/patch/finder/?keywords=7560cd30aac0aa208a5dfb2a11c17d45


From sle-security-updates at lists.suse.com  Mon Feb  6 15:08:26 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 6 Feb 2012 23:08:26 +0100 (CET)
Subject: SUSE-SU-2012:0153-2: important: Security update for Linux kernel
Message-ID: <20120206220826.8DDE0323C1@maintenance.suse.de>

   SUSE Security Update: Security update for Linux kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0153-2
Rating:             important
References:         #651219 #653260 #668872 #671479 #688996 #694945 #697920
                    #703156 #706973 #707288 #708625 #711378 #716023 #722910
                    #724734 #725709 #726600 #726788 #728339 #728626 #729854
                    #730118 #731004 #731770 #732296 #732677 #733146 #733863
                    #734056 #735216 #735446 #735453 #735635 #736018 #738400
                    #740535 #740703 #740867 #742270
Cross-References:
                    CVE-2010-3873 CVE-2010-4164 CVE-2011-2494 CVE-2011-2699
                    CVE-2011-4077 CVE-2011-4081 CVE-2011-4110 CVE-2011-4127
                    CVE-2011-4132 CVE-2012-0038
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise High Availability Extension 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has 29 fixes is now
   available. It includes one version update.

Description:

   The SUSE Linux Enterprise 11 SP1 kernel was updated to 2.6.32.54,
   fixing lots of bugs and security issues.

   The following security issues have been fixed:

   * CVE-2011-4127: A potential hypervisor escape by issuing SG_IO commands to partition devices was fixed by restricting access to these commands.
   * CVE-2011-4110: KEYS: Fix a NULL pointer deref in the user-defined key type, which allowed local attackers to Oops the kernel.
   * CVE-2011-4081: Avoid potential NULL pointer deref in ghash, which allowed local attackers to Oops the kernel.
   * CVE-2011-4077: Fixed a memory corruption possibility in xfs readlink, which could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image.
   * CVE-2012-0038: An overflow in the xfs acl handling was fixed that could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image.
   * CVE-2011-4132: A flaw in the ext3/ext4 filesystem allowed a local attacker to crash the kernel by getting a prepared ext3/ext4 filesystem mounted.
   * CVE-2011-2494: Access to the taskstats /proc file was restricted to avoid local attackers gaining knowledge of IO of other users (and so effecting side-channel attacks for e.g. guessing passwords by typing speed).
   * CVE-2010-3873: When using X.25 communication a malicious sender could corrupt data structures, causing crashes or potential code execution.
     Please note that X.25 needs to be set up to make this effective, which these days is usually not the case.
   * CVE-2010-4164: When using X.25 communication a malicious sender could make the machine leak memory, causing crashes. Please note that X.25 needs to be set up to make this effective, which these days is usually not the case.
   * CVE-2011-2699: A remote denial of service due to a NULL pointer dereference by using IPv6 fragments was fixed.

   The following non-security issues have been fixed:

   * elousb: Fixed bug in USB core API usage, code cleanup (bnc#733863).
   * cifs: overhaul cifs_revalidate and rename to cifs_revalidate_dentry (bnc#735453).
   * cifs: set server_eof in cifs_fattr_to_inode (bnc#735453).
   * xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink() (bnc#726600).
   * block: add and use scsi_blk_cmd_ioctl (bnc#738400 CVE-2011-4127).
   * block: fail SCSI passthrough ioctls on partition devices (bnc#738400 CVE-2011-4127).
   * dm: do not forward ioctls from logical volumes to the underlying device (bnc#738400 CVE-2011-4127).
   * Silence some warnings about ioctls on partitions.
   * netxen: Remove all references to unified firmware file (bnc#708625).
   * bonding: send out gratuitous arps even with no address configured (bnc#742270).
   * patches.fixes/ocfs2-serialize_unaligned_aio.patch: ocfs2: serialize unaligned aio (bnc#671479).
   * patches.fixes/bonding-check-if-clients-MAC-addr-has-changed.patch: Update references (bnc#729854, bnc#731004).
   * xfs: Fix wait calculations on lock acquisition and use milliseconds instead of jiffies to print the wait time.
   * ipmi: reduce polling when interrupts are available (bnc#740867).
   * ipmi: reduce polling (bnc#740867).
   * Linux 2.6.32.54.
   * export shrink_dcache_for_umount_subtree.
   * patches.suse/stack-unwind: Fix more 2.6.29 merge problems plus a glue code problem (bnc#736018).
   * PM / Sleep: Fix race between CPU hotplug and freezer (bnc#740535).
   * jbd: Issue cache flush after checkpointing (bnc#731770).
   * lpfc: make sure job exists when processing BSG (bnc#735635).
   * Linux 2.6.32.53.
   * blktap: fix locking (again) (bnc#724734).
   * xen: Update Xen patches to 2.6.32.52.
   * Linux 2.6.32.52.
   * Linux 2.6.32.51.
   * Linux 2.6.32.50.
   * reiserfs: Lock buffers unconditionally in reiserfs_write_full_page()
     (bnc#716023).
   * writeback: Include all dirty inodes in background writeback (bnc#716023).
   * reiserfs: Fix quota mount option parsing (bnc#728626).
   * bonding: check if clients MAC addr has changed (bnc#729854).
   * rpc client can not deal with ENOSOCK, so translate it into ENOCONN
     (bnc#733146).
   * st: modify tape driver to allow writing immediate filemarks (bnc#688996).
   * xfs: fix for xfssyncd failure to wake (bnc#722910).
   * ipmi: Fix deadlock in start_next_msg().
   * net: bind() fix error return on wrong address family (bnc#735216).
   * net: ipv4: relax AF_INET check in bind() (bnc#735216).
   * net/ipv6: check for mistakenly passed in non-AF_INET6 sockaddrs
     (bnc#735216).
   * Bluetooth: Fixed Atheros AR3012 Maryann PID/VID supported (bnc#732296).
   * percpu: fix chunk range calculation (bnc#668872).
   * x86, UV: Fix kdump reboot (bnc#735446).
   * dm: Use done_bytes for io_completion (bnc#711378).
   * Bluetooth: Add Atheros AR3012 Maryann PID/VID supported. (bnc#732296)
   * Bluetooth: Add Atheros AR3012 one PID/VID supported. (bnc#732296)
   * fix missing hunk in oplock break patch (bnc#706973).
   * patches.arch/s390-34-01-pfault-cpu-hotplug.patch: Refresh. Surrounded
     s390x lowcore change with __GENKSYMS__ (bnc#728339)
   * patches.xen/xen3-patch-2.6.30: Refresh.
   * sched, x86: Avoid unnecessary overflow in sched_clock (bnc#725709).
   * ACPI thermal: Do not invalidate thermal zone if critical trip point is
     bad.

   Security Issue references:

   * CVE-2010-3873
   * CVE-2010-4164
   * CVE-2011-2494
   * CVE-2011-2699
   * CVE-2011-4077
   * CVE-2011-4081
   * CVE-2011-4110
   * CVE-2011-4127
   * CVE-2011-4132
   * CVE-2012-0038

Indications:

   Everyone using the Linux Kernel on x86_64 architecture should update.
Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-kernel-5732

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-kernel-5732

   - SUSE Linux Enterprise High Availability Extension 11 SP1:

      zypper in -t patch sleshasp1-kernel-5732

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-kernel-5732

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64) [New Version: 2.6.32.54]:

      btrfs-kmp-default-0_2.6.32.54_0.3-0.3.73
      ext4dev-kmp-default-0_2.6.32.54_0.3-7.9.40
      ext4dev-kmp-trace-0_2.6.32.54_0.3-7.9.40
      hyper-v-kmp-default-0_2.6.32.54_0.3-0.18.3
      hyper-v-kmp-trace-0_2.6.32.54_0.3-0.18.3
      kernel-default-2.6.32.54-0.3.1
      kernel-default-base-2.6.32.54-0.3.1
      kernel-default-devel-2.6.32.54-0.3.1
      kernel-source-2.6.32.54-0.3.1
      kernel-syms-2.6.32.54-0.3.1
      kernel-trace-2.6.32.54-0.3.1
      kernel-trace-base-2.6.32.54-0.3.1
      kernel-trace-devel-2.6.32.54-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (x86_64) [New Version: 2.6.32.54]:

      btrfs-kmp-default-0_2.6.32.54_0.3-0.3.73
      btrfs-kmp-xen-0_2.6.32.54_0.3-0.3.73
      ext4dev-kmp-default-0_2.6.32.54_0.3-7.9.40
      ext4dev-kmp-trace-0_2.6.32.54_0.3-7.9.40
      ext4dev-kmp-xen-0_2.6.32.54_0.3-7.9.40
      hyper-v-kmp-default-0_2.6.32.54_0.3-0.18.3
      hyper-v-kmp-trace-0_2.6.32.54_0.3-0.18.3
      kernel-default-2.6.32.54-0.3.1
      kernel-default-base-2.6.32.54-0.3.1
      kernel-default-devel-2.6.32.54-0.3.1
      kernel-ec2-2.6.32.54-0.3.1
      kernel-ec2-base-2.6.32.54-0.3.1
      kernel-source-2.6.32.54-0.3.1
      kernel-syms-2.6.32.54-0.3.1
      kernel-trace-2.6.32.54-0.3.1
      kernel-trace-base-2.6.32.54-0.3.1
      kernel-trace-devel-2.6.32.54-0.3.1
      kernel-xen-2.6.32.54-0.3.1
      kernel-xen-base-2.6.32.54-0.3.1
      kernel-xen-devel-2.6.32.54-0.3.1

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (x86_64):

      cluster-network-kmp-default-1.4_2.6.32.54_0.3-2.5.25
      cluster-network-kmp-trace-1.4_2.6.32.54_0.3-2.5.25
      cluster-network-kmp-xen-1.4_2.6.32.54_0.3-2.5.25
      gfs2-kmp-default-2_2.6.32.54_0.3-0.2.72
      gfs2-kmp-trace-2_2.6.32.54_0.3-0.2.72
      gfs2-kmp-xen-2_2.6.32.54_0.3-0.2.72
      ocfs2-kmp-default-1.6_2.6.32.54_0.3-0.4.2.25
      ocfs2-kmp-trace-1.6_2.6.32.54_0.3-0.4.2.25
      ocfs2-kmp-xen-1.6_2.6.32.54_0.3-0.4.2.25

   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64) [New Version: 2.6.32.54]:

      btrfs-kmp-default-0_2.6.32.54_0.3-0.3.73
      btrfs-kmp-xen-0_2.6.32.54_0.3-0.3.73
      hyper-v-kmp-default-0_2.6.32.54_0.3-0.18.3
      kernel-default-2.6.32.54-0.3.1
      kernel-default-base-2.6.32.54-0.3.1
      kernel-default-devel-2.6.32.54-0.3.1
      kernel-default-extra-2.6.32.54-0.3.1
      kernel-desktop-devel-2.6.32.54-0.3.1
      kernel-source-2.6.32.54-0.3.1
      kernel-syms-2.6.32.54-0.3.1
      kernel-trace-devel-2.6.32.54-0.3.1
      kernel-xen-2.6.32.54-0.3.1
      kernel-xen-base-2.6.32.54-0.3.1
      kernel-xen-devel-2.6.32.54-0.3.1
      kernel-xen-extra-2.6.32.54-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2010-3873.html
   http://support.novell.com/security/cve/CVE-2010-4164.html
   http://support.novell.com/security/cve/CVE-2011-2494.html
   http://support.novell.com/security/cve/CVE-2011-2699.html
   http://support.novell.com/security/cve/CVE-2011-4077.html
   http://support.novell.com/security/cve/CVE-2011-4081.html
   http://support.novell.com/security/cve/CVE-2011-4110.html
   http://support.novell.com/security/cve/CVE-2011-4127.html
   http://support.novell.com/security/cve/CVE-2011-4132.html
   http://support.novell.com/security/cve/CVE-2012-0038.html
   https://bugzilla.novell.com/651219
   https://bugzilla.novell.com/653260
   https://bugzilla.novell.com/668872
   https://bugzilla.novell.com/671479
   https://bugzilla.novell.com/688996
   https://bugzilla.novell.com/694945
   https://bugzilla.novell.com/697920
   https://bugzilla.novell.com/703156
   https://bugzilla.novell.com/706973
   https://bugzilla.novell.com/707288
   https://bugzilla.novell.com/708625
   https://bugzilla.novell.com/711378
   https://bugzilla.novell.com/716023
   https://bugzilla.novell.com/722910
   https://bugzilla.novell.com/724734
   https://bugzilla.novell.com/725709
   https://bugzilla.novell.com/726600
   https://bugzilla.novell.com/726788
   https://bugzilla.novell.com/728339
   https://bugzilla.novell.com/728626
   https://bugzilla.novell.com/729854
   https://bugzilla.novell.com/730118
   https://bugzilla.novell.com/731004
   https://bugzilla.novell.com/731770
   https://bugzilla.novell.com/732296
   https://bugzilla.novell.com/732677
   https://bugzilla.novell.com/733146
   https://bugzilla.novell.com/733863
   https://bugzilla.novell.com/734056
   https://bugzilla.novell.com/735216
   https://bugzilla.novell.com/735446
   https://bugzilla.novell.com/735453
   https://bugzilla.novell.com/735635
   https://bugzilla.novell.com/736018
   https://bugzilla.novell.com/738400
   https://bugzilla.novell.com/740535
   https://bugzilla.novell.com/740703
   https://bugzilla.novell.com/740867
   https://bugzilla.novell.com/742270
   http://download.novell.com/patch/finder/?keywords=3b09a8aade4545cf04761628743fec0e

From sle-security-updates at lists.suse.com Mon Feb 6 20:08:26 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 7 Feb 2012 04:08:26 +0100 (CET)
Subject: SUSE-SU-2012:0155-1: important: Security update for tomcat6
Message-ID: <20120207030826.D7B26323D1@maintenance.suse.de>

SUSE Security Update: Security update for tomcat6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0155-1
Rating:             important
References:         #735343 #742477
Cross-References:   CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064
Affected Products:
                    SUSE Manager 1.2 for SLE 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
Description:

   This update fixes a regression in parameter passing (in urldecoding of
   parameters that contain spaces).

   In addition, multiple weaknesses in HTTP Digest authentication have been
   fixed (CVE-2011-1184):

   * CVE-2011-5062: The HTTP Digest Access Authentication implementation in
     Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33 and 7.x before
     7.0.12 does not check qop values, which might allow remote attackers to
     bypass intended integrity-protection requirements via a qop=auth value,
     a different vulnerability than CVE-2011-1184.
   * CVE-2011-5063: The HTTP Digest Access Authentication implementation in
     Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before
     7.0.12 does not check realm values, which might allow remote attackers
     to bypass intended access restrictions by leveraging the availability of
     a protection space with weaker authentication or authorization
     requirements, a different vulnerability than CVE-2011-1184.
   * CVE-2011-5064: DigestAuthenticator.java in the HTTP Digest Access
     Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x
     before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded
     server secret (aka private key), which makes it easier for remote
     attackers to bypass cryptographic protection mechanisms by leveraging
     knowledge of this string, a different vulnerability than CVE-2011-1184.

   Security Issue references:

   * CVE-2011-1184
   * CVE-2011-5062
   * CVE-2011-5063
   * CVE-2011-5064

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.2 for SLE 11 SP1:

      zypper in -t patch sleman12sp1-tomcat6-5759

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-tomcat6-5759

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-tomcat6-5759

   To bring your system up-to-date, use "zypper patch".
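The three Digest weaknesses above are all checks a server has to make before it trusts the client's response hash. The following is an added illustration, not code from Tomcat or from this advisory: a minimal RFC 2617 verifier (qop=auth, MD5) that rejects a realm other than the one it protects (CVE-2011-5063), a qop other than the one it challenged with (CVE-2011-5062), and any nonce it did not itself mint under a per-process random secret rather than a fixed, well-known string (CVE-2011-5064). The user table, realm name and request URI are constructed sample values.

```python
"""Server-side HTTP Digest verification with realm, qop and nonce checks."""
import hashlib
import hmac
import os
import re
import time
from typing import Optional

# Constructed sample data (not from the advisory): one user with a plaintext
# password (a real store would keep the HA1 hash instead) and an assumed realm.
USERS = {"alice": "correct horse battery staple"}
REALM = "Example Realm"

# Per-process random nonce secret. A fixed, publicly known string in this role
# lets anyone mint nonces the server will accept.
SERVER_SECRET = os.urandom(32)

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def make_nonce(secret: bytes, issued_at: Optional[int] = None) -> str:
    """nonce = "<unix-time>:<HMAC-SHA256(secret, unix-time)>"."""
    ts = str(int(time.time()) if issued_at is None else issued_at)
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def nonce_is_valid(nonce: str, secret: bytes, max_age: int = 300,
                   now: Optional[int] = None) -> bool:
    """Accept only nonces minted under *secret* that are at most max_age old."""
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    now = int(time.time()) if now is None else now
    return 0 <= now - int(ts) <= max_age


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; {} if not a Digest header."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {k: (quoted or bare) for k, quoted, bare in _PARAM_RE.findall(params)}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce,
                    qop="auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_header(username, password, realm, method, uri, nonce,
                 nc="00000001", cnonce="0a4f113b", qop="auth") -> str:
    """The Authorization header a client would send; used to construct requests."""
    resp = digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify_digest(header: str, method: str, uri: str, realm: str = REALM,
                  users: dict = USERS, secret: bytes = SERVER_SECRET,
                  now: Optional[int] = None) -> bool:
    """True only if every field checks out; any missing or foreign value fails."""
    p = parse_digest_header(header)
    required = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if any(k not in p for k in required):
        return False
    if p["realm"] != realm:       # CVE-2011-5063: realm must be the protected one
        return False
    if p["qop"] != "auth":        # CVE-2011-5062: only the qop we challenged with
        return False
    if p["uri"] != uri:           # header uri must match the request line
        return False
    if not nonce_is_valid(p["nonce"], secret, now=now):   # CVE-2011-5064
        return False
    password = users.get(p["username"])
    if password is None:
        return False
    expected = digest_response(p["username"], password, realm, method, uri,
                               p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])
```

The nonce carries its own issue time and a MAC, so the server keeps no per-nonce state and can still tell a foreign or stale nonce from one it issued; `hmac.compare_digest` is used for both the nonce MAC and the final response so the comparison does not leak timing information. A production verifier would also track nonce counts (`nc`) to detect replay.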
Package List:

   - SUSE Manager 1.2 for SLE 11 SP1 (noarch):

      tomcat6-6.0.18-20.35.36.1
      tomcat6-jsp-2_1-api-6.0.18-20.35.36.1
      tomcat6-lib-6.0.18-20.35.36.1
      tomcat6-servlet-2_5-api-6.0.18-20.35.36.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (noarch):

      tomcat6-6.0.18-20.35.36.1
      tomcat6-admin-webapps-6.0.18-20.35.36.1
      tomcat6-docs-webapp-6.0.18-20.35.36.1
      tomcat6-javadoc-6.0.18-20.35.36.1
      tomcat6-jsp-2_1-api-6.0.18-20.35.36.1
      tomcat6-lib-6.0.18-20.35.36.1
      tomcat6-servlet-2_5-api-6.0.18-20.35.36.1
      tomcat6-webapps-6.0.18-20.35.36.1

   - SUSE Linux Enterprise Server 11 SP1 (noarch):

      tomcat6-6.0.18-20.35.36.1
      tomcat6-admin-webapps-6.0.18-20.35.36.1
      tomcat6-docs-webapp-6.0.18-20.35.36.1
      tomcat6-javadoc-6.0.18-20.35.36.1
      tomcat6-jsp-2_1-api-6.0.18-20.35.36.1
      tomcat6-lib-6.0.18-20.35.36.1
      tomcat6-servlet-2_5-api-6.0.18-20.35.36.1
      tomcat6-webapps-6.0.18-20.35.36.1

References:

   http://support.novell.com/security/cve/CVE-2011-1184.html
   http://support.novell.com/security/cve/CVE-2011-5062.html
   http://support.novell.com/security/cve/CVE-2011-5063.html
   http://support.novell.com/security/cve/CVE-2011-5064.html
   https://bugzilla.novell.com/735343
   https://bugzilla.novell.com/742477
   http://download.novell.com/patch/finder/?keywords=0caaafb09da77d4c28b53eeb14113592

From sle-security-updates at lists.suse.com Thu Feb 9 11:07:24 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 9 Feb 2012 19:07:24 +0100 (CET)
Subject: SUSE-SU-2012:0198-1: important: Security update for Mozilla XULrunner
Message-ID: <20120209180725.03C20320E0@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla XULrunner
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0198-1
Rating:             important
References:         #737533 #744275
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that contains security fixes can now be installed. It includes
   one version update.

Description:

   Mozilla XULrunner was updated to the 1.9.2.26 security release, fixing
   security issues and bugs.

   The following security bugs have been fixed:

   * MFSA 2012-01: Mozilla developers identified and fixed several memory
     safety bugs in the browser engine used in Firefox and other Mozilla-based
     products. Some of these bugs showed evidence of memory corruption under
     certain circumstances, and we presume that with enough effort at least
     some of these could be exploited to run arbitrary code. In general these
     flaws cannot be exploited through email in the Thunderbird and SeaMonkey
     products because scripting is disabled, but are potentially a risk in
     browser or browser-like contexts in those products.

     References:
     * CVE-2012-0442: Jesse Ruderman and Bob Clary reported memory safety
       problems that were fixed in both Firefox 10 and Firefox 3.6.26.

   * MFSA 2012-02/CVE-2011-3670: For historical reasons Firefox has been
     generous in its interpretation of web addresses containing square
     brackets around the host. If this host was not a valid IPv6 literal
     address, Firefox attempted to interpret the host as a regular domain
     name. Gregory Fleischer reported that requests made using IPv6 syntax
     using XMLHttpRequest objects through a proxy may generate errors
     depending on proxy configuration for IPv6. The resulting error messages
     from the proxy may disclose sensitive data because Same-Origin Policy
     (SOP) will allow the XMLHttpRequest object to read these error messages,
     allowing user privacy to be eroded. Firefox now enforces RFC 3986 IPv6
     literal syntax and that may break links written using the non-standard
     Firefox-only forms that were previously accepted. This was fixed
     previously for Firefox 7.0, Thunderbird 7.0, and SeaMonkey 2.4 but only
     fixed in Firefox 3.6.26 and Thunderbird 3.1.18 during 2012.
   * MFSA 2012-04/CVE-2011-3659: Security researcher regenrecht reported via
     TippingPoint's Zero Day Initiative that removed child nodes of
     nsDOMAttribute can be accessed under certain circumstances because of a
     premature notification of AttributeChildRemoved. This use-after-free of
     the child nodes could possibly allow for remote code execution.
   * MFSA 2012-07/CVE-2012-0444: Security researcher regenrecht reported via
     TippingPoint's Zero Day Initiative the possibility of memory corruption
     during the decoding of Ogg Vorbis files. This can cause a crash during
     decoding and has the potential for remote code execution.
   * MFSA 2012-08/CVE-2012-0449: Security researchers Nicolas Gregoire and
     Aki Helin independently reported that when processing a malformed
     embedded XSLT stylesheet, Firefox can crash due to a memory corruption.
     While there is no evidence that this is directly exploitable, there is a
     possibility of remote code execution.

Indications:

   Please install this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-mozilla-xulrunner192-5764

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-mozilla-xulrunner192-5764

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-mozilla-xulrunner192-5764

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-mozilla-xulrunner192-5764

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-devel-1.9.2.26-0.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64 s390x x86_64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-gnome-32bit-1.9.2.26-0.3.1
      mozilla-xulrunner192-translations-32bit-1.9.2.26-0.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ia64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-gnome-x86-1.9.2.26-0.3.1
      mozilla-xulrunner192-translations-x86-1.9.2.26-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):

      mozilla-xulrunner192-1.9.2.26-0.3.1
      mozilla-xulrunner192-gnome-1.9.2.26-0.3.1
      mozilla-xulrunner192-translations-1.9.2.26-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64):

      mozilla-xulrunner192-32bit-1.9.2.26-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-1.9.2.26-0.3.1
      mozilla-xulrunner192-gnome-1.9.2.26-0.3.1
      mozilla-xulrunner192-translations-1.9.2.26-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-32bit-1.9.2.26-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (ia64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-x86-1.9.2.26-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-1.9.2.26-0.3.1
      mozilla-xulrunner192-gnome-1.9.2.26-0.3.1
      mozilla-xulrunner192-translations-1.9.2.26-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-32bit-1.9.2.26-0.3.1
      mozilla-xulrunner192-gnome-32bit-1.9.2.26-0.3.1
      mozilla-xulrunner192-translations-32bit-1.9.2.26-0.3.1

References:

   https://bugzilla.novell.com/737533
   https://bugzilla.novell.com/744275
   http://download.novell.com/patch/finder/?keywords=f3ea71cad4a071175c00255553cb3aa9

From sle-security-updates at lists.suse.com Thu Feb 9 11:07:27 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 9 Feb 2012 19:07:27 +0100 (CET)
Subject: SUSE-SU-2012:0201-1: moderate: Security update for lighttpd
Message-ID: <20120209180727.4DDD332002@maintenance.suse.de>

SUSE Security Update: Security update for lighttpd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0201-1
Rating:             moderate
References:         #733607
Cross-References:   CVE-2011-4362
Affected Products:
                    WebYaST [Appliance - Tools]
                    SUSE Studio Onsite 1.1
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise High Availability Extension 11 SP1
                    SUSE Lifecycle Management Server 1.1 [Appliance - Tools]
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update of lighttpd fixes an out-of-bounds read due to a signedness
   error which could cause a Denial of Service (CVE-2011-4362).

   Security Issue reference:

   * CVE-2011-4362

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - WebYaST [Appliance - Tools]:

      zypper in -t patch slewyst1sp1-lighttpd-5739 slewystsp1-lighttpd-5739

   - SUSE Studio Onsite 1.1:

      zypper in -t patch slestsosp1-lighttpd-5739

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-lighttpd-5739

   - SUSE Linux Enterprise High Availability Extension 11 SP1:

      zypper in -t patch sleshasp1-lighttpd-5739

   - SUSE Lifecycle Management Server 1.1 [Appliance - Tools]:

      zypper in -t patch sleslmssp1-lighttpd-5739

   To bring your system up-to-date, use "zypper patch".
Package List:

   - WebYaST [Appliance - Tools] (i586 ia64 ppc64 s390x x86_64):

      lighttpd-1.4.20-2.46.1
      lighttpd-mod_magnet-1.4.20-2.46.1

   - SUSE Studio Onsite 1.1 (x86_64):

      lighttpd-1.4.20-2.46.1
      lighttpd-mod_magnet-1.4.20-2.46.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      lighttpd-1.4.20-2.46.1
      lighttpd-mod_cml-1.4.20-2.46.1
      lighttpd-mod_magnet-1.4.20-2.46.1
      lighttpd-mod_mysql_vhost-1.4.20-2.46.1
      lighttpd-mod_rrdtool-1.4.20-2.46.1
      lighttpd-mod_trigger_b4_dl-1.4.20-2.46.1
      lighttpd-mod_webdav-1.4.20-2.46.1

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      lighttpd-1.4.20-2.46.1

   - SUSE Lifecycle Management Server 1.1 [Appliance - Tools] (x86_64):

      lighttpd-1.4.20-2.46.1
      lighttpd-mod_magnet-1.4.20-2.46.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

      lighttpd-1.4.10-11.32.1
      lighttpd-mod_cml-1.4.10-11.32.1
      lighttpd-mod_mysql_vhost-1.4.10-11.32.1
      lighttpd-mod_rrdtool-1.4.10-11.32.1
      lighttpd-mod_trigger_b4_dl-1.4.10-11.32.1
      lighttpd-mod_webdav-1.4.10-11.32.1

References:

   http://support.novell.com/security/cve/CVE-2011-4362.html
   https://bugzilla.novell.com/733607
   http://download.novell.com/patch/finder/?keywords=c08fa2430c6570b012332d3fa931b82e
   http://download.novell.com/patch/finder/?keywords=decaee57a60c2feafab04139c68dd658

From sle-security-updates at lists.suse.com Thu Feb 9 11:10:19 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 9 Feb 2012 19:10:19 +0100 (CET)
Subject: SUSE-SU-2012:0220-1: Security update for MozillaFirefox
Message-ID: <20120209181019.C4663320E0@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0220-1
Rating:             low
References:         #742826
Cross-References:   CVE-2011-3659 CVE-2012-0442 CVE-2012-0443 CVE-2012-0444
                    CVE-2012-0445 CVE-2012-0446 CVE-2012-0447 CVE-2012-0449
                    CVE-2012-0450
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available. It includes three
   new package versions.

Description:

   This update provides Mozilla Firefox 10, which provides many fixes,
   security and feature enhancements. For a detailed list, please have a look
   at http://www.mozilla.org/en-US/firefox/10.0/releasenotes/ and
   http://www.mozilla.org/de/firefox/features/

   The following security issues have been fixed in this update:

   * Mozilla developers identified and fixed several memory safety bugs in the
     browser engine used in Firefox and other Mozilla-based products. Some of
     these bugs showed evidence of memory corruption under certain
     circumstances, and we presume that with enough effort at least some of
     these could be exploited to run arbitrary code. (MFSA 2012-01,
     CVE-2012-0442, CVE-2012-0443)
   * Alex Dvorov reported that an attacker could replace a sub-frame in
     another domain's document by using the name attribute of the sub-frame as
     a form submission target. This can potentially allow for phishing attacks
     against users and violates the HTML5 frame navigation policy.
     (MFSA 2012-03, CVE-2012-0445)
   * Security researcher regenrecht reported via TippingPoint's Zero Day
     Initiative that removed child nodes of nsDOMAttribute can be accessed
     under certain circumstances because of a premature notification of
     AttributeChildRemoved. This use-after-free of the child nodes could
     possibly allow for remote code execution. (MFSA 2012-04, CVE-2011-3659)
   * Mozilla security researcher moz_bug_r_a4 reported that frame scripts
     bypass XPConnect security checks when calling untrusted objects. This
     allows for cross-site scripting (XSS) attacks through web pages and
     Firefox extensions.
     The fix enables the Script Security Manager (SSM) to force security
     checks on all frame scripts. (MFSA 2012-05, CVE-2012-0446)
   * Mozilla developer Tim Abraldes reported that when encoding images as
     image/vnd.microsoft.icon the resulting data was always a fixed size, with
     uninitialized memory appended as padding beyond the size of the actual
     image. This is the result of mImageBufferSize in the encoder being
     initialized with a value different than the size of the source image.
     There is the possibility of sensitive data from uninitialized memory
     being appended to a PNG image when converted from an ICO format image.
     This sensitive data may then be disclosed in the resulting image.
     (MFSA 2012-06, http://www.mozilla.org/security/announce/2012/mfsa2012-06.html,
     CVE-2012-0447)
   * Security researcher regenrecht reported via TippingPoint's Zero Day
     Initiative the possibility of memory corruption during the decoding of
     Ogg Vorbis files. This can cause a crash during decoding and has the
     potential for remote code execution. (MFSA 2012-07, CVE-2012-0444)
   * Security researchers Nicolas Gregoire and Aki Helin independently
     reported that when processing a malformed embedded XSLT stylesheet,
     Firefox can crash due to a memory corruption. While there is no evidence
     that this is directly exploitable, there is a possibility of remote code
     execution. (MFSA 2012-08, CVE-2012-0449)
   * magicant starmen reported that if a user chooses to export their Firefox
     Sync key the "Firefox Recovery Key.html" file is saved with incorrect
     permissions, making the file contents potentially readable by other users
     on Linux and OS X systems. (MFSA 2012-09, CVE-2012-0450)

Indications:

   Firefox users should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-firefox-10-5754

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-firefox-10-5754

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-firefox-10-5754

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-firefox-10-5754

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 s390x x86_64):

      beagle-0.3.8-56.44.45.6
      beagle-devel-0.3.8-56.44.45.6
      beagle-lang-0.3.8-56.44.45.6

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 10.0 and 7]:

      MozillaFirefox-10.0-0.3.2
      MozillaFirefox-branding-SLES-for-VMware-7-0.4.2.5
      MozillaFirefox-translations-10.0-0.3.2
      mozilla-kde4-integration-0.6.3-5.6.5

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0 and 7]:

      MozillaFirefox-10.0-0.3.2
      MozillaFirefox-branding-SLED-7-0.6.7.7
      MozillaFirefox-translations-10.0-0.3.2
      mozilla-kde4-integration-0.6.3-5.6.5

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 10.0, 11.1.102.55 and 7]:

      MozillaFirefox-10.0-0.3.2
      MozillaFirefox-branding-SLED-7-0.6.7.7
      MozillaFirefox-translations-10.0-0.3.2
      beagle-0.3.8-56.44.45.6
      beagle-evolution-0.3.8-56.44.45.6
      beagle-firefox-0.3.8-56.44.45.6
      beagle-gui-0.3.8-56.44.45.6
      beagle-lang-0.3.8-56.44.45.6
      flash-player-11.1.102.55-0.13.1
      mhtml-firefox-0.5-1.45.7
      mozilla-kde4-integration-0.6.3-5.6.5

References:

   http://support.novell.com/security/cve/CVE-2011-3659.html
   http://support.novell.com/security/cve/CVE-2012-0442.html
   http://support.novell.com/security/cve/CVE-2012-0443.html
   http://support.novell.com/security/cve/CVE-2012-0444.html
   http://support.novell.com/security/cve/CVE-2012-0445.html
   http://support.novell.com/security/cve/CVE-2012-0446.html
   http://support.novell.com/security/cve/CVE-2012-0447.html
   http://support.novell.com/security/cve/CVE-2012-0449.html
   http://support.novell.com/security/cve/CVE-2012-0450.html
   https://bugzilla.novell.com/742826
   http://download.novell.com/patch/finder/?keywords=036e93199c4a2b5d3bc60b6d05a8d355

From sle-security-updates at lists.suse.com Thu Feb 9 11:10:21 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 9 Feb 2012 19:10:21 +0100 (CET)
Subject: SUSE-SU-2012:0221-1: important: Security update for Mozilla Firefox
Message-ID: <20120209181021.BA38532154@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0221-1
Rating:             important
References:         #744275
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed. It includes
   two new package versions.

Description:

   Mozilla Firefox was updated to 3.6.26, fixing bugs and security issues.

   The following security issues have been fixed by this update:

   * MFSA 2012-01: Mozilla developers identified and fixed several memory
     safety bugs in the browser engine used in Firefox and other Mozilla-based
     products. Some of these bugs showed evidence of memory corruption under
     certain circumstances, and we presume that with enough effort at least
     some of these could be exploited to run arbitrary code. In general these
     flaws cannot be exploited through email in the Thunderbird and SeaMonkey
     products because scripting is disabled, but are potentially a risk in
     browser or browser-like contexts in those products.

     References:
     * CVE-2012-0442: Jesse Ruderman and Bob Clary reported memory safety
       problems that were fixed in both Firefox 10 and Firefox 3.6.26.
   * MFSA 2012-02/CVE-2011-3670: For historical reasons Firefox has been
     generous in its interpretation of web addresses containing square
     brackets around the host. If this host was not a valid IPv6 literal
     address, Firefox attempted to interpret the host as a regular domain
     name. Gregory Fleischer reported that requests made using IPv6 syntax
     using XMLHttpRequest objects through a proxy may generate errors
     depending on proxy configuration for IPv6. The resulting error messages
     from the proxy may disclose sensitive data because Same-Origin Policy
     (SOP) will allow the XMLHttpRequest object to read these error messages,
     allowing user privacy to be eroded. Firefox now enforces RFC 3986 IPv6
     literal syntax and that may break links written using the non-standard
     Firefox-only forms that were previously accepted. This was fixed
     previously for Firefox 7.0, Thunderbird 7.0, and SeaMonkey 2.4 but only
     fixed in Firefox 3.6.26 and Thunderbird 3.1.18 during 2012.
   * MFSA 2012-04/CVE-2011-3659: Security researcher regenrecht reported via
     TippingPoint's Zero Day Initiative that removed child nodes of
     nsDOMAttribute can be accessed under certain circumstances because of a
     premature notification of AttributeChildRemoved. This use-after-free of
     the child nodes could possibly allow for remote code execution.
   * MFSA 2012-07/CVE-2012-0444: Security researcher regenrecht reported via
     TippingPoint's Zero Day Initiative the possibility of memory corruption
     during the decoding of Ogg Vorbis files. This can cause a crash during
     decoding and has the potential for remote code execution.
   * MFSA 2012-08/CVE-2012-0449: Security researchers Nicolas Gregoire and
     Aki Helin independently reported that when processing a malformed
     embedded XSLT stylesheet, Firefox can crash due to a memory corruption.
     While there is no evidence that this is directly exploitable, there is a
     possibility of remote code execution.

Indications:

   Please install this update.
Special Instructions and Notes:

   Please reboot the system after installing this update.

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-1.9.2.26-0.5.1
      mozilla-xulrunner192-gnome-1.9.2.26-0.5.1
      mozilla-xulrunner192-translations-1.9.2.26-0.5.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 3.6.26]:

      MozillaFirefox-3.6.26-0.6.1
      MozillaFirefox-translations-3.6.26-0.6.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-32bit-1.9.2.26-0.5.1
      mozilla-xulrunner192-gnome-32bit-1.9.2.26-0.5.1
      mozilla-xulrunner192-translations-32bit-1.9.2.26-0.5.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-1.9.2.26-0.5.1
      mozilla-xulrunner192-gnome-1.9.2.26-0.5.1
      mozilla-xulrunner192-translations-1.9.2.26-0.5.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 1.9.2.26]:

      mozilla-xulrunner192-32bit-1.9.2.26-0.5.1
      mozilla-xulrunner192-gnome-32bit-1.9.2.26-0.5.1
      mozilla-xulrunner192-translations-32bit-1.9.2.26-0.5.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 3.6.26]:

      MozillaFirefox-3.6.26-0.6.1
      MozillaFirefox-translations-3.6.26-0.6.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x):

      MozillaFirefox-branding-upstream-3.6.26-0.6.1

References:

   https://bugzilla.novell.com/744275
   http://download.novell.com/patch/finder/?keywords=d1ff5a0e9707cb73c751a65b6759427d

From sle-security-updates at lists.suse.com Thu Feb 9 11:10:43 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 9 Feb 2012 19:10:43 +0100 (CET)
Subject: SUSE-SU-2012:0231-1: moderate: Security update for sysconfig
Message-ID: <20120209181043.3E5E532154@maintenance.suse.de>

SUSE Security Update: Security update for sysconfig
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0231-1
Rating:             moderate
References:
#704234 #735394 Cross-References: CVE-2011-4182 Affected Products: SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 10 SP4 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: The following bug has been fixed: * sysconfig hook script for NetworkManager did not properly quote shell meta characters when processing ESSIDs. Specially crafted network names could have therefore lead to execution of shell code (CVE-2011-4182). Security Issue reference: * CVE-2011-4182 Special Instructions and Notes: Please reboot the system after installing this update.This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. 
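The quoting bug described above, as an added example in sh (editor's code, not the sysconfig hook script, whose exact shape the advisory does not show): an ESSID is data that comes from the radio, so when it is spliced unquoted into a command string that is later passed to eval, a ';' in the network name ends the intended command and whatever follows runs as root. The ESSID below is constructed for the demonstration; the hardened variant single-quotes the value before composing the string.

```shell
#!/bin/sh
# Added example, not part of the advisory or of sysconfig.
# Constructed ESSID carrying a shell metacharacter and a trailing command.
CRAFTED_ESSID='CoffeeShop;echo INJECTED'

# Vulnerable pattern (assumed shape of the bug): the ESSID in $1 is spliced
# unquoted into a command string that is then eval'd, so the ';' splits the
# string into two commands and the attacker's "echo INJECTED" runs too.
unsafe_hook() {
    eval "printf '%s\n' essid=$1"
}

# Single-quote a value so it survives one round of shell parsing unchanged:
# wrap it in '...' and turn every embedded ' into '\'' .
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened pattern: quote the value before it goes into the command string,
# so the whole ESSID becomes one argument and nothing after ';' is executed.
safe_hook() {
    eval "printf '%s\n' essid=$(shell_quote "$1")"
}

# Stand-alone run: the unsafe hook prints two lines (the second being the
# injected command's output), the safe hook prints the ESSID as-is.
unsafe_hook "$CRAFTED_ESSID"
safe_hook "$CRAFTED_ESSID"
```

The same pattern (a value from outside reaching `eval`, `sh -c`, or a sourced sysconfig file unquoted) is worth grepping for in any network hook script; the fix is always to quote at the point where the string is composed, never to filter the ESSID.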
Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
       sysconfig-0.50.9-13.68.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
       sysconfig-0.50.9-13.68.1

References:

   http://support.novell.com/security/cve/CVE-2011-4182.html
   https://bugzilla.novell.com/704234
   https://bugzilla.novell.com/735394
   http://download.novell.com/patch/finder/?keywords=e1ff0acb7870582081808201b27ba00e

From sle-security-updates at lists.suse.com Thu Feb 9 16:08:54 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 10 Feb 2012 00:08:54 +0100 (CET)
Subject: SUSE-SU-2012:0254-1: moderate: Security update for SUSE Manager
Message-ID: <20120209230854.99DE332294@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0254-1
Rating:             moderate
References:         #728894 #730408 #731304 #732517 #732845 #734164 #736240 #737649 #738054 #740813 #742145
Cross-References:   CVE-2012-0059
Affected Products:
                    SUSE Manager 1.2 for SLE 11 SP1
______________________________________________________________________________

   An update that solves one vulnerability and has 10 fixes is now available.

Description:

   This 2012/01 Update for SUSE Manager provides the following security fixes:

   * CVE-2012-0059: The spacewalk admin was able to read the password of other users that failed to register. The password is even sent via email in plaintext.
   In addition the following non-security changes were added:

   * 728894: Fix internal server error when deleting a software channel
   * 730408: Remove markup from error message
   * 731304: Fix display of XML snippets in the web ui
   * 732517: Remove confirmation dialog when adding a channel
   * 732845: Fix query to determine config channels in SSM
   * 734164: Make all chars display properly
   * 736240: Remove setuid bits from oracle binaries
   * 737649: Add missing URL to auditlog configuration
   * 738054: Offer to disable YaST Automatic Online Update if it is enabled on the client.
   * 740813: Fix mgr-ncc-sync -s resetting the max_members of system groups to 10
   * 742145: Set up seclist in registration.py

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.

   2. Stop the Spacewalk service:

        spacewalk-service stop

   3. Apply the patch using either zypper patch or YaST Online Update.

   4. Optionally install new packages (required only if audit logging should be enabled):

        zypper in auditlog-keeper auditlog-keeper-spacewalk-validator auditlog-keeper-syslog

      Additional output plugins available: auditlog-keeper-rdbms, auditlog-keeper-xmlout

      To enable audit logging add the following line to /etc/rhn/rhn.conf:

        audit.enabled = 1

   5. Start the Spacewalk service:

        spacewalk-service start

Security Issue reference:

   * CVE-2012-0059

Indications:

   Please update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.2 for SLE 11 SP1:
       zypper in -t patch sleman12sp1-susemanager-201201-5718

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Manager 1.2 for SLE 11 SP1 (x86_64):
       spacewalk-backend-1.2.74-0.46.1
       spacewalk-backend-app-1.2.74-0.46.1
       spacewalk-backend-applet-1.2.74-0.46.1
       spacewalk-backend-config-files-1.2.74-0.46.1
       spacewalk-backend-config-files-common-1.2.74-0.46.1
       spacewalk-backend-config-files-tool-1.2.74-0.46.1
       spacewalk-backend-iss-1.2.74-0.46.1
       spacewalk-backend-iss-export-1.2.74-0.46.1
       spacewalk-backend-libs-1.2.74-0.46.1
       spacewalk-backend-package-push-server-1.2.74-0.46.1
       spacewalk-backend-server-1.2.74-0.46.1
       spacewalk-backend-sql-1.2.74-0.46.1
       spacewalk-backend-sql-oracle-1.2.74-0.46.1
       spacewalk-backend-tools-1.2.74-0.46.1
       spacewalk-backend-xml-export-libs-1.2.74-0.46.1
       spacewalk-backend-xmlrpc-1.2.74-0.46.1
       spacewalk-backend-xp-1.2.74-0.46.1
       susemanager-1.2.0-0.50.1
       susemanager-tools-1.2.0-0.50.1

   - SUSE Manager 1.2 for SLE 11 SP1 (noarch):
       editarea-0.8.2-0.4.1
       spacewalk-base-1.2.31-0.33.1
       spacewalk-base-minimal-1.2.31-0.33.1
       spacewalk-certs-tools-1.2.2-0.24.1
       spacewalk-grail-1.2.31-0.33.1
       spacewalk-html-1.2.31-0.33.1
       spacewalk-java-1.2.115-0.52.1
       spacewalk-java-config-1.2.115-0.52.1
       spacewalk-java-lib-1.2.115-0.52.1
       spacewalk-java-oracle-1.2.115-0.52.1
       spacewalk-pxt-1.2.31-0.33.1
       spacewalk-sniglets-1.2.31-0.33.1
       spacewalk-taskomatic-1.2.115-0.52.1

References:

   http://support.novell.com/security/cve/CVE-2012-0059.html
   https://bugzilla.novell.com/728894
   https://bugzilla.novell.com/730408
   https://bugzilla.novell.com/731304
   https://bugzilla.novell.com/732517
   https://bugzilla.novell.com/732845
   https://bugzilla.novell.com/734164
   https://bugzilla.novell.com/736240
   https://bugzilla.novell.com/737649
   https://bugzilla.novell.com/738054
   https://bugzilla.novell.com/740813
   https://bugzilla.novell.com/742145
   http://download.novell.com/patch/finder/?keywords=cbd90cc906d52950a552c6ddd2659abf

From sle-security-updates at lists.suse.com Wed Feb 15 12:08:24 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 15 Feb 2012 20:08:24 +0100 (CET)
Subject: SUSE-SU-2012:0260-1: moderate: Security update for NetworkManager-gnome
Message-ID: <20120215190824.2477E323B3@maintenance.suse.de>

SUSE Security Update: Security update for NetworkManager-gnome
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0260-1
Rating:             moderate
References:         #574266 #732700
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that contains security fixes can now be installed. It includes one version update.

Description:

   NetworkManager did not pin a certificate's subject to an ESSID. A rogue access point could therefore be used to conduct MITM attacks by using any other valid certificate issued by the same CA as used in the original network (CVE-2006-7246).

   Please note that existing WPA2 Enterprise connections need to be deleted and re-created to take advantage of the new security checks.

   This is a re-release of the previous update to also enable the checks for EAP-TLS.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
       zypper in -t patch slessp1-NetworkManager-gnome-5621

   - SUSE Linux Enterprise Server 11 SP1:
       zypper in -t patch slessp1-NetworkManager-gnome-5621

   - SUSE Linux Enterprise Desktop 11 SP1:
       zypper in -t patch sledsp1-NetworkManager-gnome-5621

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 0.7.1]:
       NetworkManager-gnome-0.7.1-5.15.11.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.7.1]:
       NetworkManager-gnome-0.7.1-5.15.11.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 0.7.1]:
       NetworkManager-gnome-0.7.1-5.15.11.1

References:

   https://bugzilla.novell.com/574266
   https://bugzilla.novell.com/732700
   http://download.novell.com/patch/finder/?keywords=c7f58cba030474918054f80ae9b9d8f5

From sle-security-updates at lists.suse.com Wed Feb 15 20:08:25 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 16 Feb 2012 04:08:25 +0100 (CET)
Subject: SUSE-SU-2012:0261-1: critical: Security update for Mozilla Firefox
Message-ID: <20120216030825.5850E323C1@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0261-1
Rating:             critical
References:         #744625 #744629 #746616
Cross-References:   CVE-2012-0452
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1 FOR SP2
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now available. It includes one version update.

Description:

   MozillaFirefox was updated to 10.0.1 to fix critical bugs and a security issue.

   The following security issue has been fixed:

   CVE-2012-0452: Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave an XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding a crash will occur.
   This crash may be potentially exploitable. Firefox 9 and earlier are not affected by this vulnerability.

   https://www.mozilla.org/security/announce/2012/mfsa2012-10.html

Security Issues:

   * CVE-2012-0452

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
       zypper in -t patch slessp1-MozillaFirefox-5807

   - SUSE Linux Enterprise Server 11 SP1 FOR SP2:
       zypper in -t patch slessp1fsp2-MozillaFirefox-5807

   - SUSE Linux Enterprise Server 11 SP1:
       zypper in -t patch slessp1-MozillaFirefox-5807

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:
       zypper in -t patch sledsp1fsp2-MozillaFirefox-5807

   - SUSE Linux Enterprise Desktop 11 SP1:
       zypper in -t patch sledsp1-MozillaFirefox-5807

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 10.0.1]:
       MozillaFirefox-10.0.1-0.4.1
       MozillaFirefox-translations-10.0.1-0.4.1

   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.1]:
       MozillaFirefox-10.0.1-0.4.1
       MozillaFirefox-translations-10.0.1-0.4.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.1]:
       MozillaFirefox-10.0.1-0.4.1
       MozillaFirefox-translations-10.0.1-0.4.1

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64) [New Version: 10.0.1]:
       MozillaFirefox-10.0.1-0.4.1
       MozillaFirefox-translations-10.0.1-0.4.1
       mhtml-firefox-0.5-1.47.47.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 10.0.1]:
       MozillaFirefox-10.0.1-0.4.1
       MozillaFirefox-translations-10.0.1-0.4.1
       mhtml-firefox-0.5-1.47.47.1

References:

   http://support.novell.com/security/cve/CVE-2012-0452.html
   https://bugzilla.novell.com/744625
   https://bugzilla.novell.com/744629
   https://bugzilla.novell.com/746616
   http://download.novell.com/patch/finder/?keywords=0727d8a4f41b1fef19dc1e8e92fae922

From sle-security-updates at lists.suse.com Fri Feb 17 13:08:31 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 17 Feb 2012 21:08:31 +0100 (CET)
Subject: SUSE-SU-2012:0275-1: Security update for qemu
Message-ID: <20120217200831.62D04323B3@maintenance.suse.de>

SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0275-1
Rating:             low
References:         #740165
Cross-References:   CVE-2012-0029
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Point of Service 11 SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   A heap-based buffer overflow in the legacy mode of the e1000 driver device emulation was fixed (CVE-2012-0029).

Security Issue reference:

   * CVE-2012-0029

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2:
       zypper in -t patch sdksp1fsp2-qemu-5803

   - SUSE Linux Enterprise Software Development Kit 11 SP1:
       zypper in -t patch sdksp1-qemu-5803

   - SUSE Linux Enterprise Point of Service 11 SP1:
       zypper in -t patch sleposp1-qemu-5803

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (i586 x86_64):
       qemu-0.10.1-0.5.5.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64):
       qemu-0.10.1-0.5.5.1

   - SUSE Linux Enterprise Point of Service 11 SP1 (i586):
       qemu-0.10.1-0.5.5.1

References:

   http://support.novell.com/security/cve/CVE-2012-0029.html
   https://bugzilla.novell.com/740165
   http://download.novell.com/patch/finder/?keywords=b94d7b858db9da7353cb997a14127ea8

From sle-security-updates at lists.suse.com Sat Feb 18 02:08:24 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 18 Feb 2012 10:08:24 +0100 (CET)
Subject: SUSE-SU-2012:0280-1: critical: Security update for flash-player
Message-ID: <20120218090824.44624323B3@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0280-1
Rating:             critical
References:         #747297
Cross-References:   CVE-2012-0751 CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 CVE-2012-0767
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available. It includes one version update.

Description:

   flash-player was updated to version 11.1.102.62. It fixes lots of security issues, some already exploited in the wild. Details can be found at:

   https://www.adobe.com/support/security/bulletins/apsb12-03.html

   These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

   This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website.
   There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only).

Security Issue references:

   * CVE-2012-0751
   * CVE-2012-0752
   * CVE-2012-0753
   * CVE-2012-0754
   * CVE-2012-0755
   * CVE-2012-0756
   * CVE-2012-0767

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:
       zypper in -t patch sledsp1fsp2-flash-player-5817

   - SUSE Linux Enterprise Desktop 11 SP1:
       zypper in -t patch sledsp1-flash-player-5817

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64) [New Version: 11.1.102.62]:
       flash-player-11.1.102.62-0.14.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 11.1.102.62]:
       flash-player-11.1.102.62-0.14.1

References:

   http://support.novell.com/security/cve/CVE-2012-0751.html
   http://support.novell.com/security/cve/CVE-2012-0752.html
   http://support.novell.com/security/cve/CVE-2012-0753.html
   http://support.novell.com/security/cve/CVE-2012-0754.html
   http://support.novell.com/security/cve/CVE-2012-0755.html
   http://support.novell.com/security/cve/CVE-2012-0756.html
   http://support.novell.com/security/cve/CVE-2012-0767.html
   https://bugzilla.novell.com/747297
   http://download.novell.com/patch/finder/?keywords=e7839de3d618cfe53b47ab455a9b2171

From sle-security-updates at lists.suse.com Sat Feb 18 02:08:25 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 18 Feb 2012 10:08:25 +0100 (CET)
Subject: SUSE-SU-2012:0281-1: moderate: Security update for libopenssl
Message-ID: <20120218090825.4787F323BC@maintenance.suse.de>

SUSE Security Update: Security update for libopenssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0281-1
Rating:             moderate
References:         #742821 #743344
Cross-References:   CVE-2012-0050
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1 FOR SP2
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available. It includes one version update.

Description:

   This update of OpenSSL fixes a Denial of Service issue that could be triggered via unspecified vectors (CVE-2012-0050).

   Also, the SHA256 and SHA512 algorithms are now enabled by default.

Security Issue reference:

   * CVE-2012-0050

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2:
       zypper in -t patch sdksp1fsp2-libopenssl-devel-5808

   - SUSE Linux Enterprise Software Development Kit 11 SP1:
       zypper in -t patch sdksp1-libopenssl-devel-5808

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
       zypper in -t patch slessp1-libopenssl-devel-5808

   - SUSE Linux Enterprise Server 11 SP1 FOR SP2:
       zypper in -t patch slessp1fsp2-libopenssl-devel-5808

   - SUSE Linux Enterprise Server 11 SP1:
       zypper in -t patch slessp1-libopenssl-devel-5808

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:
       zypper in -t patch sledsp1fsp2-libopenssl-devel-5808

   - SUSE Linux Enterprise Desktop 11 SP1:
       zypper in -t patch sledsp1-libopenssl-devel-5808

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.9.8j]:
       libopenssl-devel-0.9.8j-0.28.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.9.8j]:
       libopenssl-devel-0.9.8j-0.28.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 0.9.8j]:
       libopenssl0_9_8-0.9.8j-0.28.1
       openssl-0.9.8j-0.28.1
       openssl-doc-0.9.8j-0.28.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64) [New Version: 0.9.8j]:
       libopenssl0_9_8-32bit-0.9.8j-0.28.1

   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.9.8j]:
       libopenssl0_9_8-0.9.8j-0.28.1
       openssl-0.9.8j-0.28.1
       openssl-doc-0.9.8j-0.28.1

   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (ppc64 s390x x86_64) [New Version: 0.9.8j]:
       libopenssl0_9_8-32bit-0.9.8j-0.28.1

   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (ia64) [New Version: 0.9.8j]:
       libopenssl0_9_8-x86-0.9.8j-0.28.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.9.8j]:
       libopenssl0_9_8-0.9.8j-0.28.1
       openssl-0.9.8j-0.28.1
       openssl-doc-0.9.8j-0.28.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64) [New Version: 0.9.8j]:
       libopenssl0_9_8-32bit-0.9.8j-0.28.1

   - SUSE Linux Enterprise Server 11 SP1 (ia64) [New Version: 0.9.8j]:
       libopenssl0_9_8-x86-0.9.8j-0.28.1

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64) [New Version: 0.9.8j]:
       libopenssl0_9_8-0.9.8j-0.28.1
       openssl-0.9.8j-0.28.1

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (x86_64) [New Version: 0.9.8j]:
       libopenssl0_9_8-32bit-0.9.8j-0.28.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 0.9.8j]:
       libopenssl0_9_8-0.9.8j-0.28.1
       openssl-0.9.8j-0.28.1

   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64) [New Version: 0.9.8j]:
       libopenssl0_9_8-32bit-0.9.8j-0.28.1

References:

   http://support.novell.com/security/cve/CVE-2012-0050.html
   https://bugzilla.novell.com/742821
   https://bugzilla.novell.com/743344
   http://download.novell.com/patch/finder/?keywords=c361b0812d0530c122bf1decd47f80cb

From sle-security-updates at lists.suse.com Sat Feb 18 03:08:11 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 18 Feb 2012 11:08:11 +0100 (CET)
Subject: SUSE-SU-2012:0282-1: moderate: Security update for OpenSSL
Message-ID: <20120218100811.79E90323C1@maintenance.suse.de>

SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0282-1
Rating:             moderate
References:         #742821
Cross-References:   CVE-2012-0050
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update of OpenSSL fixes a Denial of Service issue that could be triggered via unspecified vectors (CVE-2012-0050).
Security Issue reference:

   * CVE-2012-0050

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
       openssl-0.9.8a-18.60.3
       openssl-devel-0.9.8a-18.60.3
       openssl-doc-0.9.8a-18.60.3

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):
       openssl-32bit-0.9.8a-18.60.3
       openssl-devel-32bit-0.9.8a-18.60.3

   - SUSE Linux Enterprise Server 10 SP4 (ia64):
       openssl-x86-0.9.8a-18.60.3

   - SUSE Linux Enterprise Server 10 SP4 (ppc):
       openssl-64bit-0.9.8a-18.60.3
       openssl-devel-64bit-0.9.8a-18.60.3

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
       openssl-0.9.8a-18.60.3
       openssl-devel-0.9.8a-18.60.3

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
       openssl-32bit-0.9.8a-18.60.3
       openssl-devel-32bit-0.9.8a-18.60.3

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):
       openssl-doc-0.9.8a-18.60.3

References:

   http://support.novell.com/security/cve/CVE-2012-0050.html
   https://bugzilla.novell.com/742821
   http://download.novell.com/patch/finder/?keywords=f865d7708d91915ffe224375f1620a18

From sle-security-updates at lists.suse.com Sat Feb 18 05:08:14 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 18 Feb 2012 13:08:14 +0100 (CET)
Subject: SUSE-SU-2012:0283-1: moderate: Security update for NetworkManager
Message-ID: <20120218120814.628F4323B3@maintenance.suse.de>

SUSE Security Update: Security update for NetworkManager
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0283-1
Rating:             moderate
References:         #574266
Cross-References:   CVE-2006-7246
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   NetworkManager did not pin a certificate's subject to an ESSID.
   A rogue access point could therefore be used to conduct MITM attacks by using any other valid certificate issued by the same CA as used in the original network (CVE-2006-7246).

   Please note that existing WPA2 Enterprise connections need to be deleted and re-created to take advantage of the new security checks.

Security Issue reference:

   * CVE-2006-7246

Special Instructions and Notes:

   Please reboot the system after installing this update.

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
       NetworkManager-0.6.6-0.21.5
       NetworkManager-devel-0.6.6-0.21.5
       NetworkManager-glib-0.6.6-0.21.5
       NetworkManager-gnome-0.6.6-0.21.5
       wpa_supplicant-0.4.8-14.29.5

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
       NetworkManager-0.6.6-0.21.5
       NetworkManager-devel-0.6.6-0.21.5
       NetworkManager-glib-0.6.6-0.21.5
       NetworkManager-gnome-0.6.6-0.21.5
       wpa_supplicant-0.4.8-14.29.5

References:

   http://support.novell.com/security/cve/CVE-2006-7246.html
   https://bugzilla.novell.com/574266
   http://download.novell.com/patch/finder/?keywords=3ae188b8ee6ea152ca6d4acbf24ee30e

From sle-security-updates at lists.suse.com Sat Feb 18 05:08:15 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 18 Feb 2012 13:08:15 +0100 (CET)
Subject: SUSE-SU-2012:0284-1: important: Security update for Apache2
Message-ID: <20120218120815.D378D323B3@maintenance.suse.de>

SUSE Security Update: Security update for Apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0284-1
Rating:             important
References:         #728876 #738067 #738855 #739783 #741243 #741874 #743743
Cross-References:   CVE-2007-6750 CVE-2012-0031 CVE-2012-0053
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
______________________________________________________________________________

   An update that solves three vulnerabilities and has four fixes is now available. It includes one version update.

Description:

   This update of apache2 and libapr1 fixes regressions and several security problems.

   * CVE-2012-0031: Fixed a scoreboard corruption (shared mem segment) by a child that causes a crash of the privileged parent (invalid free()) during shutdown.

   * CVE-2012-0053: Fixed an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400.

   * CVE-2007-6750: The "mod_reqtimeout" module was backported from Apache 2.2.21 to help mitigate the "Slowloris" Denial of Service attack. You need to enable the "mod_reqtimeout" module in your existing apache configuration to make it effective, e.g. in the APACHE_MODULES line in /etc/sysconfig/apache2. For more detailed information, check also the README file.

   Also the following bugs have been fixed:

   * Fixed init script action "check-reload" to avoid potential crashes. bnc#728876
   * An overlapping memcpy() was replaced by memmove() to make this work with newer glibcs. bnc#738067 bnc#741874
   * libapr1: reset errno to zero to not return previous value despite good status of new operation. bnc#739783

Security Issue references:

   * CVE-2007-6750
   * CVE-2012-0031
   * CVE-2012-0053

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1:
       zypper in -t patch sdksp1-apache2-201202-5760

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
       zypper in -t patch slessp1-apache2-201202-5760

   - SUSE Linux Enterprise Server 11 SP1:
       zypper in -t patch slessp1-apache2-201202-5760

   To bring your system up-to-date, use "zypper patch".
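Since the backported mod_reqtimeout does nothing until it is listed in APACHE_MODULES, the practical check after installing this patch is whether that line actually contains it. The sh functions below are an added example (editor's code, not SUSE's or Apache's): they read the module list out of a sysconfig file, report whether reqtimeout is present, and append it idempotently if not. The sysconfig content in the demo is constructed; on a real host you would point the functions at /etc/sysconfig/apache2 and restart the server afterwards.

```shell
#!/bin/sh
# Added example, not part of the advisory. Works on the APACHE_MODULES="..."
# line that /etc/sysconfig/apache2 uses on SLES (assumed format: one line,
# space-separated module names inside double quotes).

# Print the modules listed in APACHE_MODULES of file $1, one per line.
apache_modules() {
    sed -n 's/^APACHE_MODULES="\([^"]*\)"/\1/p' "$1" | tr ' ' '\n' | grep -v '^$'
}

# Exit status 0 if reqtimeout is among them, 1 otherwise.
reqtimeout_enabled() {
    apache_modules "$1" | grep -qx reqtimeout
}

# Append reqtimeout to APACHE_MODULES in file $1 unless it is already there.
# Writes via a temp file so a failed sed never leaves a truncated config.
enable_reqtimeout() {
    reqtimeout_enabled "$1" && return 0
    sed 's/^\(APACHE_MODULES="[^"]*\)"/\1 reqtimeout"/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone demonstration on a constructed sysconfig file (not /etc).
demo="${TMPDIR:-/tmp}/apache2.sysconfig.demo.$$"
cat > "$demo" <<'EOF'
## Type: string
APACHE_MODULES="actions alias auth_basic authz_host dir mime status"
APACHE_SERVER_FLAGS=""
EOF
if reqtimeout_enabled "$demo"; then
    echo "reqtimeout already enabled"
else
    echo "reqtimeout missing, enabling"
fi
enable_reqtimeout "$demo"
grep '^APACHE_MODULES=' "$demo"   # list now ends with "... status reqtimeout"
rm -f "$demo"
```

After `enable_reqtimeout /etc/sysconfig/apache2` on a real SLES 11 system, restart with `rcapache2 restart` and confirm the module is loaded; with no RequestReadTimeout directive of your own, the module applies its upstream documented defaults (header=20-40,MinRate=500 body=20,MinRate=500), which are what actually cuts a Slowloris client off. Those values are the Apache defaults quoted from the module documentation, not something the advisory states.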
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.2.12]:
       apache2-devel-2.2.12-1.30.1
       libapr1-devel-1.3.3-11.18.19.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64) [New Version: 2.2.12]:
       apache2-2.2.12-1.30.1
       apache2-doc-2.2.12-1.30.1
       apache2-example-pages-2.2.12-1.30.1
       apache2-prefork-2.2.12-1.30.1
       apache2-utils-2.2.12-1.30.1
       apache2-worker-2.2.12-1.30.1
       libapr1-1.3.3-11.18.19.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64):
       libapr1-devel-32bit-1.3.3-11.18.19.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 2.2.12]:
       apache2-2.2.12-1.30.1
       apache2-doc-2.2.12-1.30.1
       apache2-example-pages-2.2.12-1.30.1
       apache2-prefork-2.2.12-1.30.1
       apache2-utils-2.2.12-1.30.1
       apache2-worker-2.2.12-1.30.1
       libapr1-1.3.3-11.18.19.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.2.12]:
       apache2-2.2.12-1.30.1
       apache2-doc-2.2.12-1.30.1
       apache2-example-pages-2.2.12-1.30.1
       apache2-prefork-2.2.12-1.30.1
       apache2-utils-2.2.12-1.30.1
       apache2-worker-2.2.12-1.30.1
       libapr1-1.3.3-11.18.19.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64):
       libapr1-32bit-1.3.3-11.18.19.1

References:

   http://support.novell.com/security/cve/CVE-2007-6750.html
   http://support.novell.com/security/cve/CVE-2012-0031.html
   http://support.novell.com/security/cve/CVE-2012-0053.html
   https://bugzilla.novell.com/728876
   https://bugzilla.novell.com/738067
   https://bugzilla.novell.com/738855
   https://bugzilla.novell.com/739783
   https://bugzilla.novell.com/741243
   https://bugzilla.novell.com/741874
   https://bugzilla.novell.com/743743
   http://download.novell.com/patch/finder/?keywords=26fd37ffcda352499111cd00df8417e9

From sle-security-updates at lists.suse.com Thu Feb 23 14:08:12 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 23 Feb 2012 22:08:12 +0100 (CET)
Subject: SUSE-SU-2012:0122-2: important: Security update for IBM Java 1.4.2
Message-ID: <20120223210812.891D032177@maintenance.suse.de>

SUSE Security Update: Security update for IBM Java 1.4.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0122-2
Rating:             important
References:         #739256
Cross-References:   CVE-2011-3389 CVE-2011-3545 CVE-2011-3547 CVE-2011-3548 CVE-2011-3549 CVE-2011-3552 CVE-2011-3556 CVE-2011-3557 CVE-2011-3560
Affected Products:
                    SUSE Linux Enterprise for SAP Applications 11 SP1
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Java 11 SP1
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available.

Description:

   IBM Java 1.4.2 SR13 FP11 has been released and contains various security fixes.

   http://www.ibm.com/developerworks/java/jdk/alerts/

   (CVEs fixed: CVE-2011-3547 CVE-2011-3548 CVE-2011-3549 CVE-2011-3552 CVE-2011-3545 CVE-2011-3556 CVE-2011-3557 CVE-2011-3389 CVE-2011-3560)

Security Issues:

   * CVE-2011-3389
   * CVE-2011-3545
   * CVE-2011-3547
   * CVE-2011-3548
   * CVE-2011-3549
   * CVE-2011-3552
   * CVE-2011-3556
   * CVE-2011-3557
   * CVE-2011-3560

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise for SAP Applications 11 SP1:
       zypper in -t patch slesapp1-java-1_4_2-ibm-sap-5734

   - SUSE Linux Enterprise Software Development Kit 11 SP1:
       zypper in -t patch sdksp1-java-1_4_2-ibm-5609

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
       zypper in -t patch slessp1-java-1_4_2-ibm-5609

   - SUSE Linux Enterprise Server 11 SP1:
       zypper in -t patch slessp1-java-1_4_2-ibm-5609

   - SUSE Linux Enterprise Java 11 SP1:
       zypper in -t patch slejsp1-java-1_4_2-ibm-5609 slejsp1-java-1_4_2-ibm-sap-5734

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise for SAP Applications 11 SP1 (x86_64):
       java-1_4_2-ibm-sap-1.4.2_sr13.11-0.3.1
       java-1_4_2-ibm-sap-devel-1.4.2_sr13.11-0.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):
       java-1_4_2-ibm-devel-1.4.2_sr13.11-0.5.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64):
       java-1_4_2-ibm-1.4.2_sr13.11-0.5.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
       java-1_4_2-ibm-1.4.2_sr13.11-0.5.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586):
       java-1_4_2-ibm-jdbc-1.4.2_sr13.11-0.5.1
       java-1_4_2-ibm-plugin-1.4.2_sr13.11-0.5.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):
       java-1_4_2-ibm-1.4.2_sr13.11-0.5.1

   - SUSE Linux Enterprise Server 11 SP1 (i586):
       java-1_4_2-ibm-jdbc-1.4.2_sr13.11-0.5.1
       java-1_4_2-ibm-plugin-1.4.2_sr13.11-0.5.1

   - SUSE Linux Enterprise Java 11 SP1 (i586 ia64 ppc64 s390x x86_64):
       java-1_4_2-ibm-1.4.2_sr13.11-0.5.1

   - SUSE Linux Enterprise Java 11 SP1 (x86_64):
       java-1_4_2-ibm-sap-1.4.2_sr13.11-0.3.1
       java-1_4_2-ibm-sap-devel-1.4.2_sr13.11-0.3.1

   - SUSE Linux Enterprise Java 11 SP1 (i586):
       java-1_4_2-ibm-jdbc-1.4.2_sr13.11-0.5.1
       java-1_4_2-ibm-plugin-1.4.2_sr13.11-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2011-3389.html
   http://support.novell.com/security/cve/CVE-2011-3545.html
http://support.novell.com/security/cve/CVE-2011-3547.html http://support.novell.com/security/cve/CVE-2011-3548.html http://support.novell.com/security/cve/CVE-2011-3549.html http://support.novell.com/security/cve/CVE-2011-3552.html http://support.novell.com/security/cve/CVE-2011-3556.html http://support.novell.com/security/cve/CVE-2011-3557.html http://support.novell.com/security/cve/CVE-2011-3560.html https://bugzilla.novell.com/739256 http://download.novell.com/patch/finder/?keywords=77471aa6472b33cde43cae36b3b3fef0 http://download.novell.com/patch/finder/?keywords=c0c632466d75a1ac53d2ceaf2d983053 From sle-security-updates at lists.suse.com Thu Feb 23 15:08:25 2012 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 23 Feb 2012 23:08:25 +0100 (CET) Subject: SUSE-SU-2012:0296-1: moderate: Security update for wireshark Message-ID: <20120223220826.0559932177@maintenance.suse.de> SUSE Security Update: Security update for wireshark ______________________________________________________________________________ Announcement ID: SUSE-SU-2012:0296-1 Rating: moderate References: #741187 #741188 #741190 Cross-References: CVE-2012-0041 CVE-2012-0042 CVE-2012-0043 CVE-2012-0066 CVE-2012-0067 CVE-2012-0068 Affected Products: SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This version upgrade of wireshark to 1.4.11 fixes the following security issues: * CVE-2012-0043: RLC dissector buffer overflow * CVE-2012-0041: multiple file parser vulnerabilities * CVE-2012-0042: NULL pointer vulnerabilities * CVE-2012-0066: DoS due to too large buffer alloc request * CVE-2012-0067: DoS due to integer underflow and too large buffer alloc. 
request * CVE-2012-0068: memory corruption due to buffer underflow Additionally, various other non-security issues were resolved. Security Issue references: * CVE-2012-0041 * CVE-2012-0043 * CVE-2012-0042 * CVE-2012-0066 * CVE-2012-0067 * CVE-2012-0068 Package List: - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64): wireshark-1.4.11-0.5.1 wireshark-devel-1.4.11-0.5.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64): wireshark-1.4.11-0.5.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64): wireshark-devel-1.4.11-0.5.1 References: http://support.novell.com/security/cve/CVE-2012-0041.html http://support.novell.com/security/cve/CVE-2012-0042.html http://support.novell.com/security/cve/CVE-2012-0043.html http://support.novell.com/security/cve/CVE-2012-0066.html http://support.novell.com/security/cve/CVE-2012-0067.html http://support.novell.com/security/cve/CVE-2012-0068.html https://bugzilla.novell.com/741187 https://bugzilla.novell.com/741188 https://bugzilla.novell.com/741190 http://download.novell.com/patch/finder/?keywords=0f46263d00a0a835ae8b455b8d0c12d8 From sle-security-updates at lists.suse.com Sun Feb 26 17:08:15 2012 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 27 Feb 2012 01:08:15 +0100 (CET) Subject: SUSE-SU-2012:0298-1: important: Security update for Mozilla XULrunner Message-ID: <20120227000815.97BDF3216D@maintenance.suse.de> SUSE Security Update: Security update for Mozilla XULrunner ______________________________________________________________________________ Announcement ID: SUSE-SU-2012:0298-1 Rating: important References: #747328 Cross-References: CVE-2011-3026 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 SUSE Linux Enterprise Software Development Kit 11 SP1 SUSE Linux Enterprise Server 11 SP1 for VMware SUSE Linux Enterprise Server 11 SP1 FOR SP2 SUSE Linux Enterprise Server 11 SP1 SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 
11 SP1 FOR SP2 SUSE Linux Enterprise Desktop 11 SP1 SUSE Linux Enterprise Desktop 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. It includes two new package versions. Description: Mozilla XULRunner was updated to 1.9.2.27 to fix a security issue with the embedded libpng, where a integer overflow could allow remote attackers to crash the browser or potentially execute code (CVE-2011-3026), Security Issue reference: * CVE-2011-3026 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2: zypper in -t patch sdksp1fsp2-mozilla-xulrunner192-5840 - SUSE Linux Enterprise Software Development Kit 11 SP1: zypper in -t patch sdksp1-mozilla-xulrunner192-5840 - SUSE Linux Enterprise Server 11 SP1 for VMware: zypper in -t patch slessp1-mozilla-xulrunner192-5840 - SUSE Linux Enterprise Server 11 SP1 FOR SP2: zypper in -t patch slessp1fsp2-mozilla-xulrunner192-5840 - SUSE Linux Enterprise Server 11 SP1: zypper in -t patch slessp1-mozilla-xulrunner192-5840 - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2: zypper in -t patch sledsp1fsp2-mozilla-xulrunner192-5840 - SUSE Linux Enterprise Desktop 11 SP1: zypper in -t patch sledsp1-mozilla-xulrunner192-5840 To bring your system up-to-date, use "zypper patch". 
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-devel-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (ppc64 s390x x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-gnome-32bit-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-32bit-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (ia64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-gnome-x86-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-x86-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-devel-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64 s390x x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-gnome-32bit-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-32bit-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ia64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-gnome-x86-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-x86-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-1.9.2.27-0.2.1
      mozilla-xulrunner192-gnome-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-32bit-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-1.9.2.27-0.2.1
      mozilla-xulrunner192-gnome-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (ppc64 s390x x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-32bit-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (ia64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-x86-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-1.9.2.27-0.2.1
      mozilla-xulrunner192-gnome-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-32bit-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Server 11 SP1 (ia64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-x86-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-1.9.2.27-0.5.6
      mozilla-xulrunner192-gnome-1.9.2.27-0.5.6
      mozilla-xulrunner192-translations-1.9.2.27-0.5.6
   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 3.6.27]:
      MozillaFirefox-3.6.27-0.5.4
      MozillaFirefox-translations-3.6.27-0.5.4
   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-32bit-1.9.2.27-0.5.6
      mozilla-xulrunner192-gnome-32bit-1.9.2.27-0.5.6
      mozilla-xulrunner192-translations-32bit-1.9.2.27-0.5.6
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-1.9.2.27-0.2.1
      mozilla-xulrunner192-gnome-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-32bit-1.9.2.27-0.2.1
      mozilla-xulrunner192-gnome-32bit-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-32bit-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-1.9.2.27-0.2.1
      mozilla-xulrunner192-gnome-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-32bit-1.9.2.27-0.2.1
      mozilla-xulrunner192-gnome-32bit-1.9.2.27-0.2.1
      mozilla-xulrunner192-translations-32bit-1.9.2.27-0.2.1
   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-1.9.2.27-0.5.6
      mozilla-xulrunner192-gnome-1.9.2.27-0.5.6
      mozilla-xulrunner192-translations-1.9.2.27-0.5.6
   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 1.9.2.27]:
      mozilla-xulrunner192-32bit-1.9.2.27-0.5.6
      mozilla-xulrunner192-gnome-32bit-1.9.2.27-0.5.6
      mozilla-xulrunner192-translations-32bit-1.9.2.27-0.5.6
   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 3.6.27]:
      MozillaFirefox-3.6.27-0.5.4
      MozillaFirefox-translations-3.6.27-0.5.4
   - SLE SDK 10 SP4 (i586 ia64 ppc s390x):
      MozillaFirefox-branding-upstream-3.6.27-0.5.4

References:

   http://support.novell.com/security/cve/CVE-2011-3026.html
   https://bugzilla.novell.com/747328
   http://download.novell.com/patch/finder/?keywords=2c23debb2e4e3a09d318252e02175814
   http://download.novell.com/patch/finder/?keywords=4513d87a4d6a69221d7fe51d3c22ad66

From sle-security-updates at lists.suse.com Sun Feb 26 17:08:18 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 27 Feb 2012 01:08:18 +0100 (CET)
Subject: SUSE-SU-2012:0299-1: critical: Security update for flash-player
Message-ID: <20120227000818.BE6373216B@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0299-1
Rating:             critical
References:         #747297
Cross-References:   CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755
                    CVE-2012-0756 CVE-2012-0767
Affected Products:
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available. It includes one
   version update.

Description:

   This version upgrade of flash-player fixes multiple security issues that
   could potentially be exploited to cause a crash or even execute arbitrary
   code.
   The following CVE were assigned: CVE-2012-0752 CVE-2012-0753 CVE-2012-0754
   CVE-2012-0755 CVE-2012-0756 CVE-2012-0767

Security Issue references:

   * CVE-2012-0752
   * CVE-2012-0753
   * CVE-2012-0754
   * CVE-2012-0755
   * CVE-2012-0756
   * CVE-2012-0767

Package List:

   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 10.3.183.15]:
      flash-player-10.3.183.15-0.6.1

References:

   http://support.novell.com/security/cve/CVE-2012-0752.html
   http://support.novell.com/security/cve/CVE-2012-0753.html
   http://support.novell.com/security/cve/CVE-2012-0754.html
   http://support.novell.com/security/cve/CVE-2012-0755.html
   http://support.novell.com/security/cve/CVE-2012-0756.html
   http://support.novell.com/security/cve/CVE-2012-0767.html
   https://bugzilla.novell.com/747297
   http://download.novell.com/patch/finder/?keywords=c3d08777a2397ababaa7778f2881067f

From sle-security-updates at lists.suse.com Sun Feb 26 17:08:33 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 27 Feb 2012 01:08:33 +0100 (CET)
Subject: SUSE-SU-2012:0296-2: moderate: Security update for wireshark
Message-ID: <20120227000833.714453216B@maintenance.suse.de>

SUSE Security Update: Security update for wireshark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0296-2
Rating:             moderate
References:         #741187 #741188 #741190
Cross-References:   CVE-2012-0041 CVE-2012-0042 CVE-2012-0043 CVE-2012-0066
                    CVE-2012-0067 CVE-2012-0068
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available. It includes one
   version update.
Description:

   This version upgrade of wireshark to 1.4.11 fixes the following security
   issues:

   * CVE-2012-0043: RLC dissector buffer overflow
   * CVE-2012-0041: multiple file parser vulnerabilities
   * CVE-2012-0042: NULL pointer vulnerabilities
   * CVE-2012-0066: DoS due to too large buffer alloc request
   * CVE-2012-0067: DoS due to integer underflow and too large buffer alloc. request
   * CVE-2012-0068: memory corruption due to buffer underflow

   Additionally, various other non-security issues were resolved.

Security Issue references:

   * CVE-2012-0041
   * CVE-2012-0043
   * CVE-2012-0042
   * CVE-2012-0066
   * CVE-2012-0067
   * CVE-2012-0068

Special Instructions and Notes:

   This update triggers a restart of the software management stack. More
   updates will be available for installation after applying this update and
   restarting the application.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1:
      zypper in -t patch sdksp1-wireshark-5741
   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-wireshark-5741
   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-wireshark-5741
   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-wireshark-5741

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.4.11]:
      wireshark-devel-1.4.11-0.2.2.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64) [New Version: 1.4.11]:
      wireshark-1.4.11-0.2.2.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 1.4.11]:
      wireshark-1.4.11-0.2.2.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.4.11]:
      wireshark-1.4.11-0.2.2.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 1.4.11]:
      wireshark-1.4.11-0.2.2.1

References:

   http://support.novell.com/security/cve/CVE-2012-0041.html
   http://support.novell.com/security/cve/CVE-2012-0042.html
   http://support.novell.com/security/cve/CVE-2012-0043.html
   http://support.novell.com/security/cve/CVE-2012-0066.html
   http://support.novell.com/security/cve/CVE-2012-0067.html
   http://support.novell.com/security/cve/CVE-2012-0068.html
   https://bugzilla.novell.com/741187
   https://bugzilla.novell.com/741188
   https://bugzilla.novell.com/741190
   http://download.novell.com/patch/finder/?keywords=18b5892df9e0199c97b6d5e6805fb1e9

From sle-security-updates at lists.suse.com Sun Feb 26 17:08:38 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 27 Feb 2012 01:08:38 +0100 (CET)
Subject: SUSE-SU-2012:0303-1: important: Security update for Mozilla Firefox
Message-ID: <20120227000838.7B8773216D@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0303-1
Rating:             important
References:         #747320 #747328
Cross-References:   CVE-2011-3026
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1 FOR SP2
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available. It includes one version update.

Description:

   Mozilla Firefox was updated to 10.0.2 to fix a security issue with the
   embedded libpng, where an integer overflow could allow remote attackers to
   crash the browser or potentially execute code (CVE-2011-3026).

Security Issue reference:

   * CVE-2011-3026

Special Instructions and Notes:

   This update triggers a restart of the software management stack. More
   updates will be available for installation after applying this update and
   restarting the application.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-MozillaFirefox-5838
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2:
      zypper in -t patch slessp1fsp2-MozillaFirefox-5838
   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-MozillaFirefox-5838
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:
      zypper in -t patch sledsp1fsp2-MozillaFirefox-5838
   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-MozillaFirefox-5838

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 10.0.2]:
      MozillaFirefox-10.0.2-0.4.1
      MozillaFirefox-translations-10.0.2-0.4.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.2]:
      MozillaFirefox-10.0.2-0.4.1
      MozillaFirefox-translations-10.0.2-0.4.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.2]:
      MozillaFirefox-10.0.2-0.4.1
      MozillaFirefox-translations-10.0.2-0.4.1
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64) [New Version: 10.0.2]:
      MozillaFirefox-10.0.2-0.4.1
      MozillaFirefox-translations-10.0.2-0.4.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 10.0.2]:
      MozillaFirefox-10.0.2-0.4.1
      MozillaFirefox-translations-10.0.2-0.4.1

References:

   http://support.novell.com/security/cve/CVE-2011-3026.html
   https://bugzilla.novell.com/747320
   https://bugzilla.novell.com/747328
   http://download.novell.com/patch/finder/?keywords=0b3170cde26e23e656224d9bf0f40649

From sle-security-updates at lists.suse.com Sun Feb 26 20:08:13 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 27 Feb 2012 04:08:13 +0100 (CET)
Subject: SUSE-SU-2011:0635-2: moderate: Security update for Linux kernel
Message-ID: <20120227030813.2D8123216D@maintenance.suse.de>

SUSE Security Update: Security update for Linux kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2011:0635-2
Rating:             moderate
References:         #211997 #363921 #506571 #518089 #570121 #584522 #597771
                    #59807 #598159 #599213 #599826 #608994 #612213 #615929
                    #620372 #641575 #644880 #646633 #647632 #650513 #651109
                    #652939 #652940 #655670 #657350 #657759 #660233 #664725
                    #678356 #686813
Affected Products:
                    SUSE Linux Enterprise Server 10 SP2
______________________________________________________________________________

   An update that contains security fixes can now be installed.
Description:

   This update fixes several security issues and various bugs in the SUSE
   Linux Enterprise 10 SP 2 Long Term Service Pack Support (LTSS) kernel.

   The following security issues were fixed:

   * CVE-2011-1573: Bounds checking was missing in AARESOLVE_OFFSET, which
     allowed local attackers to overwrite kernel memory and so escalate
     privileges or crash the kernel.
   * CVE-2010-3849: The econet_sendmsg function in net/econet/af_econet.c in
     the Linux kernel, when an econet address is configured, allowed local
     users to cause a denial of service (NULL pointer dereference and OOPS)
     via a sendmsg call that specifies a NULL value for the remote address
     field.
   * CVE-2010-3848: Stack-based buffer overflow in the econet_sendmsg
     function in net/econet/af_econet.c in the Linux kernel when an econet
     address is configured, allowed local users to gain privileges by
     providing a large number of iovec structures.
   * CVE-2010-3850: The ec_dev_ioctl function in net/econet/af_econet.c in
     the Linux kernel did not require the CAP_NET_ADMIN capability, which
     allowed local users to bypass intended access restrictions and configure
     econet addresses via an SIOCSIFADDR ioctl call.
   * CVE-2010-4258: A local attacker could use an Oops (kernel crash) caused
     by other flaws to write a 0 byte to an attacker-controlled address in
     the kernel. This could lead to privilege escalation together with other
     issues.
   * CVE-2010-4160: Multiple integer overflows in the (1) pppol2tp_sendmsg
     function in net/l2tp/l2tp_ppp.c, and the (2) l2tp_ip_sendmsg function in
     net/l2tp/l2tp_ip.c, in the PPPoL2TP and IPoL2TP implementations in the
     Linux kernel allowed local users to cause a denial of service (heap
     memory corruption and panic) or possibly gain privileges via a crafted
     sendto call.
   * CVE-2010-4157: A 32bit vs 64bit integer mismatch in gdth_ioctl_alloc
     could lead to memory corruption in the GDTH driver.
   * CVE-2010-3081: Incorrect buffer handling in the biarch-compat buffer
     handling could be used by local attackers to gain root privileges. This
     problem affects foremost x86_64, or potentially other biarch platforms,
     like PowerPC and S390x.
   * CVE-2010-2521: Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR
     implementation in the NFS server in the Linux kernel allowed remote
     attackers to cause a denial of service (panic) or possibly execute
     arbitrary code via a crafted NFSv4 compound WRITE request, related to
     the read_buf and nfsd4_decode_compound functions.

Indications:

   Everyone using the Linux Kernel on s390x architecture should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Package List:

   - SUSE Linux Enterprise Server 10 SP2 (s390x):
      kernel-default-2.6.16.60-0.42.11
      kernel-source-2.6.16.60-0.42.11
      kernel-syms-2.6.16.60-0.42.11

References:

   https://bugzilla.novell.com/211997
   https://bugzilla.novell.com/363921
   https://bugzilla.novell.com/506571
   https://bugzilla.novell.com/518089
   https://bugzilla.novell.com/570121
   https://bugzilla.novell.com/584522
   https://bugzilla.novell.com/597771
   https://bugzilla.novell.com/59807
   https://bugzilla.novell.com/598159
   https://bugzilla.novell.com/599213
   https://bugzilla.novell.com/599826
   https://bugzilla.novell.com/608994
   https://bugzilla.novell.com/612213
   https://bugzilla.novell.com/615929
   https://bugzilla.novell.com/620372
   https://bugzilla.novell.com/641575
   https://bugzilla.novell.com/644880
   https://bugzilla.novell.com/646633
   https://bugzilla.novell.com/647632
   https://bugzilla.novell.com/650513
   https://bugzilla.novell.com/651109
   https://bugzilla.novell.com/652939
   https://bugzilla.novell.com/652940
   https://bugzilla.novell.com/655670
   https://bugzilla.novell.com/657350
   https://bugzilla.novell.com/657759
   https://bugzilla.novell.com/660233
   https://bugzilla.novell.com/664725
   https://bugzilla.novell.com/678356
   https://bugzilla.novell.com/686813
   http://download.novell.com/patch/finder/?keywords=026b38ec9a6f1f9490f7afc997212483

From sle-security-updates at lists.suse.com Mon Feb 27 13:08:20 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 27 Feb 2012 21:08:20 +0100 (CET)
Subject: SUSE-SU-2012:0308-1: important: Security update for Java 1.6.0
Message-ID: <20120227200820.AE0A83216D@maintenance.suse.de>

SUSE Security Update: Security update for Java 1.6.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0308-1
Rating:             important
References:         #747208
Cross-References:   CVE-2011-3563 CVE-2011-3571 CVE-2011-5035 CVE-2012-0497
                    CVE-2012-0501 CVE-2012-0502 CVE-2012-0503 CVE-2012-0505
                    CVE-2012-0506
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available.
Description:

   java-1_6_0-openjdk was updated to the IcedTea 1.11.1 b24 release, fixing
   multiple security issues:

   * S7082299, CVE-2011-3571: Fix inAtomicReferenceArray
   * S7088367, CVE-2011-3563: Fix issues in java sound
   * S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
   * S7110687, CVE-2012-0503: Issues with TimeZone class
   * S7110700, CVE-2012-0505: Enhance exception throwing mechanism in
     ObjectStreamClass
   * S7110704, CVE-2012-0506: Issues with some method in corba
   * S7112642, CVE-2012-0497: Incorrect checking for graphics rendering
     object
   * S7118283, CVE-2012-0501: Better input parameter checking in zip file
     processing
   * S7126960, CVE-2011-5035: (httpserver) Add property to limit number of
     request headers to the HTTP Server

Security Issue references:

   * CVE-2011-3571
   * CVE-2011-3563
   * CVE-2012-0502
   * CVE-2012-0503
   * CVE-2012-0505
   * CVE-2012-0506
   * CVE-2012-0497
   * CVE-2012-0501
   * CVE-2011-5035

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:
      zypper in -t patch sledsp1fsp2-java-1_6_0-openjdk-5845
   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-java-1_6_0-openjdk-5845

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64):
      java-1_6_0-openjdk-1.6.0.0_b24.1.11.1-0.3.1
      java-1_6_0-openjdk-demo-1.6.0.0_b24.1.11.1-0.3.1
      java-1_6_0-openjdk-devel-1.6.0.0_b24.1.11.1-0.3.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
      java-1_6_0-openjdk-1.6.0.0_b24.1.11.1-0.3.1
      java-1_6_0-openjdk-demo-1.6.0.0_b24.1.11.1-0.3.1
      java-1_6_0-openjdk-devel-1.6.0.0_b24.1.11.1-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2011-3563.html
   http://support.novell.com/security/cve/CVE-2011-3571.html
   http://support.novell.com/security/cve/CVE-2011-5035.html
   http://support.novell.com/security/cve/CVE-2012-0497.html
   http://support.novell.com/security/cve/CVE-2012-0501.html
   http://support.novell.com/security/cve/CVE-2012-0502.html
   http://support.novell.com/security/cve/CVE-2012-0503.html
   http://support.novell.com/security/cve/CVE-2012-0505.html
   http://support.novell.com/security/cve/CVE-2012-0506.html
   https://bugzilla.novell.com/747208
   http://download.novell.com/patch/finder/?keywords=99d51f474667bf40a87309fbd3de5bbd

From sle-security-updates at lists.suse.com Mon Feb 27 13:08:32 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 27 Feb 2012 21:08:32 +0100 (CET)
Subject: SUSE-SU-2012:0311-1: moderate: Security update for CVS
Message-ID: <20120227200832.B0EC132170@maintenance.suse.de>

SUSE Security Update: Security update for CVS
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0311-1
Rating:             moderate
References:         #744059
Cross-References:   CVE-2012-0804
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1 FOR SP2
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   A heap-based buffer overflow flaw was found in the way CVS read proxy
   connection HTTP responses. An attacker could exploit this to cause the
   application to crash or, potentially, execute arbitrary code in the
   context of the user running the application (CVE-2012-0804).

Security Issue reference:

   * CVE-2012-0804

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2:
      zypper in -t patch sdksp1fsp2-cvs-5860
   - SUSE Linux Enterprise Software Development Kit 11 SP1:
      zypper in -t patch sdksp1-cvs-5860
   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-cvs-5860
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2:
      zypper in -t patch slessp1fsp2-cvs-5860
   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-cvs-5860
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:
      zypper in -t patch sledsp1fsp2-cvs-5860
   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-cvs-5860

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (i586 x86_64):
      cvs-doc-1.12.12-144.23.5.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64):
      cvs-doc-1.12.12-144.23.5.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
      cvs-1.12.12-144.23.5.1
      cvs-doc-1.12.12-144.23.5.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64):
      cvs-1.12.12-144.23.5.1
      cvs-doc-1.12.12-144.23.5.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      cvs-1.12.12-144.23.5.1
      cvs-doc-1.12.12-144.23.5.1
   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
      cvs-1.12.12-19.10.1
      cvs-doc-1.12.12-19.10.1
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64):
      cvs-1.12.12-144.23.5.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
      cvs-1.12.12-144.23.5.1
   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
      cvs-1.12.12-19.10.1
   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):
      cvs-doc-1.12.12-19.10.1

References:

   http://support.novell.com/security/cve/CVE-2012-0804.html
   https://bugzilla.novell.com/744059
   http://download.novell.com/patch/finder/?keywords=41477536d35b7564ae5f346cb53a4248
   http://download.novell.com/patch/finder/?keywords=41ed9e2e2ddfbd6e10469d928edf5ba4

From sle-security-updates at lists.suse.com Mon Feb 27 15:08:23 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 27 Feb 2012 23:08:23 +0100 (CET)
Subject: SUSE-SU-2012:0312-1: Security update for xorg-x11
Message-ID: <20120227220823.5711A3216F@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0312-1
Rating:             low
References:         #648287 #648290
Cross-References:   CVE-2010-4818 CVE-2010-4819
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update of xorg-x11 fixes an issue that could allow attackers to use
   GLX opcodes to read arbitrary memory locations (CVE-2010-4818).
   Additionally, a crash due to missing bounds checks in the Glyph Render
   protocol has been fixed (CVE-2010-4819).

   In both cases the attacker needs access to the X server to exploit the
   issue.

Security Issue references:

   * CVE-2010-4819
   * CVE-2010-4818

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      xorg-x11-6.9.0-50.78.5
      xorg-x11-Xnest-6.9.0-50.78.5
      xorg-x11-Xvfb-6.9.0-50.78.5
      xorg-x11-Xvnc-6.9.0-50.78.5
      xorg-x11-devel-6.9.0-50.78.5
      xorg-x11-doc-6.9.0-50.78.5
      xorg-x11-fonts-100dpi-6.9.0-50.78.5
      xorg-x11-fonts-75dpi-6.9.0-50.78.5
      xorg-x11-fonts-cyrillic-6.9.0-50.78.5
      xorg-x11-fonts-scalable-6.9.0-50.78.5
      xorg-x11-fonts-syriac-6.9.0-50.78.5
      xorg-x11-libs-6.9.0-50.78.5
      xorg-x11-man-6.9.0-50.78.5

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc x86_64):

      xorg-x11-sdk-6.9.0-50.78.5
      xorg-x11-server-6.9.0-50.78.5
      xorg-x11-server-glx-6.9.0-50.78.5

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      xorg-x11-devel-32bit-6.9.0-50.78.5
      xorg-x11-libs-32bit-6.9.0-50.78.5

   - SUSE Linux Enterprise Server 10 SP4 (ia64):

      xorg-x11-libs-x86-6.9.0-50.78.5

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      xorg-x11-devel-64bit-6.9.0-50.78.5
      xorg-x11-libs-64bit-6.9.0-50.78.5

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      xorg-x11-6.9.0-50.78.5
      xorg-x11-Xnest-6.9.0-50.78.5
      xorg-x11-Xvfb-6.9.0-50.78.5
      xorg-x11-Xvnc-6.9.0-50.78.5
      xorg-x11-devel-6.9.0-50.78.5
      xorg-x11-fonts-100dpi-6.9.0-50.78.5
      xorg-x11-fonts-75dpi-6.9.0-50.78.5
      xorg-x11-fonts-cyrillic-6.9.0-50.78.5
      xorg-x11-fonts-scalable-6.9.0-50.78.5
      xorg-x11-fonts-syriac-6.9.0-50.78.5
      xorg-x11-libs-6.9.0-50.78.5
      xorg-x11-man-6.9.0-50.78.5
      xorg-x11-server-6.9.0-50.78.5
      xorg-x11-server-glx-6.9.0-50.78.5

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):

      xorg-x11-devel-32bit-6.9.0-50.78.5
      xorg-x11-libs-32bit-6.9.0-50.78.5

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

      xorg-x11-Xvfb-6.9.0-50.78.5
      xorg-x11-doc-6.9.0-50.78.5

   - SLE SDK 10 SP4 (i586 ia64 ppc x86_64):

      xorg-x11-sdk-6.9.0-50.78.5

References:

   http://support.novell.com/security/cve/CVE-2010-4818.html
   http://support.novell.com/security/cve/CVE-2010-4819.html
   https://bugzilla.novell.com/648287
   https://bugzilla.novell.com/648290
   http://download.novell.com/patch/finder/?keywords=926559701859ebd386944eb1075ad07e


From sle-security-updates at lists.suse.com  Tue Feb 28 14:37:10 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 28 Feb 2012 22:37:10 +0100 (CET)
Subject: SUSE-SU-2012:0318-1: important: Security update for libpng
Message-ID: <20120228213710.41A3E3216F@maintenance.suse.de>

SUSE Security Update: Security update for libpng
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0318-1
Rating:             important
References:         #747311
Cross-References:   CVE-2011-3026
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1 FOR SP2
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   A heap-based buffer overflow in libpng was fixed that could potentially
   be exploited by attackers to execute arbitrary code or cause an
   application to crash (CVE-2011-3026).

Security Issue reference:

   * CVE-2011-3026

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2:

      zypper in -t patch sdksp1fsp2-libpng-devel-5857

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-libpng-devel-5857

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-libpng-devel-5857

   - SUSE Linux Enterprise Server 11 SP1 FOR SP2:

      zypper in -t patch slessp1fsp2-libpng-devel-5857

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-libpng-devel-5857

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:

      zypper in -t patch sledsp1fsp2-libpng-devel-5857

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-libpng-devel-5857

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64):

      libpng-devel-1.2.31-5.27.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (ppc64 s390x x86_64):

      libpng-devel-32bit-1.2.31-5.27.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      libpng-devel-1.2.31-5.27.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64 s390x x86_64):

      libpng-devel-32bit-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):

      libpng12-0-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64):

      libpng12-0-32bit-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64):

      libpng12-0-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (ppc64 s390x x86_64):

      libpng12-0-32bit-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (ia64):

      libpng12-0-x86-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      libpng12-0-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64):

      libpng12-0-32bit-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 11 SP1 (ia64):

      libpng12-0-x86-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      libpng-1.2.8-19.33.7
      libpng-devel-1.2.8-19.33.7

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      libpng-32bit-1.2.8-19.33.7
      libpng-devel-32bit-1.2.8-19.33.7

   - SUSE Linux Enterprise Server 10 SP4 (ia64):

      libpng-x86-1.2.8-19.33.7

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      libpng-64bit-1.2.8-19.33.7
      libpng-devel-64bit-1.2.8-19.33.7

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64):

      libpng-devel-1.2.31-5.27.1
      libpng12-0-1.2.31-5.27.1

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (x86_64):

      libpng12-0-32bit-1.2.31-5.27.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):

      libpng-devel-1.2.31-5.27.1
      libpng12-0-1.2.31-5.27.1

   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64):

      libpng12-0-32bit-1.2.31-5.27.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      libpng-1.2.8-19.33.7
      libpng-devel-1.2.8-19.33.7

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):

      libpng-32bit-1.2.8-19.33.7
      libpng-devel-32bit-1.2.8-19.33.7

References:

   http://support.novell.com/security/cve/CVE-2011-3026.html
   https://bugzilla.novell.com/747311
   http://download.novell.com/patch/finder/?keywords=2690ba40942c362f70510de200d29b85
   http://download.novell.com/patch/finder/?keywords=318c86355183d8c29b4dff152150bd1c
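Each of the advisories above (cvs, xorg-x11, libpng) ends with a Package List giving the fixed NAME-VERSION-RELEASE per product, and the practical follow-up to "zypper in -t patch ..." is confirming that the installed versions are at or above those. The script below is an added example, not SUSE tooling or anything from the advisories: it parses an advisory Package List and compares it with `rpm -qa` style output. It reimplements rpm's version ordering (digit runs compared as integers, a digit run newer than a letter run, leftover segments win) instead of calling rpm, and does not handle tilde or caret markers or epochs, none of which appear in these advisories. The Package List excerpt is copied from the libpng advisory; the `rpm -qa` lines are constructed to show a host whose 32-bit library is already at the fixed release while the main libpng12-0 is one release behind. The function names (rpmvercmp, parse_package_list, unpatched) are this example's own.

```python
"""Check installed RPM versions against the fixed versions in a SUSE advisory.

Added example, not SUSE tooling. rpm's version ordering is reimplemented so
the script runs anywhere Python does and can be fed saved `rpm -qa` output.
"""
import re
from typing import Dict, List, Tuple

# Package List excerpt copied from SUSE-SU-2012:0318-1 (libpng), SLES 11 SP1
# and SLES 10 SP4 entries only. The parser stops at the "References:" heading.
ADVISORY_PACKAGE_LIST = """
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      libpng12-0-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64):

      libpng12-0-32bit-1.2.31-5.27.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      libpng-1.2.8-19.33.7
      libpng-devel-1.2.8-19.33.7

References:
"""

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` on a
# SLES 11 SP1 x86_64 host: the 32-bit library is at the fixed release, the main
# libpng12-0 is one release behind. Not real output from the advisory.
SAMPLE_RPM_QA = """\
libpng12-0 1.2.31-5.26.1
libpng12-0-32bit 1.2.31-5.27.1
bash 3.2-147.14.22
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings the way rpm does; returns -1/0/1.

    Strings are split into digit runs and letter runs, separators ignored.
    Digit runs compare as integers (so 1.2.31 > 1.2.8), a digit run beats a
    letter run, letter runs compare as strings, and the side with segments
    left over is newer. Tilde/caret markers are not handled (none here).
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def compare_vr(installed: str, fixed: str) -> int:
    """Compare 'VERSION-RELEASE' strings: version first, release breaks ties."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def split_nvr(nvr: str) -> Tuple[str, str]:
    """'libpng12-0-1.2.31-5.27.1' -> ('libpng12-0', '1.2.31-5.27.1').
    Names may contain hyphens; version and release never do, so split right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, f"{version}-{release}"


def parse_package_list(text: str) -> Dict[str, Dict[str, str]]:
    """Map each product in a Package List to {package name: fixed VERSION-RELEASE}.
    Sections for the same product with different arch lists are merged."""
    fixed: Dict[str, Dict[str, str]] = {}
    product = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- ") and line.endswith(":"):
            product = line[2:-1].rsplit(" (", 1)[0]  # drop the "(arch ...)" part
            fixed.setdefault(product, {})
        elif line.endswith(":"):  # "References:" or another heading ends the list
            product = None
        elif product is not None:
            name, vr = split_nvr(line)
            fixed[product][name] = vr
    return fixed


def unpatched(product: str, rpm_qa: str, advisory: str) -> List[Tuple[str, str, str]]:
    """(name, installed VR, fixed VR) for each installed package the advisory
    lists for this product whose installed version is below the fixed one."""
    wanted = parse_package_list(advisory).get(product, {})
    result = []
    for line in rpm_qa.splitlines():
        if not line.strip():
            continue
        name, installed = line.split()
        if name in wanted and compare_vr(installed, wanted[name]) < 0:
            result.append((name, installed, wanted[name]))
    return result


if __name__ == "__main__":
    for name, have, need in unpatched("SUSE Linux Enterprise Server 11 SP1",
                                      SAMPLE_RPM_QA, ADVISORY_PACKAGE_LIST):
        print(f"{name}: installed {have} is older than fixed {need}")
```

On a real host, replace SAMPLE_RPM_QA with the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` and pick the product string that matches the installation. The segment-wise compare matters: a plain string comparison would rank the SLE 10 version 1.2.8 above the SLE 11 version 1.2.31. A version at or above the fix only shows the package landed; processes that loaded the old libpng (or the running X server, for the xorg-x11 update) still use the old code until restarted.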