From sle-security-updates at lists.suse.com Mon Jul 2 09:08:32 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Jul 2012 17:08:32 +0200 (CEST)
Subject: SUSE-SU-2012:0807-1: Security update for GnuTLS
Message-ID: <20120702150832.E99013284D@maintenance.suse.de>

   SUSE Security Update: Security update for GnuTLS
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0807-1
Rating:             low
References:         #739898 #753301 #754223
Cross-References:   CVE-2012-0390
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now available.

Description:

   This update of GnuTLS fixes multiple vulnerabilities:

   * CVE-2012-1569: remote attackers could cause a denial of service (heap
     memory corruption and application crash) via an issue in the
     asn1_get_length_der() function
   * CVE-2012-1573: crafted GenericBlockCipher structures allow remote
     attackers to cause a denial of service (heap memory corruption and
     application crash)
   * CVE-2012-0390: A vulnerability in the DTLS implementation which could
     allow remote attackers to recover partial plaintext via a timing
     side-channel attack was fixed.
Security Issue reference:

   * CVE-2012-0390

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
       gnutls-1.2.10-13.30.1
       gnutls-devel-1.2.10-13.30.1
   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):
       gnutls-32bit-1.2.10-13.30.1
       gnutls-devel-32bit-1.2.10-13.30.1
   - SUSE Linux Enterprise Server 10 SP4 (ia64):
       gnutls-x86-1.2.10-13.30.1
   - SUSE Linux Enterprise Server 10 SP4 (ppc):
       gnutls-64bit-1.2.10-13.30.1
       gnutls-devel-64bit-1.2.10-13.30.1
   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
       gnutls-1.2.10-13.30.1
       gnutls-devel-1.2.10-13.30.1
   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
       gnutls-32bit-1.2.10-13.30.1
       gnutls-devel-32bit-1.2.10-13.30.1

References:

   http://support.novell.com/security/cve/CVE-2012-0390.html
   https://bugzilla.novell.com/739898
   https://bugzilla.novell.com/753301
   https://bugzilla.novell.com/754223
   http://download.novell.com/patch/finder/?keywords=db5ce46e4686a3180984675829d5453e

From sle-security-updates at lists.suse.com Mon Jul 2 09:08:35 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Jul 2012 17:08:35 +0200 (CEST)
Subject: SUSE-SU-2012:0808-1: Security update for socat
Message-ID: <20120702150835.60C6A3284D@maintenance.suse.de>

   SUSE Security Update: Security update for socat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0808-1
Rating:             low
References:         #627475 #759859
Cross-References:   CVE-2010-2799 CVE-2012-0219
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP1
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.
Description:

   This update fixes two small security issues in socat:

   * Fixed a stack overflow in commandline parsing (bnc#627475 /
     CVE-2010-2799). Only exploitable if an attacker can control the
     commandline parameters.
   * Fixed heap overflow in READLINE output mode (bnc#759859 /
     CVE-2012-0219)

Security Issue references:

   * CVE-2012-0219
   * CVE-2010-2799

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2:
       zypper in -t patch slessp1-socat-6407
   - SUSE Linux Enterprise Server 11 SP1 for VMware:
       zypper in -t patch slessp1-socat-6407
   - SUSE Linux Enterprise Server 11 SP1:
       zypper in -t patch slessp1-socat-6407
   - SUSE Linux Enterprise Desktop 11 SP2:
       zypper in -t patch sledsp1-socat-6407
   - SUSE Linux Enterprise Desktop 11 SP1:
       zypper in -t patch sledsp1-socat-6407

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
       socat-1.7.0.0-1.16.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
       socat-1.7.0.0-1.16.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):
       socat-1.7.0.0-1.16.1
   - SUSE Linux Enterprise Server 10 SP4 (i586 x86_64):
       socat-1.7.0.0-1.10.1
   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
       socat-1.7.0.0-1.16.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
       socat-1.7.0.0-1.16.1
   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
       socat-1.7.0.0-1.10.1

References:

   http://support.novell.com/security/cve/CVE-2010-2799.html
   http://support.novell.com/security/cve/CVE-2012-0219.html
   https://bugzilla.novell.com/627475
   https://bugzilla.novell.com/759859
   http://download.novell.com/patch/finder/?keywords=1247a92da8b58834174608c8159b5c1a
   http://download.novell.com/patch/finder/?keywords=26d6956b5e38b37b8fb00575dde970ba

From sle-security-updates at lists.suse.com Tue Jul 3 08:08:21 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Jul 2012 16:08:21 +0200 (CEST)
Subject: SUSE-SU-2012:0814-1: important: Security update for cobbler
Message-ID: <20120703140821.DB0FA3284F@maintenance.suse.de>

   SUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0814-1
Rating:             important
References:         #763610
Cross-References:   CVE-2012-2395
Affected Products:
                    SUSE Manager Client Tools for SLE 11 SP1
                    SUSE Manager 1.2 for SLE 11 SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update of cobbler fixes a remote code execution flaw which could
   have been exploited through cobbler's XMLRPC API (CVE-2012-2395).

Security Issue references:

   * CVE-2012-2395

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Client Tools for SLE 11 SP1:
       zypper in -t patch slesctsp1-cobbler-6378
   - SUSE Manager 1.2 for SLE 11 SP1:
       zypper in -t patch sleman12sp1-cobbler-6378

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Manager Client Tools for SLE 11 SP1 (x86_64):
       koan-2.0.10-0.38.1
   - SUSE Manager 1.2 for SLE 11 SP1 (x86_64):
       cobbler-2.0.10-0.38.1

References:

   http://support.novell.com/security/cve/CVE-2012-2395.html
   https://bugzilla.novell.com/763610
   http://download.novell.com/patch/finder/?keywords=a80df9eb737ded8b7bd7a02f531b043b

From sle-security-updates at lists.suse.com Tue Jul 3 16:09:07 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Jul 2012 00:09:07 +0200 (CEST)
Subject: SUSE-SU-2012:0817-1: moderate: Security update for hyper-v
Message-ID: <20120703220907.17BC53284D@maintenance.suse.de>

   SUSE Security Update: Security update for hyper-v
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0817-1
Rating:             moderate
References:         #761200
Cross-References:   CVE-2012-2669
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The Hyper-V userland daemon was updated to match the current kernel
   Hyper-V feature level. It brings key-value-pair storage that can be
   queried by the kernel via the netlink interface and can pass
   information out to the Hyper-V hypervisor.

   The netlink query code was adjusted to only allow the Linux kernel to
   access it via netlink messages (CVE-2012-2669).

Security Issue reference:

   * CVE-2012-2669

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2:
       zypper in -t patch slessp2-hyper-v-6431

   To bring your system up-to-date, use "zypper patch".
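The hyper-v advisory above says the KVP daemon's netlink query code was changed so that only the Linux kernel can reach it (CVE-2012-2669). The following is an added example written for this page, not hv_kvp_daemon code: it shows the check a userspace netlink consumer can apply to every received datagram. The sender address that recvfrom()/recvmsg() fills in must carry port id 0, which only the kernel uses (every userspace netlink socket has a non-zero nl_pid), and the header must pass NLMSG_OK before any payload is read. It relies on the Linux <linux/netlink.h> macros, so it builds on Linux only; the function name and the constructed test datagram are this example's own assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/*
 * Added illustration, not the hv_kvp_daemon source.  A daemon that answers
 * kernel queries over netlink receives each datagram together with the
 * sender's struct sockaddr_nl.  Only the kernel sends with nl_pid == 0, so
 * before acting on a request: require a complete AF_NETLINK sender address
 * with nl_pid 0, require that the nlmsghdr and its nlmsg_len fit inside the
 * bytes actually received (NLMSG_OK), and require at least `min_payload`
 * bytes of payload before the handler reads them.
 * Returns a pointer to the payload on success, NULL otherwise.
 */
const void *netlink_request_from_kernel(const struct sockaddr_nl *from,
                                        socklen_t from_len,
                                        const void *buf, size_t buf_len,
                                        size_t min_payload)
{
    if (from == NULL || buf == NULL || buf_len > INT_MAX)
        return NULL;
    if (from_len < sizeof(*from) || from->nl_family != AF_NETLINK)
        return NULL;
    if (from->nl_pid != 0)            /* a userspace process, not the kernel */
        return NULL;

    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    if (!NLMSG_OK(nlh, (int)buf_len))  /* header complete, nlmsg_len <= buf_len */
        return NULL;
    if (NLMSG_PAYLOAD(nlh, 0) < min_payload)
        return NULL;
    return (const char *)nlh + NLMSG_HDRLEN;
}

/* Exercises the check on a constructed datagram; returns 1 if all cases hold. */
int netlink_origin_selftest(void)
{
    /* Constructed datagram: one netlink header plus 8 bytes of payload. */
    union {
        struct nlmsghdr hdr;
        unsigned char raw[NLMSG_SPACE(8)];
    } msg;
    memset(&msg, 0, sizeof msg);
    msg.hdr.nlmsg_len = NLMSG_LENGTH(8);
    msg.hdr.nlmsg_type = 1;
    memcpy(msg.raw + NLMSG_HDRLEN, "request!", 8);

    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    struct sockaddr_nl other  = { .nl_family = AF_NETLINK, .nl_pid = 4242 };
    const void *p;

    /* From the kernel with a complete header: accepted, payload visible. */
    p = netlink_request_from_kernel(&kernel, sizeof kernel, msg.raw, sizeof msg, 8);
    if (p == NULL || memcmp(p, "request!", 8) != 0)
        return 0;
    /* Identical bytes from a userspace port id: rejected. */
    if (netlink_request_from_kernel(&other, sizeof other, msg.raw, sizeof msg, 8) != NULL)
        return 0;
    /* Kernel origin, but the datagram stops short of nlmsg_len: rejected. */
    if (netlink_request_from_kernel(&kernel, sizeof kernel, msg.raw, 12, 8) != NULL)
        return 0;
    /* Kernel origin, but less payload than the handler would read: rejected. */
    if (netlink_request_from_kernel(&kernel, sizeof kernel, msg.raw, sizeof msg, 16) != NULL)
        return 0;
    return 1;
}

int main(void)
{
    printf("netlink origin self-test: %s\n",
           netlink_origin_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The origin check is only meaningful when the address really came from the socket layer (recvfrom()/recvmsg() with a sockaddr_nl of full length); a daemon that parses the payload first and looks at the sender afterwards has already done the work an attacker wanted.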
Package List:

   - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64):
       hyper-v-3-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2012-2669.html
   https://bugzilla.novell.com/761200
   http://download.novell.com/patch/finder/?keywords=e70f5ee49a7d2feb951ac6fe0ea3a0c3

From sle-security-updates at lists.suse.com Tue Jul 3 17:08:35 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Jul 2012 01:08:35 +0200 (CEST)
Subject: SUSE-SU-2012:0818-1: Security update for GnuTLS
Message-ID: <20120703230835.BD28632847@maintenance.suse.de>

   SUSE Security Update: Security update for GnuTLS
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0818-1
Rating:             low
References:         #739898 #753301 #754223 #754953
Cross-References:   CVE-2012-0390
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise High Availability Extension 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now available.

Description:

   This update of GnuTLS fixes multiple vulnerabilities:

   * CVE-2012-1569: remote attackers could cause a denial of service (heap
     memory corruption and application crash) via an issue in the
     asn1_get_length_der() function
   * CVE-2012-1573: crafted GenericBlockCipher structures allow remote
     attackers to cause a denial of service (heap memory corruption and
     application crash)
   * CVE-2012-0390: A vulnerability in the DTLS implementation which could
     allow remote attackers to recover partial plaintext via a timing
     side-channel attack was fixed.

   In addition, support for customizing the signing function was added.
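Both GnuTLS advisories on this page (SUSE-SU-2012:0807-1 and SUSE-SU-2012:0818-1) attribute CVE-2012-1569 to asn1_get_length_der(), the libtasn1 routine GnuTLS uses to decode a DER length field. The advisories give no detail of the defect itself, so what follows is an added, generic illustration written for this page and not libtasn1 code: a DER length decoder that checks every byte it reads and the declared content length against the bytes actually available, which is the class of check such a routine needs before a caller sizes a heap buffer from its result. The function name, return codes and constructed test inputs are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not libtasn1 code.  Decode the length field of a DER
 * TLV: `der` points at the first length octet and `der_len` is how many
 * bytes are readable from there.  On success *out_len receives the content
 * length and the return value is the number of length octets consumed.
 * Returns -1 for malformed or truncated encodings and -2 when the declared
 * content length exceeds the bytes that actually follow the length field.
 * Every read of der[] is preceded by a check that the byte exists.
 */
int der_length_decode(const uint8_t *der, size_t der_len, size_t *out_len)
{
    if (der == NULL || out_len == NULL || der_len == 0)
        return -1;

    uint8_t first = der[0];

    /* Short form: one octet carrying a value 0..127. */
    if ((first & 0x80) == 0) {
        if ((size_t)first > der_len - 1)
            return -2;                     /* content runs past the buffer */
        *out_len = first;
        return 1;
    }

    size_t n = first & 0x7f;               /* number of length octets following */

    /* 0x80 is the indefinite form (not DER); 0xff is reserved. */
    if (n == 0 || n == 0x7f)
        return -1;
    /* Wider than size_t can never be satisfied by a real buffer. */
    if (n > sizeof(size_t))
        return -1;
    /* All n octets must be present before any of them is read. */
    if (n > der_len - 1)
        return -1;
    /* DER forbids a leading zero octet in the long form. */
    if (der[1] == 0)
        return -1;

    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | der[1 + i];

    /* DER uses the long form only for values that need it (>= 128). */
    if (len < 0x80)
        return -1;
    /* The content must fit in what remains after the length octets. */
    if (len > der_len - 1 - n)
        return -2;

    *out_len = len;
    return (int)(1 + n);
}

/* Exercises the decoder on constructed inputs; returns 1 if all behave. */
int der_length_selftest(void)
{
    size_t len;
    uint8_t longbuf[2 + 128];
    memset(longbuf, 'x', sizeof longbuf);
    longbuf[0] = 0x81;                     /* long form, one length octet */
    longbuf[1] = 0x80;                     /* 128 bytes of content follow */

    static const uint8_t ok_short[]    = { 0x05, 'a', 'b', 'c', 'd', 'e' };
    static const uint8_t trunc_short[] = { 0x05, 'a', 'b' };
    static const uint8_t nonminimal[]  = { 0x81, 0x05, 'a' };
    static const uint8_t indefinite[]  = { 0x80, 'a' };
    static const uint8_t missing_oct[] = { 0x82, 0x01 };
    static const uint8_t oversized[]   = { 0x84, 0xff, 0xff, 0xff, 0xff };

    if (der_length_decode(ok_short, sizeof ok_short, &len) != 1 || len != 5)
        return 0;
    if (der_length_decode(trunc_short, sizeof trunc_short, &len) != -2)
        return 0;
    if (der_length_decode(longbuf, sizeof longbuf, &len) != 2 || len != 128)
        return 0;
    if (der_length_decode(nonminimal, sizeof nonminimal, &len) != -1)
        return 0;
    if (der_length_decode(indefinite, sizeof indefinite, &len) != -1)
        return 0;
    if (der_length_decode(missing_oct, sizeof missing_oct, &len) != -1)
        return 0;
    if (der_length_decode(oversized, sizeof oversized, &len) != -2)
        return 0;
    return 1;
}

int main(void)
{
    printf("DER length decoder self-test: %s\n",
           der_length_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The point of the -2 result is that a caller must never allocate or copy based on a decoded length before the decoder has confirmed that many bytes exist; a decoder that returns the length first and lets the caller find out is exactly the shape that ends in heap corruption.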
Security Issue references:

   * CVE-2012-0390

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
       zypper in -t patch sdksp1-gnutls-6448
   - SUSE Linux Enterprise Software Development Kit 11 SP1:
       zypper in -t patch sdksp1-gnutls-6448
   - SUSE Linux Enterprise Server 11 SP2:
       zypper in -t patch slessp1-gnutls-6448
   - SUSE Linux Enterprise Server 11 SP1 for VMware:
       zypper in -t patch slessp1-gnutls-6448
   - SUSE Linux Enterprise Server 11 SP1:
       zypper in -t patch slessp1-gnutls-6448
   - SUSE Linux Enterprise High Availability Extension 11 SP1:
       zypper in -t patch sleshasp1-gnutls-6448
   - SUSE Linux Enterprise Desktop 11 SP2:
       zypper in -t patch sledsp1-gnutls-6448
   - SUSE Linux Enterprise Desktop 11 SP1:
       zypper in -t patch sledsp1-gnutls-6448

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
       libgnutls-devel-2.4.1-24.39.39.1
       libgnutls-extra-devel-2.4.1-24.39.39.1
       libgnutls-extra26-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):
       libgnutls-devel-2.4.1-24.39.39.1
       libgnutls-extra-devel-2.4.1-24.39.39.1
       libgnutls-extra26-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
       gnutls-2.4.1-24.39.39.1
       libgnutls-extra26-2.4.1-24.39.39.1
       libgnutls26-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):
       libgnutls26-32bit-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Server 11 SP2 (ia64):
       libgnutls26-x86-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
       gnutls-2.4.1-24.39.39.1
       libgnutls26-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64):
       libgnutls26-32bit-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):
       gnutls-2.4.1-24.39.39.1
       libgnutls-extra26-2.4.1-24.39.39.1
       libgnutls26-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64):
       libgnutls26-32bit-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Server 11 SP1 (ia64):
       libgnutls26-x86-2.4.1-24.39.39.1
   - SUSE Linux Enterprise High Availability Extension 11 SP1 (i586 ia64 ppc64 s390x x86_64):
       libgnutls-extra26-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
       gnutls-2.4.1-24.39.39.1
       libgnutls26-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):
       libgnutls26-32bit-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
       gnutls-2.4.1-24.39.39.1
       libgnutls26-2.4.1-24.39.39.1
   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64):
       libgnutls26-32bit-2.4.1-24.39.39.1

References:

   http://support.novell.com/security/cve/CVE-2012-0390.html
   https://bugzilla.novell.com/739898
   https://bugzilla.novell.com/753301
   https://bugzilla.novell.com/754223
   https://bugzilla.novell.com/754953
   http://download.novell.com/patch/finder/?keywords=fd80f415721de0852c2a3ff1ffa6e262

From sle-security-updates at lists.suse.com Tue Jul 3 18:08:26 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Jul 2012 02:08:26 +0200 (CEST)
Subject: SUSE-SU-2012:0819-1: moderate: Security update for SUSE Manager client tools
Message-ID: <20120704000826.B75973284F@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager client tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0819-1
Rating:             moderate
References:         #764532 #766148
Cross-References:   CVE-2012-2679
Affected Products:
                    SUSE Manager Client Tools for SLE 11 SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update fixes the following issue:

   * support new function signature for image deployment.
   * fixed insecure permissions used for /var/log/rhncfg-actions file

Security Issue reference:

   * CVE-2012-2679

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Client Tools for SLE 11 SP1:
       zypper in -t patch slesctsp1-client-tools-201206-6443

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager Client Tools for SLE 11 SP1 (noarch):
       rhn-virtualization-common-5.4.15-0.15.2
       rhn-virtualization-host-5.4.15-0.15.2
       rhncfg-5.9.33-0.20.1
       rhncfg-actions-5.9.33-0.20.1
       rhncfg-client-5.9.33-0.20.1
       rhncfg-management-5.9.33-0.20.1

References:

   http://support.novell.com/security/cve/CVE-2012-2679.html
   https://bugzilla.novell.com/764532
   https://bugzilla.novell.com/766148
   http://download.novell.com/patch/finder/?keywords=809f7eda81dd96dabc16151753b8ab6d

From sle-security-updates at lists.suse.com Tue Jul 3 18:08:28 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Jul 2012 02:08:28 +0200 (CEST)
Subject: SUSE-SU-2012:0820-1: moderate: Security update for SUSE Manager client tools
Message-ID: <20120704000828.B17903284F@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager client tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0820-1
Rating:             moderate
References:         #766148
Cross-References:   CVE-2012-2679
Affected Products:
                    SLE CLIENT TOOLS 10 for x86_64
                    SLE CLIENT TOOLS 10 for s390x
                    SLE CLIENT TOOLS 10 for ia64
                    SLE CLIENT TOOLS 10 for PPC
                    SLE CLIENT TOOLS 10
______________________________________________________________________________

   An update that fixes one vulnerability is now available.
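SUSE-SU-2012:0819-1 above and SUSE-SU-2012:0820-1 both fix insecure permissions on /var/log/rhncfg-actions (CVE-2012-2679). rhncfg itself is Python, but the rule is the same at the system-call level, and the following added example (written for this page, not rhncfg code) shows it in C: create the log with an explicit 0600 mode instead of trusting the umask, refuse to follow a symlink planted at the path, verify the open descriptor rather than the path, and tighten a pre-existing file that still carries group/other bits. The scratch directory under /tmp used by the self-test is an assumption of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Added illustration, not rhncfg code.  Open an append-only log that must
 * stay private to its owner:
 *   - create it with mode 0600 rather than relying on the umask,
 *   - refuse to follow a symlink planted at the path (O_NOFOLLOW),
 *   - verify via fstat() that the descriptor is a regular file we own,
 *   - tighten a pre-existing file that still has group/other bits set.
 * Returns the descriptor, or -1 on any failure.
 */
int open_private_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    /* fchmod on the open descriptor: no race against a path swap. */
    if ((st.st_mode & 077) != 0 && fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns 1 if `path` is a regular file (not a symlink) with mode 0600. */
int log_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
}

/* Exercises the rules in a scratch directory; returns 1 if all of them hold. */
int private_log_selftest(void)
{
    char dir[] = "/tmp/privlog.XXXXXX";   /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return 0;
    char path[64], link[64];
    snprintf(path, sizeof path, "%s/actions.log", dir);
    snprintf(link, sizeof link, "%s/planted.log", dir);

    int ok = 0;
    mode_t saved = umask(0);              /* a lax umask must not widen the file */
    int fd = open_private_log(path);
    if (fd >= 0 && log_is_private(path) && write(fd, "action 1\n", 9) == 9) {
        close(fd);
        /* Pre-fix state: the log already exists world-readable. */
        if (chmod(path, 0644) == 0 && (fd = open_private_log(path)) >= 0) {
            close(fd);
            /* A symlink at the log path is refused, not followed. */
            if (log_is_private(path) && symlink(path, link) == 0
                && open_private_log(link) == -1)
                ok = 1;
        }
    }
    umask(saved);
    unlink(link);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("private log self-test: %s\n",
           private_log_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Checking the descriptor after open() rather than stat()-ing the path first matters because a path check and a later open are two separate operations; fstat() and fchmod() apply to the file that was actually opened.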
Description:

   This update for the Client Tools for SUSE Manager fixes the following
   issue:

   * fixed insecure permissions used for /var/log/rhncfg-actions file

Security Issue reference:

   * CVE-2012-2679

Package List:

   - SLE CLIENT TOOLS 10 for x86_64 (noarch):
       rhncfg-5.9.33-0.11.1
       rhncfg-actions-5.9.33-0.11.1
       rhncfg-client-5.9.33-0.11.1
       rhncfg-management-5.9.33-0.11.1
   - SLE CLIENT TOOLS 10 for s390x (noarch):
       rhncfg-5.9.33-0.11.1
       rhncfg-actions-5.9.33-0.11.1
       rhncfg-client-5.9.33-0.11.1
       rhncfg-management-5.9.33-0.11.1
   - SLE CLIENT TOOLS 10 for ia64 (noarch):
       rhncfg-5.9.33-0.11.1
       rhncfg-actions-5.9.33-0.11.1
       rhncfg-client-5.9.33-0.11.1
       rhncfg-management-5.9.33-0.11.1
   - SLE CLIENT TOOLS 10 for PPC (noarch):
       rhncfg-5.9.33-0.11.1
       rhncfg-actions-5.9.33-0.11.1
       rhncfg-client-5.9.33-0.11.1
       rhncfg-management-5.9.33-0.11.1
   - SLE CLIENT TOOLS 10 (noarch):
       rhncfg-5.9.33-0.11.1
       rhncfg-actions-5.9.33-0.11.1
       rhncfg-client-5.9.33-0.11.1
       rhncfg-management-5.9.33-0.11.1

References:

   http://support.novell.com/security/cve/CVE-2012-2679.html
   https://bugzilla.novell.com/766148
   http://download.novell.com/patch/finder/?keywords=312da6fd636d091671aa5a052e6d18bb

From sle-security-updates at lists.suse.com Tue Jul 3 22:08:30 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Jul 2012 06:08:30 +0200 (CEST)
Subject: SUSE-SU-2012:0821-1: moderate: Security update for SUSE Manager
Message-ID: <20120704040830.E4E663284F@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0821-1
Rating:             moderate
References:         #753326 #760306 #760771 #761165 #763878 #763891 #764532
                    #764544 #765053
Cross-References:   CVE-2012-0414
Affected Products:
                    SUSE Manager 1.2 for SLE 11 SP1
______________________________________________________________________________

   An update that solves one vulnerability and has 8 fixes is now available.
   It includes one version update.

Description:

   This update fixes the following issues:

   * new function signature for image deployment
   * ignore ip6addr if provided with hw_refresh from newer client versions
   * do not add a bootstrap repository on SLES 11-SP2
   * escape image names to prevent XSS (CVE-2012-0414)
   * spacewalk-dobby now requires oracle-update
   * fix owner and permissions of /etc/rhn for spacewalk-dobby
   * make values in suseProductChannel unique before adding an unique index
   * added desktop file for susemanager_setup YaST module
   * add missing schema migration for rhnErrataBuglistTmp.
   * add option to migrate channels to RES subscriptions (bnc#765053)
   * fix schema upgrade
   * improved performance for repomd generation
   * fix ISE during registration because of duplicate ids
   * fix wrong transaction name in unsubscribe_channels
   * fix saving of SUSE Product names

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service:
        spacewalk-service stop
      If the SUSE Manager database is running on the same machine as the
      SUSE Manager server, this command also stops the SUSE Manager
      database instance.
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. If the SUSE Manager database is running on the same machine as your
      SUSE Manager server, start the database instance with
        /etc/init.d/oracle-xe start
      or
        /etc/init.d/oracle start
   5. Upgrade the database schema with
        spacewalk-schema-upgrade
   6. Start the Spacewalk service:
        spacewalk-service start

Security Issue reference:

   * CVE-2012-0414

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.2 for SLE 11 SP1:
       zypper in -t patch sleman12sp1-spacewalk-backend-6445

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Manager 1.2 for SLE 11 SP1 (x86_64):
       spacewalk-backend-1.2.74-0.58.1
       spacewalk-backend-app-1.2.74-0.58.1
       spacewalk-backend-applet-1.2.74-0.58.1
       spacewalk-backend-config-files-1.2.74-0.58.1
       spacewalk-backend-config-files-common-1.2.74-0.58.1
       spacewalk-backend-config-files-tool-1.2.74-0.58.1
       spacewalk-backend-iss-1.2.74-0.58.1
       spacewalk-backend-iss-export-1.2.74-0.58.1
       spacewalk-backend-libs-1.2.74-0.58.1
       spacewalk-backend-package-push-server-1.2.74-0.58.1
       spacewalk-backend-server-1.2.74-0.58.1
       spacewalk-backend-sql-1.2.74-0.58.1
       spacewalk-backend-sql-oracle-1.2.74-0.58.1
       spacewalk-backend-tools-1.2.74-0.58.1
       spacewalk-backend-xml-export-libs-1.2.74-0.58.1
       spacewalk-backend-xmlrpc-1.2.74-0.58.1
       spacewalk-backend-xp-1.2.74-0.58.1
       susemanager-1.2.0-0.58.1
       susemanager-tools-1.2.0-0.58.1
   - SUSE Manager 1.2 for SLE 11 SP1 (noarch) [New Version: 1.2.75]:
       spacewalk-base-1.2.31-0.39.3
       spacewalk-base-minimal-1.2.31-0.39.3
       spacewalk-certs-tools-1.2.2-0.28.3
       spacewalk-dobby-1.2.31-0.39.3
       spacewalk-grail-1.2.31-0.39.3
       spacewalk-html-1.2.31-0.39.3
       spacewalk-java-1.2.115-0.60.1
       spacewalk-java-config-1.2.115-0.60.1
       spacewalk-java-lib-1.2.115-0.60.1
       spacewalk-java-oracle-1.2.115-0.60.1
       spacewalk-pxt-1.2.31-0.39.3
       spacewalk-sniglets-1.2.31-0.39.3
       spacewalk-taskomatic-1.2.115-0.60.1
       susemanager-schema-1.2.75-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2012-0414.html
   https://bugzilla.novell.com/753326
   https://bugzilla.novell.com/760306
   https://bugzilla.novell.com/760771
   https://bugzilla.novell.com/761165
   https://bugzilla.novell.com/763878
   https://bugzilla.novell.com/763891
   https://bugzilla.novell.com/764532
   https://bugzilla.novell.com/764544
   https://bugzilla.novell.com/765053
   http://download.novell.com/patch/finder/?keywords=3fbb4edf5375671fbc21e432ba8996c4

From sle-security-updates at lists.suse.com Wed Jul 4 19:08:29 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Jul 2012 03:08:29 +0200 (CEST)
Subject: SUSE-SU-2012:0840-1: important: Security update for PHP5
Message-ID: <20120705010829.7639E32850@maintenance.suse.de>

   SUSE Security Update: Security update for PHP5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0840-1
Rating:             important
References:         #761631 #763814 #766798
Cross-References:   CVE-2012-2143 CVE-2012-2335 CVE-2012-2336 CVE-2012-2386
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   PHP5 was updated with incremental fixes to the previous update.

   * CVE-2012-2335: Additional unsafe cgi wrapper scripts are also fixed
     now.
   * CVE-2012-2336: Even more commandline option handling is filtered,
     which could lead to crashes of the php interpreter.
   * CVE-2012-2386: heap based buffer overflow in php's phar extension
   * CVE-2012-2143: The crypt() implementation ignored wide characters,
     leading to shorter effective password lengths.

     Note: With this update applied affected passwords will no longer
     work and need to be set again.

Security Issue references:

   * CVE-2012-2335
   * CVE-2012-2336
   * CVE-2012-2386
   * CVE-2012-2143

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
       zypper in -t patch sdksp2-apache2-mod_php53-6440
   - SUSE Linux Enterprise Server 11 SP2 for VMware:
       zypper in -t patch slessp2-apache2-mod_php53-6440
   - SUSE Linux Enterprise Server 11 SP2:
       zypper in -t patch slessp2-apache2-mod_php53-6440

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
       php53-devel-5.3.8-0.33.2
       php53-imap-5.3.8-0.33.2
       php53-posix-5.3.8-0.33.2
       php53-readline-5.3.8-0.33.2
       php53-sockets-5.3.8-0.33.2
       php53-sqlite-5.3.8-0.33.2
       php53-tidy-5.3.8-0.33.2
   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):
       apache2-mod_php53-5.3.8-0.33.2
       php53-5.3.8-0.33.2
       php53-bcmath-5.3.8-0.33.2
       php53-bz2-5.3.8-0.33.2
       php53-calendar-5.3.8-0.33.2
       php53-ctype-5.3.8-0.33.2
       php53-curl-5.3.8-0.33.2
       php53-dba-5.3.8-0.33.2
       php53-dom-5.3.8-0.33.2
       php53-exif-5.3.8-0.33.2
       php53-fastcgi-5.3.8-0.33.2
       php53-fileinfo-5.3.8-0.33.2
       php53-ftp-5.3.8-0.33.2
       php53-gd-5.3.8-0.33.2
       php53-gettext-5.3.8-0.33.2
       php53-gmp-5.3.8-0.33.2
       php53-iconv-5.3.8-0.33.2
       php53-intl-5.3.8-0.33.2
       php53-json-5.3.8-0.33.2
       php53-ldap-5.3.8-0.33.2
       php53-mbstring-5.3.8-0.33.2
       php53-mcrypt-5.3.8-0.33.2
       php53-mysql-5.3.8-0.33.2
       php53-odbc-5.3.8-0.33.2
       php53-openssl-5.3.8-0.33.2
       php53-pcntl-5.3.8-0.33.2
       php53-pdo-5.3.8-0.33.2
       php53-pear-5.3.8-0.33.2
       php53-pgsql-5.3.8-0.33.2
       php53-pspell-5.3.8-0.33.2
       php53-shmop-5.3.8-0.33.2
       php53-snmp-5.3.8-0.33.2
       php53-soap-5.3.8-0.33.2
       php53-suhosin-5.3.8-0.33.2
       php53-sysvmsg-5.3.8-0.33.2
       php53-sysvsem-5.3.8-0.33.2
       php53-sysvshm-5.3.8-0.33.2
       php53-tokenizer-5.3.8-0.33.2
       php53-wddx-5.3.8-0.33.2
       php53-xmlreader-5.3.8-0.33.2
       php53-xmlrpc-5.3.8-0.33.2
       php53-xmlwriter-5.3.8-0.33.2
       php53-xsl-5.3.8-0.33.2
       php53-zip-5.3.8-0.33.2
       php53-zlib-5.3.8-0.33.2
   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
       apache2-mod_php53-5.3.8-0.33.2
       php53-5.3.8-0.33.2
       php53-bcmath-5.3.8-0.33.2
       php53-bz2-5.3.8-0.33.2
       php53-calendar-5.3.8-0.33.2
       php53-ctype-5.3.8-0.33.2
       php53-curl-5.3.8-0.33.2
       php53-dba-5.3.8-0.33.2
       php53-dom-5.3.8-0.33.2
       php53-exif-5.3.8-0.33.2
       php53-fastcgi-5.3.8-0.33.2
       php53-fileinfo-5.3.8-0.33.2
       php53-ftp-5.3.8-0.33.2
       php53-gd-5.3.8-0.33.2
       php53-gettext-5.3.8-0.33.2
       php53-gmp-5.3.8-0.33.2
       php53-iconv-5.3.8-0.33.2
       php53-intl-5.3.8-0.33.2
       php53-json-5.3.8-0.33.2
       php53-ldap-5.3.8-0.33.2
       php53-mbstring-5.3.8-0.33.2
       php53-mcrypt-5.3.8-0.33.2
       php53-mysql-5.3.8-0.33.2
       php53-odbc-5.3.8-0.33.2
       php53-openssl-5.3.8-0.33.2
       php53-pcntl-5.3.8-0.33.2
       php53-pdo-5.3.8-0.33.2
       php53-pear-5.3.8-0.33.2
       php53-pgsql-5.3.8-0.33.2
       php53-pspell-5.3.8-0.33.2
       php53-shmop-5.3.8-0.33.2
       php53-snmp-5.3.8-0.33.2
       php53-soap-5.3.8-0.33.2
       php53-suhosin-5.3.8-0.33.2
       php53-sysvmsg-5.3.8-0.33.2
       php53-sysvsem-5.3.8-0.33.2
       php53-sysvshm-5.3.8-0.33.2
       php53-tokenizer-5.3.8-0.33.2
       php53-wddx-5.3.8-0.33.2
       php53-xmlreader-5.3.8-0.33.2
       php53-xmlrpc-5.3.8-0.33.2
       php53-xmlwriter-5.3.8-0.33.2
       php53-xsl-5.3.8-0.33.2
       php53-zip-5.3.8-0.33.2
       php53-zlib-5.3.8-0.33.2

References:

   http://support.novell.com/security/cve/CVE-2012-2143.html
   http://support.novell.com/security/cve/CVE-2012-2335.html
   http://support.novell.com/security/cve/CVE-2012-2336.html
   http://support.novell.com/security/cve/CVE-2012-2386.html
   https://bugzilla.novell.com/761631
   https://bugzilla.novell.com/763814
   https://bugzilla.novell.com/766798
   http://download.novell.com/patch/finder/?keywords=493f50e026887ac9d2afb3216db47373

From sle-security-updates at lists.suse.com Thu Jul 5 10:08:33 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Jul 2012 18:08:33 +0200 (CEST)
Subject: SUSE-SU-2012:0841-1: moderate: Security update for gdk-pixbuf
Message-ID: <20120705160833.BD22E32854@maintenance.suse.de>

   SUSE Security Update: Security update for gdk-pixbuf
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0841-1
Rating:             moderate
References:         #702028 #709852 #762735
Cross-References:   CVE-2011-2485 CVE-2011-2897 CVE-2012-2370
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP1
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update of gdk-pixbuf fixes multiple buffer overflows that could
   have caused a crash or potentially have allowed heap corruptions
   (CVE-2011-2485, CVE-2012-2370, CVE-2011-2897).

Security Issue references:

   * CVE-2011-2485
   * CVE-2012-2370
   * CVE-2011-2897

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
       zypper in -t patch sdksp1-gdk-pixbuf-6367
   - SUSE Linux Enterprise Software Development Kit 11 SP1:
       zypper in -t patch sdksp1-gdk-pixbuf-6367
   - SUSE Linux Enterprise Desktop 11 SP2:
       zypper in -t patch sledsp1-gdk-pixbuf-6367
   - SUSE Linux Enterprise Desktop 11 SP1:
       zypper in -t patch sledsp1-gdk-pixbuf-6367

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
       gdk-pixbuf-0.22.0-294.26.1
       gdk-pixbuf-devel-0.22.0-294.26.1
   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64):
       gdk-pixbuf-32bit-0.22.0-294.26.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):
       gdk-pixbuf-0.22.0-294.26.1
       gdk-pixbuf-devel-0.22.0-294.26.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64 s390x x86_64):
       gdk-pixbuf-32bit-0.22.0-294.26.1
   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
       gdk-pixbuf-0.22.0-93.9.1
   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):
       gdk-pixbuf-32bit-0.22.0-93.9.1
   - SUSE Linux Enterprise Server 10 SP4 (ia64):
       gdk-pixbuf-x86-0.22.0-93.9.1
   - SUSE Linux Enterprise Server 10 SP4 (ppc):
       gdk-pixbuf-64bit-0.22.0-93.9.1
   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
       gdk-pixbuf-0.22.0-294.26.1
   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):
       gdk-pixbuf-32bit-0.22.0-294.26.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
       gdk-pixbuf-0.22.0-294.26.1
   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64):
       gdk-pixbuf-32bit-0.22.0-294.26.1
   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
       gdk-pixbuf-0.22.0-93.9.1
   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
       gdk-pixbuf-32bit-0.22.0-93.9.1
   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):
       gdk-pixbuf-devel-0.22.0-93.9.1

References:

   http://support.novell.com/security/cve/CVE-2011-2485.html
   http://support.novell.com/security/cve/CVE-2011-2897.html
   http://support.novell.com/security/cve/CVE-2012-2370.html
   https://bugzilla.novell.com/702028
   https://bugzilla.novell.com/709852
   https://bugzilla.novell.com/762735
   http://download.novell.com/patch/finder/?keywords=0c456ea3e51de636ed5cb4e0f16503d3
   http://download.novell.com/patch/finder/?keywords=1e4fac303fda249f28a90f89a7455837

From sle-security-updates at lists.suse.com Thu Jul 5 11:08:39 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Jul 2012 19:08:39 +0200 (CEST)
Subject: SUSE-SU-2012:0843-1: moderate: Security update for rubygem-mail-2_3
Message-ID: <20120705170839.466E032844@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-mail-2_3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0843-1
Rating:             moderate
References:         #759092
Cross-References:   CVE-2012-2139 CVE-2012-2140
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update of rubygem-mail fixes two security issues:

   * CVE-2012-2139: A file system traversal in file_delivery method.
   * CVE-2012-2140: Arbitrary command execution when using exim or
     sendmail from the commandline.
Security Issue references:

   * CVE-2012-2139
   * CVE-2012-2140

Special Instructions and Notes:

   This update triggers a restart of the software management stack. More
   updates will be available for installation after applying this update
   and restarting the application.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
       zypper in -t patch sdksp2-rubygem-mail-2_3-6393

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      rubygem-mail-2_3-2.3.0-0.10.1


References:

   http://support.novell.com/security/cve/CVE-2012-2139.html
   http://support.novell.com/security/cve/CVE-2012-2140.html
   https://bugzilla.novell.com/759092
   http://download.novell.com/patch/finder/?keywords=a16c99a5d3c0b2249debbfddc8663032


From sle-security-updates at lists.suse.com  Thu Jul  5 13:08:31 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Jul 2012 21:08:31 +0200 (CEST)
Subject: SUSE-SU-2012:0844-1: moderate: Security update for gtk2
Message-ID: <20120705190831.29DCD32849@maintenance.suse.de>

   SUSE Security Update: Security update for gtk2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0844-1
Rating:             moderate
References:         #702028 #762735
Cross-References:   CVE-2011-2485 CVE-2012-2370
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP1
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   The following issue has been fixed:

   * Specially crafted GIF and XBM files could have crashed gtk2
     (CVE-2012-2370, CVE-2011-2485).

   Security Issue references:

   * CVE-2012-2370
   * CVE-2011-2485

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-gtk2-6390

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-gtk2-6389

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-gtk2-6390

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-gtk2-6390

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-gtk2-6389

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-gtk2-6389

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-gtk2-6390

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-gtk2-6389

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      gtk2-devel-2.18.9-0.23.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64):

      gtk2-devel-32bit-2.18.9-0.23.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      gtk2-devel-2.18.9-0.20.18.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64):

      gtk2-devel-32bit-2.18.9-0.20.18.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      gtk2-2.18.9-0.23.1
      gtk2-doc-2.18.9-0.23.1
      gtk2-lang-2.18.9-0.23.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64):

      gtk2-32bit-2.18.9-0.23.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      gtk2-2.18.9-0.23.1
      gtk2-doc-2.18.9-0.23.1
      gtk2-lang-2.18.9-0.23.1

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):

      gtk2-32bit-2.18.9-0.23.1

   - SUSE Linux Enterprise Server 11 SP2 (ia64):

      gtk2-x86-2.18.9-0.23.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):

      gtk2-2.18.9-0.20.18.1
      gtk2-doc-2.18.9-0.20.18.1
      gtk2-lang-2.18.9-0.20.18.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64):

      gtk2-32bit-2.18.9-0.20.18.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      gtk2-2.18.9-0.20.18.1
      gtk2-doc-2.18.9-0.20.18.1
      gtk2-lang-2.18.9-0.20.18.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64):

      gtk2-32bit-2.18.9-0.20.18.1

   - SUSE Linux Enterprise Server 11 SP1 (ia64):

      gtk2-x86-2.18.9-0.20.18.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      gtk2-2.8.11-0.29.2
      gtk2-devel-2.8.11-0.29.2
      gtk2-doc-2.8.11-0.29.2

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      gtk2-32bit-2.8.11-0.29.2

   - SUSE Linux Enterprise Server 10 SP4 (ia64):

      gtk2-x86-2.8.11-0.29.2

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      gtk2-64bit-2.8.11-0.29.2
      gtk2-devel-64bit-2.8.11-0.29.2

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      gtk2-2.18.9-0.23.1
      gtk2-devel-2.18.9-0.23.1
      gtk2-lang-2.18.9-0.23.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):

      gtk2-32bit-2.18.9-0.23.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):

      gtk2-2.18.9-0.20.18.1
      gtk2-devel-2.18.9-0.20.18.1
      gtk2-lang-2.18.9-0.20.18.1

   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64):

      gtk2-32bit-2.18.9-0.20.18.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      gtk2-2.8.11-0.29.2
      gtk2-devel-2.8.11-0.29.2
      gtk2-doc-2.8.11-0.29.2

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):

      gtk2-32bit-2.8.11-0.29.2


References:

   http://support.novell.com/security/cve/CVE-2011-2485.html
   http://support.novell.com/security/cve/CVE-2012-2370.html
   https://bugzilla.novell.com/702028
   https://bugzilla.novell.com/762735
   http://download.novell.com/patch/finder/?keywords=20aead63ed168564e4a716a942666e5e
   http://download.novell.com/patch/finder/?keywords=9b8763dd2b5961b26badcb967643b9ba
   http://download.novell.com/patch/finder/?keywords=d761cd6e1a31389dc3a2d6c8c56cdbd3


From sle-security-updates at lists.suse.com  Mon Jul  9 08:08:22 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 9 Jul 2012 16:08:22 +0200 (CEST)
Subject: SUSE-SU-2012:0852-1: Security update for rubygem-rack-cache
Message-ID: <20120709140822.A883732852@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-rack-cache
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0852-1
Rating:             low
References:         #763650
Cross-References:   CVE-2012-2671
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The following issue has been fixed:

   * rack-cache caches potentially sensitive response headers such as
     Set-Cookie (CVE-2012-2671).

   Security Issue reference:

   * CVE-2012-2671

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-rubygem-rack-cache-1_1-6406

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      rubygem-rack-cache-1_1-1.1-0.8.2


References:

   http://support.novell.com/security/cve/CVE-2012-2671.html
   https://bugzilla.novell.com/763650
   http://download.novell.com/patch/finder/?keywords=05ea73e0d791a3fd5d9f41d53dfaf359


From sle-security-updates at lists.suse.com  Tue Jul 10 14:08:31 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Jul 2012 22:08:31 +0200 (CEST)
Subject: SUSE-SU-2012:0858-1: moderate: Security update for clamav
Message-ID: <20120710200831.98F9D3284B@maintenance.suse.de>

   SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0858-1
Rating:             moderate
References:         #753610 #753611 #753613 #767574
Cross-References:   CVE-2012-1457 CVE-2012-1458 CVE-2012-1459
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP1
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now
   available. It includes one version update.

Description:

   The following issue has been fixed:

   * Viruses contained in specially crafted tar or CHM files could have
     evaded detection by clamav (CVE-2012-1457, CVE-2012-1458,
     CVE-2012-1459).

   Security Issue references:

   * CVE-2012-1457
   * CVE-2012-1458
   * CVE-2012-1459

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp1-clamav-6474

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-clamav-6474

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-clamav-6474

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp1-clamav-6474

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-clamav-6474

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.97.5]:

      clamav-0.97.5-0.2.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 0.97.5]:

      clamav-0.97.5-0.2.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.97.5]:

      clamav-0.97.5-0.2.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 0.97.5]:

      clamav-0.97.5-0.5.2

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 0.97.5]:

      clamav-0.97.5-0.2.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 0.97.5]:

      clamav-0.97.5-0.2.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 0.97.5]:

      clamav-0.97.5-0.5.2

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 0.97.5]:

      clamav-0.97.5-0.5.2


References:

   http://support.novell.com/security/cve/CVE-2012-1457.html
   http://support.novell.com/security/cve/CVE-2012-1458.html
   http://support.novell.com/security/cve/CVE-2012-1459.html
   https://bugzilla.novell.com/753610
   https://bugzilla.novell.com/753611
   https://bugzilla.novell.com/753613
   https://bugzilla.novell.com/767574
   http://download.novell.com/patch/finder/?keywords=081f4d44356f37d28fa582731745c3e7
   http://download.novell.com/patch/finder/?keywords=9915239be72cdac5c91614a1c9bc684f


From sle-security-updates at lists.suse.com  Thu Jul 12 14:08:23 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Jul 2012 22:08:23 +0200 (CEST)
Subject: SUSE-SU-2012:0869-1: moderate: Security update for python-crypto
Message-ID: <20120712200823.C962332853@maintenance.suse.de>

   SUSE Security Update: Security update for python-crypto
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0869-1
Rating:             moderate
References:         #764127
Cross-References:   CVE-2012-2417
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   python-crypto did not use the full key space when generating ElGamal
   secret keys, which made it easier for attackers to brute-force the key
   (CVE-2012-2417). This has been fixed.

   Security Issue references:

   * CVE-2012-2417

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp1-python-crypto-6478

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-python-crypto-6478

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      python-crypto-2.0.1-28.20.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      python-crypto-2.0.1-28.20.1


References:

   http://support.novell.com/security/cve/CVE-2012-2417.html
   https://bugzilla.novell.com/764127
   http://download.novell.com/patch/finder/?keywords=5a078bb3da298725ac28d4596f68efdb


From sle-security-updates at lists.suse.com  Thu Jul 12 15:08:33 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Jul 2012 23:08:33 +0200 (CEST)
Subject: SUSE-SU-2012:0870-1: moderate: Security update for libsoup
Message-ID: <20120712210833.120DE32855@maintenance.suse.de>

   SUSE Security Update: Security update for libsoup
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0870-1
Rating:             moderate
References:         #758431
Cross-References:   CVE-2012-2132
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   libsoup, when no CA path had been set, accepted all SSL certificates as
   trusted. This has been fixed. CVE-2012-2132 has been assigned to this
   issue.

   Security Issue reference:

   * CVE-2012-2132

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-libsoup-6520

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-libsoup-6520

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-libsoup-6520

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-libsoup-6520

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      libsoup-devel-2.32.2-4.11.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64):

      libsoup-devel-32bit-2.32.2-4.11.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      libsoup-2_4-1-2.32.2-4.11.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64):

      libsoup-2_4-1-32bit-2.32.2-4.11.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      libsoup-2_4-1-2.32.2-4.11.1

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):

      libsoup-2_4-1-32bit-2.32.2-4.11.1

   - SUSE Linux Enterprise Server 11 SP2 (ia64):

      libsoup-2_4-1-x86-2.32.2-4.11.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      libsoup-2_4-1-2.32.2-4.11.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):

      libsoup-2_4-1-32bit-2.32.2-4.11.1


References:

   http://support.novell.com/security/cve/CVE-2012-2132.html
   https://bugzilla.novell.com/758431
   http://download.novell.com/patch/finder/?keywords=625e36b09557835cd71a8041f2d28e18


From sle-security-updates at lists.suse.com  Fri Jul 13 13:08:39 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Jul 2012 21:08:39 +0200 (CEST)
Subject: SUSE-SU-2012:0741-6: important: Security update for bind
Message-ID: <20120713190839.559A33287E@maintenance.suse.de>

   SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0741-6
Rating:             important
References:         #765315
Cross-References:   CVE-2012-1667
Affected Products:
                    SUSE CORE 9
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The following issue has been fixed:

   * Records with a zero-length rdata field could have crashed named or
     disclosed portions of memory to clients (CVE-2012-1667).

   Security Issue reference:

   * CVE-2012-1667

Package List:

   - SUSE CORE 9 (i586 s390 s390x x86_64):

      bind-9.3.4-4.16
      bind-devel-9.3.4-4.16
      bind-utils-9.3.4-4.16

   - SUSE CORE 9 (x86_64):

      bind-utils-32bit-9-201207061338

   - SUSE CORE 9 (s390x):

      bind-utils-32bit-9-201207061342


References:

   http://support.novell.com/security/cve/CVE-2012-1667.html
   https://bugzilla.novell.com/765315
   http://download.novell.com/patch/finder/?keywords=2f883f124c996f4e73d94255fee4adfc


From sle-security-updates at lists.suse.com  Mon Jul 16 11:08:33 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Jul 2012 19:08:33 +0200 (CEST)
Subject: SUSE-SU-2012:0880-1: moderate: Security update for RPM
Message-ID: <20120716170833.0B48032856@maintenance.suse.de>

   SUSE Security Update: Security update for RPM
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0880-1
Rating:             moderate
References:         #747225 #754281 #754284 #754285
Cross-References:   CVE-2012-0060 CVE-2012-0061 CVE-2012-0815
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now
   available.

Description:

   Multiple security vulnerabilities were reported in RPM which could have
   been exploited via specially crafted RPM files to cause a denial of
   service (application crash) or potentially allow attackers to execute
   arbitrary code.

   Additionally, a non-security issue was fixed that could cause a division
   by zero in the cycles calculation under rare circumstances.

   Security Issue references:

   * CVE-2012-0815
   * CVE-2012-0060
   * CVE-2012-0061

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586):

      popt-1.7-271.46.16
      popt-devel-1.7-271.46.16
      rpm-4.4.2-43.46.16
      rpm-devel-4.4.2-43.46.16
      rpm-python-4.4.2-43.46.16

   - SUSE Linux Enterprise Desktop 10 SP4 (i586):

      popt-1.7-271.46.16
      popt-devel-1.7-271.46.16
      rpm-4.4.2-43.46.16
      rpm-devel-4.4.2-43.46.16
      rpm-python-4.4.2-43.46.16

   - SLE SDK 10 SP4 (i586):

      rpm-devel-4.4.2-43.46.16


References:

   http://support.novell.com/security/cve/CVE-2012-0060.html
   http://support.novell.com/security/cve/CVE-2012-0061.html
   http://support.novell.com/security/cve/CVE-2012-0815.html
   https://bugzilla.novell.com/747225
   https://bugzilla.novell.com/754281
   https://bugzilla.novell.com/754284
   https://bugzilla.novell.com/754285
   http://download.novell.com/patch/finder/?keywords=3437ad480e640b7bf5a09b96d1218988


From sle-security-updates at lists.suse.com  Mon Jul 16 11:08:34 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Jul 2012 19:08:34 +0200 (CEST)
Subject: SUSE-SU-2012:0881-1: important: Security update for java-1_4_2-ibm-sap
Message-ID: <20120716170834.9E5A13287B@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_4_2-ibm-sap
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0881-1
Rating:             important
References:         #768611
Affected Products:
                    SUSE Linux Enterprise for SAP Applications 11 SP1
                    SUSE Linux Enterprise Java 11 SP1
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 1.4.2 SR13 FP12 has been released which fixes various bugs and
   security issues. For more information see
   http://www.ibm.com/developerworks/java/jdk/alerts/

   CVEs addressed: CVE-2011-3563 CVE-2012-0499 CVE-2012-0502 CVE-2012-0503
   CVE-2012-0505 CVE-2012-0506

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise for SAP Applications 11 SP1:

      zypper in -t patch slesapp1-java-1_4_2-ibm-sap-6476

   - SUSE Linux Enterprise Java 11 SP1:

      zypper in -t patch slejsp1-java-1_4_2-ibm-sap-6476

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise for SAP Applications 11 SP1 (x86_64):

      java-1_4_2-ibm-sap-1.4.2_sr13.12-0.3.1
      java-1_4_2-ibm-sap-devel-1.4.2_sr13.12-0.3.1

   - SUSE Linux Enterprise Java 11 SP1 (x86_64):

      java-1_4_2-ibm-sap-1.4.2_sr13.12-0.3.1
      java-1_4_2-ibm-sap-devel-1.4.2_sr13.12-0.3.1


References:

   https://bugzilla.novell.com/768611
   http://download.novell.com/patch/finder/?keywords=94625ebb99bafb508860512c2f55fd02


From sle-security-updates at lists.suse.com  Mon Jul 16 11:08:36 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Jul 2012 19:08:36 +0200 (CEST)
Subject: SUSE-SU-2012:0882-1: moderate: Security update for boost
Message-ID: <20120716170836.4906932881@maintenance.suse.de>

   SUSE Security Update: Security update for boost
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0882-1
Rating:             moderate
References:         #765443 #767949
Cross-References:   CVE-2012-2677
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP1
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   Two problems have been fixed in the boost library:

   * boost::pool's ordered_malloc could have overflowed when calculating
     the allocation size (CVE-2012-2677).
   * Fully qualify boost::date_time::dst_adjustment_offsets (non-security).

   Security Issue reference:

   * CVE-2012-2677

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp1-boost-6507

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-boost-6507

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp1-boost-6507

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-boost-6507

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-boost-6507

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp1-boost-6507

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-boost-6507

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      boost-devel-1.36.0-12.3.1
      boost-doc-1.36.0-12.3.1
      libboost_date_time1_36_0-1.36.0-12.3.1
      libboost_filesystem1_36_0-1.36.0-12.3.1
      libboost_graph1_36_0-1.36.0-12.3.1
      libboost_iostreams1_36_0-1.36.0-12.3.1
      libboost_math1_36_0-1.36.0-12.3.1
      libboost_program_options1_36_0-1.36.0-12.3.1
      libboost_python1_36_0-1.36.0-12.3.1
      libboost_serialization1_36_0-1.36.0-12.3.1
      libboost_system1_36_0-1.36.0-12.3.1
      libboost_test1_36_0-1.36.0-12.3.1
      libboost_thread1_36_0-1.36.0-12.3.1
      libboost_wave1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ppc64 x86_64):

      libboost_mpi1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

      libboost_regex1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64):

      boost-devel-32bit-1.36.0-12.3.1
      libboost_date_time1_36_0-32bit-1.36.0-12.3.1
      libboost_filesystem1_36_0-32bit-1.36.0-12.3.1
      libboost_graph1_36_0-32bit-1.36.0-12.3.1
      libboost_iostreams1_36_0-32bit-1.36.0-12.3.1
      libboost_math1_36_0-32bit-1.36.0-12.3.1
      libboost_program_options1_36_0-32bit-1.36.0-12.3.1
      libboost_python1_36_0-32bit-1.36.0-12.3.1
      libboost_regex1_36_0-32bit-1.36.0-12.3.1
      libboost_serialization1_36_0-32bit-1.36.0-12.3.1
      libboost_signals1_36_0-32bit-1.36.0-12.3.1
      libboost_system1_36_0-32bit-1.36.0-12.3.1
      libboost_test1_36_0-32bit-1.36.0-12.3.1
      libboost_thread1_36_0-32bit-1.36.0-12.3.1
      libboost_wave1_36_0-32bit-1.36.0-12.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      boost-devel-1.36.0-12.3.1
      boost-doc-1.36.0-12.3.1
      libboost_date_time1_36_0-1.36.0-12.3.1
      libboost_filesystem1_36_0-1.36.0-12.3.1
      libboost_graph1_36_0-1.36.0-12.3.1
      libboost_iostreams1_36_0-1.36.0-12.3.1
      libboost_math1_36_0-1.36.0-12.3.1
      libboost_program_options1_36_0-1.36.0-12.3.1
      libboost_python1_36_0-1.36.0-12.3.1
      libboost_serialization1_36_0-1.36.0-12.3.1
      libboost_system1_36_0-1.36.0-12.3.1
      libboost_test1_36_0-1.36.0-12.3.1
      libboost_thread1_36_0-1.36.0-12.3.1
      libboost_wave1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ppc64 x86_64):

      libboost_mpi1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64):

      libboost_regex1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64):

      boost-devel-32bit-1.36.0-12.3.1
      libboost_date_time1_36_0-32bit-1.36.0-12.3.1
      libboost_filesystem1_36_0-32bit-1.36.0-12.3.1
      libboost_graph1_36_0-32bit-1.36.0-12.3.1
      libboost_iostreams1_36_0-32bit-1.36.0-12.3.1
      libboost_math1_36_0-32bit-1.36.0-12.3.1
      libboost_program_options1_36_0-32bit-1.36.0-12.3.1
      libboost_python1_36_0-32bit-1.36.0-12.3.1
      libboost_regex1_36_0-32bit-1.36.0-12.3.1
      libboost_serialization1_36_0-32bit-1.36.0-12.3.1
      libboost_signals1_36_0-32bit-1.36.0-12.3.1
      libboost_system1_36_0-32bit-1.36.0-12.3.1
      libboost_test1_36_0-32bit-1.36.0-12.3.1
      libboost_thread1_36_0-32bit-1.36.0-12.3.1
      libboost_wave1_36_0-32bit-1.36.0-12.3.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      boost-license-1.36.0-12.3.1
      libboost_program_options1_36_0-1.36.0-12.3.1
      libboost_regex1_36_0-1.36.0-12.3.1
      libboost_signals1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):

      boost-license-1.36.0-12.3.1
      libboost_program_options1_36_0-1.36.0-12.3.1
      libboost_regex1_36_0-1.36.0-12.3.1
      libboost_signals1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      boost-license-1.36.0-12.3.1
      libboost_program_options1_36_0-1.36.0-12.3.1
      libboost_regex1_36_0-1.36.0-12.3.1
      libboost_signals1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      boost-1.33.1-17.15.1
      boost-devel-1.33.1-17.15.1
      boost-doc-1.33.1-17.15.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      boost-32bit-1.33.1-17.15.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      boost-64bit-1.33.1-17.15.1
      boost-devel-64bit-1.33.1-17.15.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      boost-license-1.36.0-12.3.1
      libboost_program_options1_36_0-1.36.0-12.3.1
      libboost_signals1_36_0-1.36.0-12.3.1
      libboost_thread1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):

      boost-license-1.36.0-12.3.1
      libboost_program_options1_36_0-1.36.0-12.3.1
      libboost_signals1_36_0-1.36.0-12.3.1
      libboost_thread1_36_0-1.36.0-12.3.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      boost-1.33.1-17.15.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):

      boost-32bit-1.33.1-17.15.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

      boost-devel-1.33.1-17.15.1
      boost-doc-1.33.1-17.15.1

   - SLE SDK 10 SP4 (ppc):

      boost-devel-64bit-1.33.1-17.15.1


References:

   http://support.novell.com/security/cve/CVE-2012-2677.html
   https://bugzilla.novell.com/765443
   https://bugzilla.novell.com/767949
   http://download.novell.com/patch/finder/?keywords=31b79b5c0768465a390c98f00f43531b
   http://download.novell.com/patch/finder/?keywords=f7640e04677ae81b96d69003957f49c4


From sle-security-updates at lists.suse.com  Tue Jul 17 15:08:32 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Jul 2012 23:08:32 +0200 (CEST)
Subject: SUSE-SU-2012:0885-1: moderate: Security update for libopenssl
Message-ID: <20120717210832.40F453284A@maintenance.suse.de>

   SUSE Security Update: Security update for libopenssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0885-1
Rating:             moderate
References:         #767256 #768097
Cross-References:   CVE-2011-5095
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available. It includes one version update.

Description:

   This update adds libopenssl0_9_8-hmac packages which, when installed,
   enforce that the FIPS 140-2 self-test is run upon first use of the
   library. If FIPS mode is enforced, these new packages are required in
   order to enable FIPS mode successfully.

   The update also imposes limits on the parameters of a Diffie-Hellman key
   exchange to prevent man-in-the-middle (MITM) attacks in FIPS mode
   (CVE-2011-5095).

   Security reference:

   * CVE-2011-5095

Indications:

   Every FIPS user should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp1-libopenssl-devel-6521

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-libopenssl-devel-6521

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp1-libopenssl-devel-6521

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-libopenssl-devel-6521

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-libopenssl-devel-6521

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp1-libopenssl-devel-6521

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-libopenssl-devel-6521

   To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.9.8j]: libopenssl-devel-0.9.8j-0.44.1 - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.9.8j]: libopenssl-devel-0.9.8j-0.44.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-0.9.8j-0.44.1 libopenssl0_9_8-hmac-0.9.8j-0.44.1 openssl-0.9.8j-0.44.1 openssl-doc-0.9.8j-0.44.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-32bit-0.9.8j-0.44.1 libopenssl0_9_8-hmac-32bit-0.9.8j-0.44.1 - SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 0.9.8j]: libopenssl0_9_8-hmac-x86-0.9.8j-0.44.1 libopenssl0_9_8-x86-0.9.8j-0.44.1 - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-0.9.8j-0.44.1 libopenssl0_9_8-hmac-0.9.8j-0.44.1 openssl-0.9.8j-0.44.1 openssl-doc-0.9.8j-0.44.1 - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-32bit-0.9.8j-0.44.1 - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-0.9.8j-0.44.1 libopenssl0_9_8-hmac-0.9.8j-0.44.1 openssl-0.9.8j-0.44.1 openssl-doc-0.9.8j-0.44.1 - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-32bit-0.9.8j-0.44.1 libopenssl0_9_8-hmac-32bit-0.9.8j-0.44.1 - SUSE Linux Enterprise Server 11 SP1 (ia64) [New Version: 0.9.8j]: libopenssl0_9_8-hmac-x86-0.9.8j-0.44.1 libopenssl0_9_8-x86-0.9.8j-0.44.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-0.9.8j-0.44.1 openssl-0.9.8j-0.44.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-32bit-0.9.8j-0.44.1 - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-0.9.8j-0.44.1 openssl-0.9.8j-0.44.1 - SUSE Linux 
Enterprise Desktop 11 SP1 (x86_64) [New Version: 0.9.8j]: libopenssl0_9_8-32bit-0.9.8j-0.44.1 References: http://support.novell.com/security/cve/CVE-2011-5095.html https://bugzilla.novell.com/767256 https://bugzilla.novell.com/768097 http://download.novell.com/patch/finder/?keywords=cd76f7d085cbf1216d964bfe19854d7f From sle-security-updates at lists.suse.com Wed Jul 18 14:08:31 2012 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 18 Jul 2012 22:08:31 +0200 (CEST) Subject: SUSE-SU-2012:0887-1: moderate: Security update for net-snmp Message-ID: <20120718200831.3F62332883@maintenance.suse.de> SUSE Security Update: Security update for net-snmp ______________________________________________________________________________ Announcement ID: SUSE-SU-2012:0887-1 Rating: moderate References: #759352 #762433 Cross-References: CVE-2012-2141 Affected Products: SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update to net-snmp resolves the following issues: * Specially crafted SNMP GET requests could cause a denial of service (application crash) via a heap-based out-out-bounds read flaw which could be exploited remotely (CVE-2012-2141). * After rotating the net-snmp log file, use "try-restart" to restart the daemon. Reloading with a SIGHUP signal may trigger crashes when dynamic modules (dlmod) are in use (bnc#762433). 
Security Issue reference: * CVE-2012-2141 Package List: - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64): net-snmp-5.3.0.1-25.43.1 net-snmp-devel-5.3.0.1-25.43.1 perl-SNMP-5.3.0.1-25.43.1 - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64): net-snmp-32bit-5.3.0.1-25.43.1 - SUSE Linux Enterprise Server 10 SP4 (ia64): net-snmp-x86-5.3.0.1-25.43.1 - SUSE Linux Enterprise Server 10 SP4 (ppc): net-snmp-64bit-5.3.0.1-25.43.1 net-snmp-devel-64bit-5.3.0.1-25.43.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64): net-snmp-5.3.0.1-25.43.1 net-snmp-devel-5.3.0.1-25.43.1 perl-SNMP-5.3.0.1-25.43.1 - SUSE Linux Enterprise Desktop 10 SP4 (x86_64): net-snmp-32bit-5.3.0.1-25.43.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64): net-snmp-devel-5.3.0.1-25.43.1 - SLE SDK 10 SP4 (ppc): net-snmp-devel-64bit-5.3.0.1-25.43.1 References: http://support.novell.com/security/cve/CVE-2012-2141.html https://bugzilla.novell.com/759352 https://bugzilla.novell.com/762433 http://download.novell.com/patch/finder/?keywords=48b04a33674cd4129a7b5210a9eb8985 From sle-security-updates at lists.suse.com Wed Jul 18 15:08:50 2012 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 18 Jul 2012 23:08:50 +0200 (CEST) Subject: SUSE-SU-2012:0888-1: moderate: Security update for net-snmp Message-ID: <20120718210850.8F1B43287C@maintenance.suse.de> SUSE Security Update: Security update for net-snmp ______________________________________________________________________________ Announcement ID: SUSE-SU-2012:0888-1 Rating: moderate References: #670789 #759352 #762433 #762887 Cross-References: CVE-2012-2141 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP1 SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 11 SP1 for VMware SUSE Linux Enterprise Server 11 SP1 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 11 SP1 
______________________________________________________________________________ An update that solves one vulnerability and has three fixes is now available. Description: This update to net-snmp resolves the following issues: * Specially crafted SNMP GET requests could cause a denial of service (application crash) via a heap-based out-of-bounds read flaw which could be exploited remotely (CVE-2012-2141). * The snmpd agent should read shared memory information from /proc/meminfo when running on Linux Kernel 2.6 or newer (bnc#762887). * The snmpd agent could crash when an AgentX sub-agent disconnects in the middle of a request (bnc#670789). * After rotating the net-snmp log file, use "try-restart" to restart the daemon. Reloading with a SIGHUP signal may trigger crashes when dynamic modules (dlmod) are in use (bnc#762433). Security Issue reference: * CVE-2012-2141 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp1-libsnmp15-6517 - SUSE Linux Enterprise Software Development Kit 11 SP1: zypper in -t patch sdksp1-libsnmp15-6517 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp1-libsnmp15-6517 - SUSE Linux Enterprise Server 11 SP1 for VMware: zypper in -t patch slessp1-libsnmp15-6517 - SUSE Linux Enterprise Server 11 SP1: zypper in -t patch slessp1-libsnmp15-6517 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp1-libsnmp15-6517 - SUSE Linux Enterprise Desktop 11 SP1: zypper in -t patch sledsp1-libsnmp15-6517 To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64): net-snmp-devel-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (x86_64): libsnmp15-32bit-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64): net-snmp-devel-32bit-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64): net-snmp-devel-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Software Development Kit 11 SP1 (x86_64): libsnmp15-32bit-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64): net-snmp-devel-32bit-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): libsnmp15-5.4.2.1-8.12.10.1 net-snmp-5.4.2.1-8.12.10.1 perl-SNMP-5.4.2.1-8.12.10.1 snmp-mibs-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64): libsnmp15-32bit-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Server 11 SP2 (ia64): libsnmp15-x86-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64): libsnmp15-5.4.2.1-8.12.10.1 net-snmp-5.4.2.1-8.12.10.1 perl-SNMP-5.4.2.1-8.12.10.1 snmp-mibs-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64): libsnmp15-32bit-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64): libsnmp15-5.4.2.1-8.12.10.1 net-snmp-5.4.2.1-8.12.10.1 perl-SNMP-5.4.2.1-8.12.10.1 snmp-mibs-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64): libsnmp15-32bit-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Server 11 SP1 (ia64): libsnmp15-x86-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64): libsnmp15-5.4.2.1-8.12.10.1 net-snmp-5.4.2.1-8.12.10.1 perl-SNMP-5.4.2.1-8.12.10.1 snmp-mibs-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64): libsnmp15-32bit-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64): libsnmp15-5.4.2.1-8.12.10.1 net-snmp-5.4.2.1-8.12.10.1 
perl-SNMP-5.4.2.1-8.12.10.1 snmp-mibs-5.4.2.1-8.12.10.1 - SUSE Linux Enterprise Desktop 11 SP1 (x86_64): libsnmp15-32bit-5.4.2.1-8.12.10.1 References: http://support.novell.com/security/cve/CVE-2012-2141.html https://bugzilla.novell.com/670789 https://bugzilla.novell.com/759352 https://bugzilla.novell.com/762433 https://bugzilla.novell.com/762887 http://download.novell.com/patch/finder/?keywords=59f077255350ef94a864a7c48ecca695 From sle-security-updates at lists.suse.com Wed Jul 18 16:09:01 2012 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Jul 2012 00:09:01 +0200 (CEST) Subject: SUSE-SU-2012:0889-1: Security update for zypper Message-ID: <20120718220901.8B0DB3284D@maintenance.suse.de> SUSE Security Update: Security update for zypper ______________________________________________________________________________ Announcement ID: SUSE-SU-2012:0889-1 Rating: low References: #770630 Cross-References: CVE-2012-0420 Affected Products: SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 11 SP1 for VMware SUSE Linux Enterprise Server 11 SP1 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 11 SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. It includes two new package versions. Description: The following issue has been fixed: * The zypper setuid wrapper was linked against libzypp. This is not needed and added unnecessary attack vectors. CVE-2012-0420 has been assigned to this issue. Security Issue reference: * CVE-2012-0420 Patch Instructions: To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-zypper-6528 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-zypper-6528 - SUSE Linux Enterprise Server 11 SP1 for VMware: zypper in -t patch slessp1-zypper-6527 - SUSE Linux Enterprise Server 11 SP1: zypper in -t patch slessp1-zypper-6527 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-zypper-6528 - SUSE Linux Enterprise Desktop 11 SP1: zypper in -t patch sledsp1-zypper-6527 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 1.6.166]: zypper-1.6.166-0.5.1 zypper-log-1.6.166-0.5.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.6.166]: zypper-1.6.166-0.5.1 zypper-log-1.6.166-0.5.1 - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 1.3.21]: zypper-1.3.21-0.3.1 - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.3.21]: zypper-1.3.21-0.3.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 1.6.166]: zypper-1.6.166-0.5.1 zypper-log-1.6.166-0.5.1 - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 1.3.21]: zypper-1.3.21-0.3.1 References: http://support.novell.com/security/cve/CVE-2012-0420.html https://bugzilla.novell.com/770630 http://download.novell.com/patch/finder/?keywords=21b0014e7ebe0f97d850cca8d0be6bd5 http://download.novell.com/patch/finder/?keywords=857c5c5bf8d9a57d64e50045ec7ef20d From sle-security-updates at lists.suse.com Wed Jul 18 17:08:42 2012 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Jul 2012 01:08:42 +0200 (CEST) Subject: SUSE-SU-2012:0890-1: important: Security update for pidgin, finch and libpurple Message-ID: <20120718230842.1FC2D32882@maintenance.suse.de> SUSE Security Update: Security update for 
pidgin, finch and libpurple ______________________________________________________________________________ Announcement ID: SUSE-SU-2012:0890-1 Rating: important References: #770304 Cross-References: CVE-2012-3374 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP1 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 11 SP1 SUSE Linux Enterprise Desktop 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update of pidgin fixes a stack-based buffer overflow in the MXit protocol which could have potentially been exploited by remote attackers to execute arbitrary code in the context of the user running pidgin (CVE-2012-3374). Security Issue reference: * CVE-2012-3374 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp1-finch-6534 - SUSE Linux Enterprise Software Development Kit 11 SP1: zypper in -t patch sdksp1-finch-6534 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp1-finch-6534 - SUSE Linux Enterprise Desktop 11 SP1: zypper in -t patch sledsp1-finch-6534 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64): finch-2.6.6-0.17.1 finch-devel-2.6.6-0.17.1 libpurple-2.6.6-0.17.1 libpurple-devel-2.6.6-0.17.1 libpurple-lang-2.6.6-0.17.1 pidgin-2.6.6-0.17.1 pidgin-devel-2.6.6-0.17.1 - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64): finch-2.6.6-0.17.1 finch-devel-2.6.6-0.17.1 libpurple-2.6.6-0.17.1 libpurple-devel-2.6.6-0.17.1 libpurple-lang-2.6.6-0.17.1 pidgin-2.6.6-0.17.1 pidgin-devel-2.6.6-0.17.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64): finch-2.6.6-0.17.1 libpurple-2.6.6-0.17.1 libpurple-lang-2.6.6-0.17.1 libpurple-meanwhile-2.6.6-0.17.1 libpurple-tcl-2.6.6-0.17.1 pidgin-2.6.6-0.17.1 - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64): finch-2.6.6-0.17.1 libpurple-2.6.6-0.17.1 libpurple-lang-2.6.6-0.17.1 libpurple-meanwhile-2.6.6-0.17.1 libpurple-tcl-2.6.6-0.17.1 pidgin-2.6.6-0.17.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64): finch-2.6.6-0.18.1 libpurple-2.6.6-0.18.1 pidgin-2.6.6-0.18.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64): finch-2.6.6-0.18.1 finch-devel-2.6.6-0.18.1 libpurple-2.6.6-0.18.1 libpurple-devel-2.6.6-0.18.1 pidgin-2.6.6-0.18.1 pidgin-devel-2.6.6-0.18.1 References: http://support.novell.com/security/cve/CVE-2012-3374.html https://bugzilla.novell.com/770304 http://download.novell.com/patch/finder/?keywords=6cdbffccfb7e818b850e497dc8f94724 http://download.novell.com/patch/finder/?keywords=a738afec13eba5d4d2ab0d2b9a6f3416 From sle-security-updates at lists.suse.com Thu Jul 19 14:08:32 2012 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 19 Jul 2012 22:08:32 +0200 (CEST) Subject: SUSE-SU-2012:0894-1: important: Security update for libtiff Message-ID: <20120719200832.B392832889@maintenance.suse.de> SUSE Security Update: Security update for libtiff ______________________________________________________________________________ Announcement ID: 
SUSE-SU-2012:0894-1 Rating: important References: #767852 #767854 Cross-References: CVE-2012-2088 CVE-2012-2113 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP1 SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 11 SP1 for VMware SUSE Linux Enterprise Server 11 SP1 SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 11 SP1 SUSE Linux Enterprise Desktop 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: The following issue has been fixed: * Specially crafted tiff files could have caused overflows in libtiff (CVE-2012-2088, CVE-2012-2113). Security Issue references: * CVE-2012-2088 * CVE-2012-2113 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp1-libtiff-devel-6475 - SUSE Linux Enterprise Software Development Kit 11 SP1: zypper in -t patch sdksp1-libtiff-devel-6475 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp1-libtiff-devel-6475 - SUSE Linux Enterprise Server 11 SP1 for VMware: zypper in -t patch slessp1-libtiff-devel-6475 - SUSE Linux Enterprise Server 11 SP1: zypper in -t patch slessp1-libtiff-devel-6475 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp1-libtiff-devel-6475 - SUSE Linux Enterprise Desktop 11 SP1: zypper in -t patch sledsp1-libtiff-devel-6475 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64): libtiff-devel-3.8.2-141.146.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64): libtiff-devel-32bit-3.8.2-141.146.1 - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64): libtiff-devel-3.8.2-141.146.1 - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64 s390x x86_64): libtiff-devel-32bit-3.8.2-141.146.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): libtiff3-3.8.2-141.146.1 tiff-3.8.2-141.146.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64): libtiff3-32bit-3.8.2-141.146.1 - SUSE Linux Enterprise Server 11 SP2 (ia64): libtiff3-x86-3.8.2-141.146.1 - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64): libtiff3-3.8.2-141.146.1 tiff-3.8.2-141.146.1 - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64): libtiff3-32bit-3.8.2-141.146.1 - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64): libtiff3-3.8.2-141.146.1 tiff-3.8.2-141.146.1 - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64): libtiff3-32bit-3.8.2-141.146.1 - SUSE Linux Enterprise Server 11 SP1 (ia64): libtiff3-x86-3.8.2-141.146.1 - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64): libtiff-3.8.2-5.28.1 libtiff-devel-3.8.2-5.28.1 tiff-3.8.2-5.28.1 - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64): libtiff-32bit-3.8.2-5.28.1 libtiff-devel-32bit-3.8.2-5.28.1 - SUSE Linux Enterprise Server 10 SP4 (ia64): libtiff-x86-3.8.2-5.28.1 - SUSE Linux Enterprise Server 10 SP4 (ppc): libtiff-64bit-3.8.2-5.28.1 libtiff-devel-64bit-3.8.2-5.28.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64): libtiff3-3.8.2-141.146.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64): libtiff3-32bit-3.8.2-141.146.1 - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64): libtiff3-3.8.2-141.146.1 - SUSE Linux Enterprise Desktop 11 SP1 (x86_64): libtiff3-32bit-3.8.2-141.146.1 - SUSE Linux 
Enterprise Desktop 10 SP4 (i586 x86_64): libtiff-3.8.2-5.28.1 libtiff-devel-3.8.2-5.28.1 tiff-3.8.2-5.28.1 - SUSE Linux Enterprise Desktop 10 SP4 (x86_64): libtiff-32bit-3.8.2-5.28.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64): libtiff-devel-3.8.2-5.28.1 - SLE SDK 10 SP4 (s390x x86_64): libtiff-devel-32bit-3.8.2-5.28.1 - SLE SDK 10 SP4 (ppc): libtiff-devel-64bit-3.8.2-5.28.1 References: http://support.novell.com/security/cve/CVE-2012-2088.html http://support.novell.com/security/cve/CVE-2012-2113.html https://bugzilla.novell.com/767852 https://bugzilla.novell.com/767854 http://download.novell.com/patch/finder/?keywords=bb00258755d4c0881387cfdfcb958733 http://download.novell.com/patch/finder/?keywords=eb87a9a1df36e6f2c25af8a7fd0d5d74 From sle-security-updates at lists.suse.com Fri Jul 20 17:08:16 2012 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 21 Jul 2012 01:08:16 +0200 (CEST) Subject: SUSE-SU-2012:0895-1: important: Security update for Mozilla Firefox Message-ID: <20120720230816.DACFB32886@maintenance.suse.de> SUSE Security Update: Security update for Mozilla Firefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2012:0895-1 Rating: important References: #712248 #771583 Cross-References: CVE-2012-1948 CVE-2012-1949 CVE-2012-1950 CVE-2012-1951 CVE-2012-1952 CVE-2012-1953 CVE-2012-1954 CVE-2012-1955 CVE-2012-1957 CVE-2012-1958 CVE-2012-1959 CVE-2012-1961 CVE-2012-1962 CVE-2012-1963 CVE-2012-1964 CVE-2012-1965 CVE-2012-1966 CVE-2012-1967 Affected Products: SUSE Linux Enterprise Server 10 SP4 SUSE Linux Enterprise Desktop 10 SP4 SLE SDK 10 SP4 ______________________________________________________________________________ An update that fixes 18 vulnerabilities is now available. It includes one version update. Description: MozillaFirefox has been updated to the 10.0.6ESR security release fixing various bugs and several security issues, some critical.
The following security issues have been fixed: * MFSA 2012-42: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. * CVE-2012-1948: Benoit Jacob, Jesse Ruderman, Christian Holler, and Bill McCloskey reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 13. * MFSA 2012-43 / CVE-2012-1950: Security researcher Mario Gomes and research firm Code Audit Labs reported a mechanism to short-circuit page loads through drag and drop to the addressbar by canceling the page load. This causes the previously entered address to be displayed in the addressbar instead of the currently loaded page. This could lead to potential phishing attacks on users. * MFSA 2012-44: Google security researcher Abhishek Arya used the Address Sanitizer tool to uncover four issues: two use-after-free problems, one out of bounds read bug, and a bad cast. The first use-after-free problem is caused when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made to call into objects in this array later. The second use-after-free problem is in nsDocument::AdoptNode when it adopts into an empty document and then adopts into another document, emptying the first one. The heap buffer overflow is in ElementAnimations when data is read off the end of an array and then pointers are dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called with frames in aFrameList that are a mix of row group frames and column group frames. AppendFrames is not able to handle this mix. All four of these issues are potentially exploitable.
o CVE-2012-1951: Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased o CVE-2012-1954: Heap-use-after-free in nsDocument::AdoptNode o CVE-2012-1953: Out of bounds read in ElementAnimations::EnsureStyleRuleFor o CVE-2012-1952: Bad cast in nsTableFrame::InsertFrames * MFSA 2012-45 / CVE-2012-1955: Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, calls to history.forward and history.back are used to navigate to a site while displaying the previous site in the addressbar but changing the baseURI to the newer site. This can be used for phishing by allowing the user to input form or other data on the newer, attacking, site while appearing to be on the older, displayed site. * MFSA 2012-46 / CVE-2012-1966: Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a data: URL. In this issue, context menu functionality ("View Image", "Show only this frame", and "View background image") is disallowed in a javascript: URL but allowed in a data: URL, allowing for XSS. This can lead to arbitrary code execution. * MFSA 2012-47 / CVE-2012-1957: Security researcher Mario Heiderich reported that javascript could be executed in the HTML feed-view using tag within the RSS. This problem is due to tags not being filtered out during parsing and can lead to a potential cross-site scripting (XSS) attack. The flaw existed in a parser utility class and could affect other parts of the browser or add-ons which rely on that class to sanitize untrusted input. * MFSA 2012-48 / CVE-2012-1958: Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent is released and oldFocusedContent is used afterwards. This use-after-free could possibly allow for remote code execution.
* MFSA 2012-49 / CVE-2012-1959: Mozilla developer Bobby Holley found that same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. Cross-compartment wrappers often do not go through SCSW, but have a filtering policy built into them. When an object is wrapped cross-compartment, the SCSW is stripped off and, when the object is read back, it is not known that SCSW was previously present, resulting in a bypass of SCSW. This could result in untrusted content having access to the XBL that implements browser functionality. * MFSA 2012-50 / CVE-2012-1960: Google developer Tony Payne reported an out of bounds (OOB) read in QCMS, Mozilla's color management library. With a carefully crafted color profile portions of a user's memory could be incorporated into a transformed image and possibly deciphered. * MFSA 2012-51 / CVE-2012-1961: Bugzilla developer Frederic Buclin reported that the X-Frame-Options header is ignored when the value is duplicated, for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown reasons on some websites and when it occurs results in Mozilla browsers not being protected against possible clickjacking attacks on those pages. * MFSA 2012-52 / CVE-2012-1962: Security researcher Bill Keese reported a memory corruption. This is caused by JSDependentString::undepend changing a dependent string into a fixed string when there are additional dependent strings relying on the same base. When the undepend occurs during conversion, the base data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash. * MFSA 2012-53 / CVE-2012-1963: Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP violation reports generated by Firefox and sent to the "report-uri" location include sensitive data within the "blocked-uri" parameter.
These include fragment components and query strings even if the "blocked-uri" parameter has a different origin than the protected resource. This can be used by malicious sites to retrieve a user's OAuth 2.0 access tokens and OpenID credentials. * MFSA 2012-54 / CVE-2012-1964: Security researcher Matt McCutchen reported a clickjacking attack using the certificate warning page. A man-in-the-middle (MITM) attacker can use an iframe to display its own certificate error warning page (about:certerror) with the "Add Exception" button of a real warning page from a malicious site. This can mislead users into adding a certificate exception for a different site than the perceived one. Once the certificate exception has been added, this can lead to compromised communications with the site the user perceives through the MITM attack. * MFSA 2012-55 / CVE-2012-1965: Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites. * MFSA 2012-56 / CVE-2012-1967: Mozilla security researcher moz_bug_r_a4 reported an arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are executed in such a sandbox with insufficient context that can allow those scripts to escape from the sandbox and run with elevated privilege. This can lead to arbitrary code execution.
Security Issue references: * CVE-2012-1967 * CVE-2012-1948 * CVE-2012-1949 * CVE-2012-1951 * CVE-2012-1952 * CVE-2012-1953 * CVE-2012-1954 * CVE-2012-1966 * CVE-2012-1958 * CVE-2012-1959 * CVE-2012-1962 * CVE-2012-1950 * CVE-2012-1955 * CVE-2012-1957 * CVE-2012-1961 * CVE-2012-1963 * CVE-2012-1964 * CVE-2012-1965 Package List: - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64): firefox3-gtk2-2.10.6-0.12.1 - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 7]: MozillaFirefox-10.0.6-0.6.1 MozillaFirefox-branding-SLED-7-0.8.25 MozillaFirefox-translations-10.0.6-0.6.1 - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64): firefox3-gtk2-32bit-2.10.6-0.12.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64): firefox3-gtk2-2.10.6-0.12.1 - SUSE Linux Enterprise Desktop 10 SP4 (x86_64): firefox3-gtk2-32bit-2.10.6-0.12.1 - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 7]: MozillaFirefox-10.0.6-0.6.1 MozillaFirefox-branding-SLED-7-0.8.25 MozillaFirefox-translations-10.0.6-0.6.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64): firefox3-gtk2-devel-2.10.6-0.12.1 firefox3-gtk2-doc-2.10.6-0.12.1 - SLE SDK 10 SP4 (i586 ia64 ppc s390x): MozillaFirefox-branding-upstream-10.0.6-0.6.1 References: http://support.novell.com/security/cve/CVE-2012-1948.html http://support.novell.com/security/cve/CVE-2012-1949.html http://support.novell.com/security/cve/CVE-2012-1950.html http://support.novell.com/security/cve/CVE-2012-1951.html http://support.novell.com/security/cve/CVE-2012-1952.html http://support.novell.com/security/cve/CVE-2012-1953.html http://support.novell.com/security/cve/CVE-2012-1954.html http://support.novell.com/security/cve/CVE-2012-1955.html http://support.novell.com/security/cve/CVE-2012-1957.html http://support.novell.com/security/cve/CVE-2012-1958.html http://support.novell.com/security/cve/CVE-2012-1959.html http://support.novell.com/security/cve/CVE-2012-1961.html http://support.novell.com/security/cve/CVE-2012-1962.html 
http://support.novell.com/security/cve/CVE-2012-1963.html http://support.novell.com/security/cve/CVE-2012-1964.html http://support.novell.com/security/cve/CVE-2012-1965.html http://support.novell.com/security/cve/CVE-2012-1966.html http://support.novell.com/security/cve/CVE-2012-1967.html https://bugzilla.novell.com/712248 https://bugzilla.novell.com/771583 http://download.novell.com/patch/finder/?keywords=96da6f10cbe978aeccb3ac8d9d6b7ef8 From sle-security-updates at lists.suse.com Fri Jul 20 19:08:20 2012 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 21 Jul 2012 03:08:20 +0200 (CEST) Subject: SUSE-SU-2012:0896-1: important: Security update for Mozilla Firefox Message-ID: <20120721010820.C0B7A3287E@maintenance.suse.de> SUSE Security Update: Security update for Mozilla Firefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2012:0896-1 Rating: important References: #771583 Cross-References: CVE-2012-1948 CVE-2012-1949 CVE-2012-1950 CVE-2012-1951 CVE-2012-1952 CVE-2012-1953 CVE-2012-1954 CVE-2012-1955 CVE-2012-1957 CVE-2012-1958 CVE-2012-1959 CVE-2012-1961 CVE-2012-1962 CVE-2012-1963 CVE-2012-1964 CVE-2012-1965 CVE-2012-1966 CVE-2012-1967 Affected Products: SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 11 SP1 for VMware SUSE Linux Enterprise Server 11 SP1 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 11 SP1 ______________________________________________________________________________ An update that fixes 18 vulnerabilities is now available. It includes two new package versions. Description: MozillaFirefox has been updated to the 10.0.6ESR security release fixing various bugs and several security issues, some critical. The following security issues have been fixed: * MFSA 2012-42: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. 
Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. * CVE-2012-1948: Benoit Jacob, Jesse Ruderman, Christian Holler, and Bill McCloskey reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 13. * MFSA 2012-43 / CVE-2012-1950: Security researcher Mario Gomes and research firm Code Audit Labs reported a mechanism to short-circuit page loads through drag and drop to the addressbar by canceling the page load. This causes the previously entered address to be displayed in the addressbar instead of the currently loaded page. This could lead to potential phishing attacks on users. * MFSA 2012-44: Google security researcher Abhishek Arya used the Address Sanitizer tool to uncover four issues: two use-after-free problems, one out of bounds read bug, and a bad cast. The first use-after-free problem is caused when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made to call into objects in this array later. The second use-after-free problem is in nsDocument::AdoptNode when it adopts into an empty document and then adopts into another document, emptying the first one. The heap buffer overflow is in ElementAnimations when data is read off the end of an array and then pointers are dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called with frames in aFrameList that are a mix of row group frames and column group frames. AppendFrames is not able to handle this mix. All four of these issues are potentially exploitable.
o CVE-2012-1951: Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased o CVE-2012-1954: Heap-use-after-free in nsDocument::AdoptNode o CVE-2012-1953: Out of bounds read in ElementAnimations::EnsureStyleRuleFor o CVE-2012-1952: Bad cast in nsTableFrame::InsertFrames * MFSA 2012-45 / CVE-2012-1955: Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, calls to history.forward and history.back are used to navigate to a site while displaying the previous site in the addressbar but changing the baseURI to the newer site. This can be used for phishing by allowing the user to input form or other data on the newer, attacking, site while appearing to be on the older, displayed site. * MFSA 2012-46 / CVE-2012-1966: Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a data: URL. In this issue, context menu functionality ("View Image", "Show only this frame", and "View background image") is disallowed in a javascript: URL but allowed in a data: URL, allowing for XSS. This can lead to arbitrary code execution. * MFSA 2012-47 / CVE-2012-1957: Security researcher Mario Heiderich reported that javascript could be executed in the HTML feed-view using tag within the RSS. This problem is due to tags not being filtered out during parsing and can lead to a potential cross-site scripting (XSS) attack. The flaw existed in a parser utility class and could affect other parts of the browser or add-ons which rely on that class to sanitize untrusted input. * MFSA 2012-48 / CVE-2012-1958: Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent is released and oldFocusedContent is used afterwards. This use-after-free could possibly allow for remote code execution.
* MFSA 2012-49 / CVE-2012-1959: Mozilla developer Bobby Holley found that same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. Cross-compartment wrappers often do not go through SCSW, but have a filtering policy built into them. When an object is wrapped cross-compartment, the SCSW is stripped off and, when the object is read back, it is not known that SCSW was previously present, resulting in a bypassing of SCSW. This could result in untrusted content having access to the XBL that implements browser functionality.

* MFSA 2012-50 / CVE-2012-1960: Google developer Tony Payne reported an out of bounds (OOB) read in QCMS, Mozilla's color management library. With a carefully crafted color profile, portions of a user's memory could be incorporated into a transformed image and possibly deciphered.

* MFSA 2012-51 / CVE-2012-1961: Bugzilla developer Frederic Buclin reported that the X-Frame-Options header is ignored when the value is duplicated, for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown reasons on some websites and, when it occurs, results in Mozilla browsers not being protected against possible clickjacking attacks on those pages.

* MFSA 2012-52 / CVE-2012-1962: Security researcher Bill Keese reported a memory corruption issue. This is caused by JSDependentString::undepend changing a dependent string into a fixed string when there are additional dependent strings relying on the same base. When the undepend occurs during conversion, the base data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash.

* MFSA 2012-53 / CVE-2012-1963: Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP violation reports generated by Firefox and sent to the "report-uri" location include sensitive data within the "blocked-uri" parameter.
These include fragment components and query strings even if the "blocked-uri" parameter has a different origin than the protected resource. This can be used by malicious sites to retrieve a user's OAuth 2.0 access tokens and OpenID credentials.

* MFSA 2012-54 / CVE-2012-1964: Security researcher Matt McCutchen reported a clickjacking attack using the certificate warning page. A man-in-the-middle (MITM) attacker can use an iframe to display its own certificate error warning page (about:certerror) with the "Add Exception" button of a real warning page from a malicious site. This can mislead users into adding a certificate exception for a different site than the perceived one. This can lead to compromised communications with the user-perceived site through the MITM attack once the certificate exception has been added.

* MFSA 2012-55 / CVE-2012-1965: Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites.

* MFSA 2012-56 / CVE-2012-1967: Mozilla security researcher moz_bug_r_a4 reported an arbitrary code execution attack using a javascript: URL. The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are executed in such a sandbox with insufficient context that can allow those scripts to escape from the sandbox and run with elevated privilege. This can lead to arbitrary code execution.
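The MFSA 2012-51 item above shows that a duplicated X-Frame-Options value ("SAMEORIGIN, SAMEORIGIN") left pages unprotected, because the browser dropped the header rather than picking a token. The following is an added example, not code from the SUSE advisory or from Mozilla: a response-header lint a site operator can run over captured headers to flag exactly that duplication (as well as conflicting, invalid or missing values). The header name, the DENY/SAMEORIGIN/ALLOW-FROM tokens are the standard ones; the sample responses are constructed.

```python
"""Lint X-Frame-Options response headers for the duplication case described in
MFSA 2012-51 (CVE-2012-1961). Added example, not part of the SUSE advisory or
Mozilla's code. Input is a list of (name, value) pairs as a server-side test or
a logging proxy would record them; the sample responses below are constructed."""

VALID_TOKENS = {"DENY", "SAMEORIGIN"}


def effective_xfo(headers):
    """Collect every X-Frame-Options token a client would see.

    Multiple header lines and comma-joined values are both folded into one
    list, since a client that joins repeated header lines sees them the same way.
    """
    tokens = []
    for name, value in headers:
        if name.lower() != "x-frame-options":
            continue
        tokens.extend(t.strip().upper() for t in value.split(",") if t.strip())
    return tokens


def lint_xfo(headers):
    """Return (ok, finding). ok is True only for exactly one valid token.

    Anything else is reported, because the advisory shows that a browser may
    drop the whole header rather than pick a token, leaving the page frameable.
    """
    tokens = effective_xfo(headers)
    if not tokens:
        return False, "missing: no X-Frame-Options header, page is frameable"
    distinct = set(tokens)
    bad = sorted(t for t in distinct
                 if t not in VALID_TOKENS and not t.startswith("ALLOW-FROM "))
    if bad:
        return False, "invalid token(s): " + ", ".join(bad)
    if len(tokens) > 1 and len(distinct) == 1:
        return False, f"duplicated value {tokens[0]!r} x{len(tokens)}: some browsers ignore it"
    if len(distinct) > 1:
        return False, "conflicting values: " + ", ".join(sorted(distinct))
    return True, f"single value {tokens[0]}"


# Constructed sample responses, labelled by the case each one illustrates.
SAMPLES = {
    "clean": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "dup_in_one_line": [("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN")],
    "dup_two_lines": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "DENY")],
    "conflict": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "missing": [("Content-Type", "text/html")],
}


def lint_all(samples=SAMPLES):
    """Lint every sample; returns {label: (ok, finding)}."""
    return {label: lint_xfo(hdrs) for label, hdrs in samples.items()}


if __name__ == "__main__":
    for label, (ok, finding) in lint_all().items():
        print(f"{label:16} {'OK  ' if ok else 'FAIL'} {finding}")
```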
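For the MFSA 2012-53 item, the leak happens in the browser, but the report-uri endpoint is under the site's control and can drop the sensitive parts before anything is persisted. The following is an added example, not code from the SUSE advisory or from Firefox: a redaction step for a CSP report collector that strips query and fragment from every URL field and collapses cross-origin URLs to their origin. The field names are the CSP report fields; the sample report and the example.test hostnames are constructed.

```python
"""Redact a CSP violation report before it is logged. Added example, not code
from the SUSE advisory or from Firefox. It addresses the collector side of
MFSA 2012-53 (CVE-2012-1963): an affected browser sends "blocked-uri" with
query string and fragment intact, so the report endpoint strips them before
the report reaches logs or a database. The sample report is constructed."""

import json
from urllib.parse import urlsplit, urlunsplit

# Report fields that carry URLs and may therefore carry tokens.
URL_FIELDS = ("blocked-uri", "document-uri", "referrer", "source-file")


def origin_of(url):
    """scheme://host[:port] of url, or '' if it has no network location."""
    parts = urlsplit(url)
    if not parts.netloc:
        return ""
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def redact_url(url, protected_origin):
    """Drop query and fragment; for cross-origin URLs keep only the origin.

    This mirrors what a conforming browser should have sent: same-origin
    URLs keep their path, anything else collapses to scheme://host.
    """
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return url  # keyword values such as "inline" or "eval" pass through
    if origin_of(url) != protected_origin:
        return origin_of(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def redact_report(raw_json):
    """Parse a report-uri POST body and return the redacted csp-report dict."""
    report = json.loads(raw_json)["csp-report"]
    protected = origin_of(report.get("document-uri", ""))
    cleaned = dict(report)
    for field in URL_FIELDS:
        if field in cleaned and isinstance(cleaned[field], str):
            cleaned[field] = redact_url(cleaned[field], protected)
    return cleaned


# Constructed sample: a blocked cross-origin frame whose URL carries an
# OAuth-style token in the fragment, as the advisory describes.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example.test/dashboard?tab=2",
    "referrer": "",
    "violated-directive": "frame-src 'self'",
    "blocked-uri": "https://idp.example.test/cb?state=abc#access_token=SECRET123",
}})


if __name__ == "__main__":
    print(json.dumps(redact_report(SAMPLE_REPORT), indent=2))
```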
Security Issue references:

   * CVE-2012-1967
   * CVE-2012-1948
   * CVE-2012-1949
   * CVE-2012-1951
   * CVE-2012-1952
   * CVE-2012-1953
   * CVE-2012-1954
   * CVE-2012-1966
   * CVE-2012-1958
   * CVE-2012-1959
   * CVE-2012-1962
   * CVE-2012-1950
   * CVE-2012-1955
   * CVE-2012-1957
   * CVE-2012-1961
   * CVE-2012-1963
   * CVE-2012-1964
   * CVE-2012-1965

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp1-firefox-201207-6574

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-firefox-201207-6574

   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-firefox-201207-6574

   - SUSE Linux Enterprise Desktop 11 SP2:
      zypper in -t patch sledsp1-firefox-201207-6574

   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-firefox-201207-6574

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.6 and 7]:
      MozillaFirefox-10.0.6-0.4.1
      MozillaFirefox-branding-SLED-7-0.6.7.70
      MozillaFirefox-translations-10.0.6-0.4.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 10.0.6]:
      MozillaFirefox-10.0.6-0.4.1
      MozillaFirefox-translations-10.0.6-0.4.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.6 and 7]:
      MozillaFirefox-10.0.6-0.4.1
      MozillaFirefox-branding-SLED-7-0.6.7.70
      MozillaFirefox-translations-10.0.6-0.4.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.6 and 7]:
      MozillaFirefox-10.0.6-0.4.1
      MozillaFirefox-branding-SLED-7-0.6.7.70
      MozillaFirefox-translations-10.0.6-0.4.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 10.0.6 and 7]:
      MozillaFirefox-10.0.6-0.4.1
      MozillaFirefox-branding-SLED-7-0.6.7.70
      MozillaFirefox-translations-10.0.6-0.4.1

References:

   http://support.novell.com/security/cve/CVE-2012-1948.html
   http://support.novell.com/security/cve/CVE-2012-1949.html
   http://support.novell.com/security/cve/CVE-2012-1950.html
   http://support.novell.com/security/cve/CVE-2012-1951.html
   http://support.novell.com/security/cve/CVE-2012-1952.html
   http://support.novell.com/security/cve/CVE-2012-1953.html
   http://support.novell.com/security/cve/CVE-2012-1954.html
   http://support.novell.com/security/cve/CVE-2012-1955.html
   http://support.novell.com/security/cve/CVE-2012-1957.html
   http://support.novell.com/security/cve/CVE-2012-1958.html
   http://support.novell.com/security/cve/CVE-2012-1959.html
   http://support.novell.com/security/cve/CVE-2012-1961.html
   http://support.novell.com/security/cve/CVE-2012-1962.html
   http://support.novell.com/security/cve/CVE-2012-1963.html
   http://support.novell.com/security/cve/CVE-2012-1964.html
   http://support.novell.com/security/cve/CVE-2012-1965.html
   http://support.novell.com/security/cve/CVE-2012-1966.html
   http://support.novell.com/security/cve/CVE-2012-1967.html
   https://bugzilla.novell.com/771583
   http://download.novell.com/patch/finder/?keywords=0b1471bd5af6e54566551a32a23095d3


From sle-security-updates at lists.suse.com Mon Jul 23 11:08:39 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Jul 2012 19:08:39 +0200 (CEST)
Subject: SUSE-SU-2012:0901-1: Security update for libxslt
Message-ID: <20120723170839.3EF5E32884@maintenance.suse.de>

SUSE Security Update: Security update for libxslt
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0901-1
Rating: low
References: #769182
Cross-References: CVE-2012-2825
Affected Products:
   SUSE Linux Enterprise Software Development Kit 11 SP2
   SUSE Linux Enterprise Software Development Kit 11 SP1
   SUSE Linux Enterprise Server 11 SP2
   SUSE Linux Enterprise Server 11 SP1 for VMware
   SUSE Linux Enterprise Server 11 SP1
   SUSE Linux Enterprise Server 10 SP4
   SUSE Linux Enterprise Desktop 11 SP2
   SUSE Linux Enterprise Desktop 11 SP1
   SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

The following issue has been fixed:

   * Specially crafted XSL documents could have crashed libxslt (CVE-2012-2825)

Security Issue reference:

   * CVE-2012-2825

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp1-libxslt-6491

   - SUSE Linux Enterprise Software Development Kit 11 SP1:
      zypper in -t patch sdksp1-libxslt-6491

   - SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp1-libxslt-6491

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-libxslt-6491

   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-libxslt-6491

   - SUSE Linux Enterprise Desktop 11 SP2:
      zypper in -t patch sledsp1-libxslt-6491

   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-libxslt-6491

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      libxslt-devel-1.1.24-19.19.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64):
      libxslt-devel-32bit-1.1.24-19.19.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      libxslt-devel-1.1.24-19.19.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64 s390x x86_64):
      libxslt-devel-32bit-1.1.24-19.19.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      libxslt-1.1.24-19.19.1

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):
      libxslt-32bit-1.1.24-19.19.1

   - SUSE Linux Enterprise Server 11 SP2 (ia64):
      libxslt-x86-1.1.24-19.19.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
      libxslt-1.1.24-19.19.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64):
      libxslt-32bit-1.1.24-19.19.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      libxslt-1.1.24-19.19.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64):
      libxslt-32bit-1.1.24-19.19.1

   - SUSE Linux Enterprise Server 11 SP1 (ia64):
      libxslt-x86-1.1.24-19.19.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
      libxslt-1.1.15-15.18.4
      libxslt-devel-1.1.15-15.18.4

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):
      libxslt-32bit-1.1.15-15.18.4
      libxslt-devel-32bit-1.1.15-15.18.4

   - SUSE Linux Enterprise Server 10 SP4 (ia64):
      libxslt-x86-1.1.15-15.18.4

   - SUSE Linux Enterprise Server 10 SP4 (ppc):
      libxslt-64bit-1.1.15-15.18.4
      libxslt-devel-64bit-1.1.15-15.18.4

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
      libxslt-1.1.24-19.19.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):
      libxslt-32bit-1.1.24-19.19.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
      libxslt-1.1.24-19.19.1

   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64):
      libxslt-32bit-1.1.24-19.19.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
      libxslt-1.1.15-15.18.4
      libxslt-devel-1.1.15-15.18.4

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
      libxslt-32bit-1.1.15-15.18.4
      libxslt-devel-32bit-1.1.15-15.18.4

References:

   http://support.novell.com/security/cve/CVE-2012-2825.html
   https://bugzilla.novell.com/769182
   http://download.novell.com/patch/finder/?keywords=295ca8af6e771f001479c62f203d3b4e
   http://download.novell.com/patch/finder/?keywords=bfb749443a7fe15c20cde485a0b1485b


From sle-security-updates at lists.suse.com Mon Jul 23 11:08:41 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Jul 2012 19:08:41 +0200 (CEST)
Subject: SUSE-SU-2012:0902-1: important: Security update for libexif
Message-ID: <20120723170841.A72BE32889@maintenance.suse.de>

SUSE Security Update: Security update for libexif
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0902-1
Rating: important
References: #771229
Cross-References: CVE-2012-2812 CVE-2012-2814 CVE-2012-2836 CVE-2012-2837 CVE-2012-2841
Affected Products:
   SUSE Linux Enterprise Server 10 SP4
   SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

Various overflows and other security related bugs in libexif were found by the Google Security team and fixed by the libexif developers.
Security Issue references:

   * CVE-2012-2812
   * CVE-2012-2814
   * CVE-2012-2836
   * CVE-2012-2837
   * CVE-2012-2841

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
      libexif-0.6.13-20.14.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):
      libexif-32bit-0.6.13-20.14.1

   - SUSE Linux Enterprise Server 10 SP4 (ia64):
      libexif-x86-0.6.13-20.14.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc):
      libexif-64bit-0.6.13-20.14.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
      libexif-0.6.13-20.14.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
      libexif-32bit-0.6.13-20.14.1

References:

   http://support.novell.com/security/cve/CVE-2012-2812.html
   http://support.novell.com/security/cve/CVE-2012-2814.html
   http://support.novell.com/security/cve/CVE-2012-2836.html
   http://support.novell.com/security/cve/CVE-2012-2837.html
   http://support.novell.com/security/cve/CVE-2012-2841.html
   https://bugzilla.novell.com/771229
   http://download.novell.com/patch/finder/?keywords=9eed174e86533459e960c872be45c510


From sle-security-updates at lists.suse.com Mon Jul 23 11:08:43 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Jul 2012 19:08:43 +0200 (CEST)
Subject: SUSE-SU-2012:0903-1: important: Security update for libexif
Message-ID: <20120723170843.736D632884@maintenance.suse.de>

SUSE Security Update: Security update for libexif
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0903-1
Rating: important
References: #771229
Cross-References: CVE-2012-2812 CVE-2012-2813 CVE-2012-2814 CVE-2012-2836 CVE-2012-2837 CVE-2012-2840 CVE-2012-2841
Affected Products:
   SUSE Linux Enterprise Software Development Kit 11 SP2
   SUSE Linux Enterprise Software Development Kit 11 SP1
   SUSE Linux Enterprise Server 11 SP2
   SUSE Linux Enterprise Server 11 SP1 for VMware
   SUSE Linux Enterprise Server 11 SP1
   SUSE Linux Enterprise Desktop 11 SP2
   SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

Various overflows and other security related bugs in libexif were found by the Google Security team and fixed by the libexif developers.

Security Issue references:

   * CVE-2012-2812
   * CVE-2012-2813
   * CVE-2012-2814
   * CVE-2012-2836
   * CVE-2012-2837
   * CVE-2012-2840
   * CVE-2012-2841

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp1-libexif-6568

   - SUSE Linux Enterprise Software Development Kit 11 SP1:
      zypper in -t patch sdksp1-libexif-6568

   - SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp1-libexif-6568

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-libexif-6568

   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-libexif-6568

   - SUSE Linux Enterprise Desktop 11 SP2:
      zypper in -t patch sledsp1-libexif-6568

   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-libexif-6568

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      libexif-devel-0.6.17-2.14.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      libexif-devel-0.6.17-2.14.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      libexif-0.6.17-2.14.1

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):
      libexif-32bit-0.6.17-2.14.1

   - SUSE Linux Enterprise Server 11 SP2 (ia64):
      libexif-x86-0.6.17-2.14.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
      libexif-0.6.17-2.14.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64):
      libexif-32bit-0.6.17-2.14.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      libexif-0.6.17-2.14.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64):
      libexif-32bit-0.6.17-2.14.1

   - SUSE Linux Enterprise Server 11 SP1 (ia64):
      libexif-x86-0.6.17-2.14.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
      libexif-0.6.17-2.14.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):
      libexif-32bit-0.6.17-2.14.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
      libexif-0.6.17-2.14.1

   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64):
      libexif-32bit-0.6.17-2.14.1

References:

   http://support.novell.com/security/cve/CVE-2012-2812.html
   http://support.novell.com/security/cve/CVE-2012-2813.html
   http://support.novell.com/security/cve/CVE-2012-2814.html
   http://support.novell.com/security/cve/CVE-2012-2836.html
   http://support.novell.com/security/cve/CVE-2012-2837.html
   http://support.novell.com/security/cve/CVE-2012-2840.html
   http://support.novell.com/security/cve/CVE-2012-2841.html
   https://bugzilla.novell.com/771229
   http://download.novell.com/patch/finder/?keywords=795efea468ff4df45b9a7a62eb66f947


From sle-security-updates at lists.suse.com Mon Jul 23 16:08:32 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Jul 2012 00:08:32 +0200 (CEST)
Subject: SUSE-SU-2012:0904-1: moderate: Security update for Linux kernel
Message-ID: <20120723220832.3345632884@maintenance.suse.de>

SUSE Security Update: Security update for Linux kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0904-1
Rating: moderate
References: #630970 #661605 #720374 #729247 #734300 #752858 #754085 #754428 #755513 #755537 #755546 #756050 #758013 #758058 #758104 #758260 #759545 #760902 #760974 #761414 #761988 #763194 #763656 #763830 #764098 #764150 #764500 #765022 #765102 #765320 #765548 #767684 #768632 #769210 #769685 #769777 #769784 #769896
Cross-References: CVE-2012-2123 CVE-2012-2136 CVE-2012-2319 CVE-2012-2383 CVE-2012-2384 CVE-2012-2390 CVE-2012-2663 CVE-2012-3375 CVE-2012-3400
Affected Products:
   SUSE Linux Enterprise Server 11 SP1 for VMware
   SUSE Linux Enterprise Server 11 SP1
   SUSE Linux Enterprise High Availability Extension 11 SP1
   SUSE Linux Enterprise Desktop 11 SP1
   SLE 11 SERVER Unsupported Extras
______________________________________________________________________________

An update that solves 9 vulnerabilities and has 29 fixes is now available. It includes one version update.

Description:

The SUSE Linux Enterprise 11 SP1 kernel has been updated to fix various bugs and security issues.

The following security issues have been fixed:

   * CVE-2012-3400: Several buffer overread and overwrite errors in the UDF logical volume descriptor code were fixed that might have allowed local attackers able to mount UDF volumes to crash the kernel or potentially gain privileges.

   * CVE-2012-3375: A local denial of service in the last epoll fix was fixed.

   * CVE-2012-2384: An integer overflow in i915_gem_do_execbuffer() was fixed that might be used by local attackers to crash the kernel or potentially execute code.

   * CVE-2012-2383: An integer overflow in i915_gem_execbuffer2() was fixed that might be used by local attackers to crash the kernel or potentially execute code.
   * CVE-2012-2390: Memory leaks in the hugetlbfs map reservation code were fixed that could be used by local attackers to exhaust machine memory.

   * CVE-2012-2123: The filesystem capability handling was not fully correct, allowing local users to bypass fscaps related restrictions to disable e.g. address space randomization.

   * CVE-2012-2136: Validation of data_len before allocating fragments of skbs was fixed that might have allowed a heap overflow.

   * CVE-2012-2319: Fixed potential buffer overflows in the hfsplus filesystem, which might be exploited by local attackers able to mount such filesystems.

Several leapsecond related bug fixes have been created:

   * hrtimer: provide clock_was_set_delayed() (bnc#768632).
   * time: Fix leapsecond triggered hrtimer/futex load spike issue (bnc#768632).
   * ntp: fix leap second hrtimer deadlock (bnc#768632).
   * ntp: avoid printk under xtime_lock (bnc#767684).

The following non-security issues have been fixed:

   * tcp: drop SYN+FIN messages to avoid memory leaks (bnc#765102)
   * be2net: Fix EEH error reset before a flash dump completes (bnc#755546).
   * REVERT svcrpc: destroy server sockets all at once (bnc#769210).
   * sched: Make sure to not re-read variables after validation (bnc#769685).
   * audit: Do not send uninitialized data for AUDIT_TTY_GET (bnc#755513).
   * dlm: do not depend on sctp (bnc#729247, bnc#763656).
   * RPC: killing RPC tasks races fixed (bnc#765548).
   * vlan/core: Fix memory leak/corruption on VLAN GRO_DROP (bnc#758058).
   * CPU hotplug, cpusets, suspend/resume: Do not modify cpusets during suspend/resume (bnc#752858).
   * ioat2: kill pending flag (bnc#765022).
   * Fix massive driver induced spin_lock_bh() contention.
   * ipmi: Fix IPMI errors due to timing problems (bnc#761988).
   * xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53 (bnc#760974).
   * xen: gntdev: fix multi-page slot allocation (bnc#760974).
   * rpm/kernel-binary.spec.in: Own the right -kdump initrd (bnc#764500)
   * kernel: pfault task state race (bnc#764098, LTC#81724).
   * xfrm: take net hdr len into account for esp payload size calculation (bnc#759545).
   * bonding: do not dereference null pointer to device of VLAN 0 (bnc#763830).
   * cifs: fix oops while traversing open file list (try #4) (bnc#756050).
   * nfsd: fix BUG at fs/nfsd/nfsfh.h:199 on unlink (bnc#769777).
   * nfs: Ensure we never try to mount an NFS auto-mount dir (bnc#748601).
   * patches.suse/cgroup-disable-memcg-when-low-lowmem.patch: fix typo: use if defined(CONFIG_) rather than if CONFIG_
   * patches.suse/pagecache-limit-fix-shmem-deadlock.patch: Fixed the GFP_NOWAIT is zero and not suitable for tests bug (bnc#755537)
   * sys_poll: fix incorrect type for timeout parameter (bnc#754428).
   * scsi_transport_fc: fix blocked bsg request when fc object deleted (bnc#761414, bnc#734300).
   * ehea: fix allmulticast support (bnc#758013).
   * scsi: Silence unnecessary warnings about ioctl to partition (bnc#758104).
   * sched/x86: Fix overflow in cyc2ns_offset (bnc#630970, bnc#661605).
   * sched/rt: Do not throttle when PI boosting (bnc#754085).
   * sched/rt: Keep period timer ticking when rt throttling is active (bnc#754085).
   * sched,rt: fix isolated CPUs leaving root_task_group indefinitely throttled (bnc#754085).

Security Issue references:

   * CVE-2012-2123
   * CVE-2012-2136
   * CVE-2012-2383
   * CVE-2012-2384
   * CVE-2012-2390
   * CVE-2012-2663
   * CVE-2012-3400
   * CVE-2012-3375
   * CVE-2012-2319

Indications:

   Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-kernel-6547 slessp1-kernel-6548

   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-kernel-6547 slessp1-kernel-6548 slessp1-kernel-6549 slessp1-kernel-6550 slessp1-kernel-6556

   - SUSE Linux Enterprise High Availability Extension 11 SP1:
      zypper in -t patch sleshasp1-kernel-6547 sleshasp1-kernel-6548 sleshasp1-kernel-6549 sleshasp1-kernel-6550 sleshasp1-kernel-6556

   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-kernel-6547 sledsp1-kernel-6548

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 2.6.32.59]:
      btrfs-kmp-default-0_2.6.32.59_0.7-0.3.107
      ext4dev-kmp-default-0_2.6.32.59_0.7-7.9.74
      ext4dev-kmp-trace-0_2.6.32.59_0.7-7.9.74
      hyper-v-kmp-default-0_2.6.32.59_0.7-0.18.20
      hyper-v-kmp-trace-0_2.6.32.59_0.7-0.18.20
      kernel-default-2.6.32.59-0.7.1
      kernel-default-base-2.6.32.59-0.7.1
      kernel-default-devel-2.6.32.59-0.7.1
      kernel-source-2.6.32.59-0.7.1
      kernel-syms-2.6.32.59-0.7.1
      kernel-trace-2.6.32.59-0.7.1
      kernel-trace-base-2.6.32.59-0.7.1
      kernel-trace-devel-2.6.32.59-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586) [New Version: 2.6.32.59]:
      btrfs-kmp-pae-0_2.6.32.59_0.7-0.3.107
      ext4dev-kmp-pae-0_2.6.32.59_0.7-7.9.74
      hyper-v-kmp-pae-0_2.6.32.59_0.7-0.18.20
      kernel-pae-2.6.32.59-0.7.1
      kernel-pae-base-2.6.32.59-0.7.1
      kernel-pae-devel-2.6.32.59-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.32.59]:
      btrfs-kmp-default-0_2.6.32.59_0.7-0.3.107
      ext4dev-kmp-default-0_2.6.32.59_0.7-7.9.74
      ext4dev-kmp-trace-0_2.6.32.59_0.7-7.9.74
      kernel-default-2.6.32.59-0.7.1
      kernel-default-base-2.6.32.59-0.7.1
      kernel-default-devel-2.6.32.59-0.7.1
      kernel-source-2.6.32.59-0.7.1
      kernel-syms-2.6.32.59-0.7.1
      kernel-trace-2.6.32.59-0.7.1
      kernel-trace-base-2.6.32.59-0.7.1
      kernel-trace-devel-2.6.32.59-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 x86_64) [New Version: 2.6.32.59]:
      btrfs-kmp-xen-0_2.6.32.59_0.7-0.3.107
      ext4dev-kmp-xen-0_2.6.32.59_0.7-7.9.74
      hyper-v-kmp-default-0_2.6.32.59_0.7-0.18.20
      hyper-v-kmp-trace-0_2.6.32.59_0.7-0.18.20
      kernel-ec2-2.6.32.59-0.7.1
      kernel-ec2-base-2.6.32.59-0.7.1
      kernel-ec2-devel-2.6.32.59-0.7.1
      kernel-xen-2.6.32.59-0.7.1
      kernel-xen-base-2.6.32.59-0.7.1
      kernel-xen-devel-2.6.32.59-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 (s390x) [New Version: 2.6.32.59]:
      kernel-default-man-2.6.32.59-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64) [New Version: 2.6.32.59]:
      ext4dev-kmp-ppc64-0_2.6.32.59_0.7-7.9.74
      kernel-ppc64-2.6.32.59-0.7.1
      kernel-ppc64-base-2.6.32.59-0.7.1
      kernel-ppc64-devel-2.6.32.59-0.7.1

   - SUSE Linux Enterprise Server 11 SP1 (i586) [New Version: 2.6.32.59]:
      btrfs-kmp-pae-0_2.6.32.59_0.7-0.3.107
      ext4dev-kmp-pae-0_2.6.32.59_0.7-7.9.74
      hyper-v-kmp-pae-0_2.6.32.59_0.7-0.18.20
      kernel-pae-2.6.32.59-0.7.1
      kernel-pae-base-2.6.32.59-0.7.1
      kernel-pae-devel-2.6.32.59-0.7.1

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      cluster-network-kmp-default-1.4_2.6.32.59_0.7-2.5.60
      cluster-network-kmp-trace-1.4_2.6.32.59_0.7-2.5.60
      gfs2-kmp-default-2_2.6.32.59_0.7-0.2.106
      gfs2-kmp-trace-2_2.6.32.59_0.7-0.2.106
      ocfs2-kmp-default-1.6_2.6.32.59_0.7-0.4.2.60
      ocfs2-kmp-trace-1.6_2.6.32.59_0.7-0.4.2.60

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (i586 x86_64):
      cluster-network-kmp-xen-1.4_2.6.32.59_0.7-2.5.60
      gfs2-kmp-xen-2_2.6.32.59_0.7-0.2.106
      ocfs2-kmp-xen-1.6_2.6.32.59_0.7-0.4.2.60

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (ppc64):
      cluster-network-kmp-ppc64-1.4_2.6.32.59_0.7-2.5.60
      gfs2-kmp-ppc64-2_2.6.32.59_0.7-0.2.106
      ocfs2-kmp-ppc64-1.6_2.6.32.59_0.7-0.4.2.60

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (i586):
      cluster-network-kmp-pae-1.4_2.6.32.59_0.7-2.5.60
      gfs2-kmp-pae-2_2.6.32.59_0.7-0.2.106
      ocfs2-kmp-pae-1.6_2.6.32.59_0.7-0.4.2.60

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 2.6.32.59]:
      btrfs-kmp-default-0_2.6.32.59_0.7-0.3.107
      btrfs-kmp-xen-0_2.6.32.59_0.7-0.3.107
      hyper-v-kmp-default-0_2.6.32.59_0.7-0.18.20
      kernel-default-2.6.32.59-0.7.1
      kernel-default-base-2.6.32.59-0.7.1
      kernel-default-devel-2.6.32.59-0.7.1
      kernel-default-extra-2.6.32.59-0.7.1
      kernel-desktop-devel-2.6.32.59-0.7.1
      kernel-source-2.6.32.59-0.7.1
      kernel-syms-2.6.32.59-0.7.1
      kernel-trace-devel-2.6.32.59-0.7.1
      kernel-xen-2.6.32.59-0.7.1
      kernel-xen-base-2.6.32.59-0.7.1
      kernel-xen-devel-2.6.32.59-0.7.1
      kernel-xen-extra-2.6.32.59-0.7.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586) [New Version: 2.6.32.59]:
      btrfs-kmp-pae-0_2.6.32.59_0.7-0.3.107
      hyper-v-kmp-pae-0_2.6.32.59_0.7-0.18.20
      kernel-pae-2.6.32.59-0.7.1
      kernel-pae-base-2.6.32.59-0.7.1
      kernel-pae-devel-2.6.32.59-0.7.1
      kernel-pae-extra-2.6.32.59-0.7.1

   - SLE 11 SERVER Unsupported Extras (i586 ia64 ppc64 s390x x86_64):
      kernel-default-extra-2.6.32.59-0.7.1

   - SLE 11 SERVER Unsupported Extras (i586 x86_64):
      kernel-xen-extra-2.6.32.59-0.7.1

   - SLE 11 SERVER Unsupported Extras (ppc64):
      kernel-ppc64-extra-2.6.32.59-0.7.1

   - SLE 11 SERVER Unsupported Extras (i586):
      kernel-pae-extra-2.6.32.59-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2012-2123.html
   http://support.novell.com/security/cve/CVE-2012-2136.html
   http://support.novell.com/security/cve/CVE-2012-2319.html
   http://support.novell.com/security/cve/CVE-2012-2383.html
   http://support.novell.com/security/cve/CVE-2012-2384.html
   http://support.novell.com/security/cve/CVE-2012-2390.html
   http://support.novell.com/security/cve/CVE-2012-2663.html
   http://support.novell.com/security/cve/CVE-2012-3375.html
   http://support.novell.com/security/cve/CVE-2012-3400.html
   https://bugzilla.novell.com/630970
   https://bugzilla.novell.com/661605
   https://bugzilla.novell.com/720374
   https://bugzilla.novell.com/729247
   https://bugzilla.novell.com/734300
   https://bugzilla.novell.com/752858
   https://bugzilla.novell.com/754085
   https://bugzilla.novell.com/754428
   https://bugzilla.novell.com/755513
   https://bugzilla.novell.com/755537
   https://bugzilla.novell.com/755546
   https://bugzilla.novell.com/756050
   https://bugzilla.novell.com/758013
   https://bugzilla.novell.com/758058
   https://bugzilla.novell.com/758104
   https://bugzilla.novell.com/758260
   https://bugzilla.novell.com/759545
   https://bugzilla.novell.com/760902
   https://bugzilla.novell.com/760974
   https://bugzilla.novell.com/761414
   https://bugzilla.novell.com/761988
   https://bugzilla.novell.com/763194
   https://bugzilla.novell.com/763656
   https://bugzilla.novell.com/763830
   https://bugzilla.novell.com/764098
   https://bugzilla.novell.com/764150
   https://bugzilla.novell.com/764500
   https://bugzilla.novell.com/765022
   https://bugzilla.novell.com/765102
   https://bugzilla.novell.com/765320
   https://bugzilla.novell.com/765548
   https://bugzilla.novell.com/767684
   https://bugzilla.novell.com/768632
   https://bugzilla.novell.com/769210
   https://bugzilla.novell.com/769685
   https://bugzilla.novell.com/769777
   https://bugzilla.novell.com/769784
   https://bugzilla.novell.com/769896
   http://download.novell.com/patch/finder/?keywords=06fda69d421dc021aa1af6db3dbbfe00
   http://download.novell.com/patch/finder/?keywords=175c75ce63a62eca1f569471fb682a0d
   http://download.novell.com/patch/finder/?keywords=229c8046cc2d922862a076dcade035ee
   http://download.novell.com/patch/finder/?keywords=2bf30579d340919def37b6c31f52d5cc
   http://download.novell.com/patch/finder/?keywords=30e20c3438f64370257cb21aa8034b43
   http://download.novell.com/patch/finder/?keywords=5399a2fd4163cc21db7ac98a1c252c2d
   http://download.novell.com/patch/finder/?keywords=7d95313094a63156fae454daf49c9590
   http://download.novell.com/patch/finder/?keywords=95c9d9077bf68ea687769a36cfba8c10
   http://download.novell.com/patch/finder/?keywords=aa8ba1a426ec842bf42ddf697706fb0a
   http://download.novell.com/patch/finder/?keywords=da9cb313bde70908a00e430c3f84de25


From sle-security-updates at lists.suse.com Sun Jul 29 17:08:27 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 30 Jul 2012 01:08:27 +0200 (CEST)
Subject: SUSE-SU-2012:0919-1: moderate: Security update for libtiff
Message-ID: <20120729230827.097E032888@maintenance.suse.de>

SUSE Security Update: Security update for libtiff
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0919-1
Rating: moderate
References: #770816
Cross-References: CVE-2012-3401
Affected Products:
   SUSE Linux Enterprise Software Development Kit 11 SP2
   SUSE Linux Enterprise Software Development Kit 11 SP1
   SUSE Linux Enterprise Server 11 SP2
   SUSE Linux Enterprise Server 11 SP1 for VMware
   SUSE Linux Enterprise Server 11 SP1
   SUSE Linux Enterprise Server 10 SP4
   SUSE Linux Enterprise Desktop 11 SP2
   SUSE Linux Enterprise Desktop 11 SP1
   SUSE Linux Enterprise Desktop 10 SP4
   SLE SDK 10 SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update of tiff fixes a heap-based buffer overflow that could have caused a crash or potentially allowed attackers to execute arbitrary code (CVE-2012-3401).

Security Issue reference:

   * CVE-2012-3401

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp1-libtiff-devel-6579
   - SUSE Linux Enterprise Software Development Kit 11 SP1:
      zypper in -t patch sdksp1-libtiff-devel-6579
   - SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp1-libtiff-devel-6579
   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-libtiff-devel-6579
   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-libtiff-devel-6579
   - SUSE Linux Enterprise Desktop 11 SP2:
      zypper in -t patch sledsp1-libtiff-devel-6579
   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-libtiff-devel-6579

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      libtiff-devel-3.8.2-141.148.1
   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64):
      libtiff-devel-32bit-3.8.2-141.148.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      libtiff-devel-3.8.2-141.148.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64 s390x x86_64):
      libtiff-devel-32bit-3.8.2-141.148.1
   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      libtiff3-3.8.2-141.148.1
      tiff-3.8.2-141.148.1
   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):
      libtiff3-32bit-3.8.2-141.148.1
   - SUSE Linux Enterprise Server 11 SP2 (ia64):
      libtiff3-x86-3.8.2-141.148.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
      libtiff3-3.8.2-141.148.1
      tiff-3.8.2-141.148.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64):
      libtiff3-32bit-3.8.2-141.148.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      libtiff3-3.8.2-141.148.1
      tiff-3.8.2-141.148.1
   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64):
      libtiff3-32bit-3.8.2-141.148.1
   - SUSE Linux Enterprise Server 11 SP1 (ia64):
      libtiff3-x86-3.8.2-141.148.1
   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
      libtiff-3.8.2-5.30.5
      libtiff-devel-3.8.2-5.30.5
      tiff-3.8.2-5.30.5
   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):
      libtiff-32bit-3.8.2-5.30.5
      libtiff-devel-32bit-3.8.2-5.30.5
   - SUSE Linux Enterprise Server 10 SP4 (ia64):
      libtiff-x86-3.8.2-5.30.5
   - SUSE Linux Enterprise Server 10 SP4 (ppc):
      libtiff-64bit-3.8.2-5.30.5
      libtiff-devel-64bit-3.8.2-5.30.5
   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
      libtiff3-3.8.2-141.148.1
   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):
      libtiff3-32bit-3.8.2-141.148.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
      libtiff3-3.8.2-141.148.1
   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64):
      libtiff3-32bit-3.8.2-141.148.1
   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
      libtiff-3.8.2-5.30.5
      libtiff-devel-3.8.2-5.30.5
      tiff-3.8.2-5.30.5
   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
      libtiff-32bit-3.8.2-5.30.5
   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):
      libtiff-devel-3.8.2-5.30.5
   - SLE SDK 10 SP4 (s390x x86_64):
      libtiff-devel-32bit-3.8.2-5.30.5
   - SLE SDK 10 SP4 (ppc):
      libtiff-devel-64bit-3.8.2-5.30.5

References:

   http://support.novell.com/security/cve/CVE-2012-3401.html
   https://bugzilla.novell.com/770816
   http://download.novell.com/patch/finder/?keywords=a78f353752b21e600db9a8b58dd10c52
   http://download.novell.com/patch/finder/?keywords=f8b83ed2a49634464cd29a53ef0fb20a

From sle-security-updates at lists.suse.com Tue Jul 31 07:08:35 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 31 Jul 2012 15:08:35 +0200 (CEST)
Subject: SUSE-SU-2012:0927-1: important: Security update for xrdp
Message-ID: <20120731130835.C764C32187@maintenance.suse.de>

SUSE Security Update: Security update for xrdp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0927-1
Rating:             important
References:         #764044
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   The default crypto level of the xrdp service was changed from "low" to
   "high". At "low", RDP traffic was protected by 40-bit encryption in one
   direction only (client to server); "high" encrypts traffic in both
   directions with 128-bit keys.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 for VMware:
      zypper in -t patch slessp2-xrdp-6511
   - SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp2-xrdp-6511
   - SUSE Linux Enterprise Desktop 11 SP2:
      zypper in -t patch sledsp2-xrdp-6511

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):
      xrdp-0.4.1-28.19.1
   - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64):
      xrdp-0.4.1-28.19.1
   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
      xrdp-0.4.1-28.19.1

References:

   https://bugzilla.novell.com/764044
   http://download.novell.com/patch/finder/?keywords=2ce52b092c823f641524602d7a1647b9

From sle-security-updates at lists.suse.com Tue Jul 31 10:08:22 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 31 Jul 2012 18:08:22 +0200 (CEST)
Subject: SUSE-SU-2012:0928-1: moderate: Security update for Mono
Message-ID: <20120731160822.729CA32126@maintenance.suse.de>

SUSE Security Update: Security update for Mono
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0928-1
Rating:             moderate
References:         #769799
Cross-References:   CVE-2012-3382
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   Mono was updated to fix a cross-site scripting vulnerability in the
   "forbidden extensions" filtering of the System.Web class (CVE-2012-3382).

Security Issue reference:

   * CVE-2012-3382

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp2-bytefx-data-mysql-6543
   - SUSE Linux Enterprise Server 11 SP2 for VMware:
      zypper in -t patch slessp2-bytefx-data-mysql-6543
   - SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp2-bytefx-data-mysql-6543
   - SUSE Linux Enterprise Desktop 11 SP2:
      zypper in -t patch sledsp2-bytefx-data-mysql-6543

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      bytefx-data-mysql-2.6.7-0.9.1
      mono-data-firebird-2.6.7-0.9.1
      mono-data-oracle-2.6.7-0.9.1
      mono-data-sybase-2.6.7-0.9.1
      mono-devel-2.6.7-0.9.1
      mono-extras-2.6.7-0.9.1
      mono-jscript-2.6.7-0.9.1
      mono-wcf-2.6.7-0.9.1
      mono-winfxcore-2.6.7-0.9.1
      monodoc-core-2.6.7-0.9.1
   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64):
      mono-core-2.6.7-0.9.1
      mono-data-2.6.7-0.9.1
      mono-data-postgresql-2.6.7-0.9.1
      mono-data-sqlite-2.6.7-0.9.1
      mono-locale-extras-2.6.7-0.9.1
      mono-nunit-2.6.7-0.9.1
      mono-web-2.6.7-0.9.1
      mono-winforms-2.6.7-0.9.1
   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):
      mono-core-2.6.7-0.9.1
      mono-data-2.6.7-0.9.1
      mono-data-postgresql-2.6.7-0.9.1
      mono-data-sqlite-2.6.7-0.9.1
      mono-locale-extras-2.6.7-0.9.1
      mono-nunit-2.6.7-0.9.1
      mono-web-2.6.7-0.9.1
      mono-winforms-2.6.7-0.9.1
   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      mono-core-2.6.7-0.9.1
      mono-data-2.6.7-0.9.1
      mono-data-postgresql-2.6.7-0.9.1
      mono-data-sqlite-2.6.7-0.9.1
      mono-locale-extras-2.6.7-0.9.1
      mono-nunit-2.6.7-0.9.1
      mono-web-2.6.7-0.9.1
      mono-winforms-2.6.7-0.9.1
   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
      bytefx-data-mysql-2.6.7-0.9.1
      ibm-data-db2-2.6.7-0.9.1
      mono-core-2.6.7-0.9.1
      mono-data-2.6.7-0.9.1
      mono-data-firebird-2.6.7-0.9.1
      mono-data-oracle-2.6.7-0.9.1
      mono-data-postgresql-2.6.7-0.9.1
      mono-data-sqlite-2.6.7-0.9.1
      mono-data-sybase-2.6.7-0.9.1
      mono-devel-2.6.7-0.9.1
      mono-extras-2.6.7-0.9.1
      mono-jscript-2.6.7-0.9.1
      mono-locale-extras-2.6.7-0.9.1
      mono-nunit-2.6.7-0.9.1
      mono-wcf-2.6.7-0.9.1
      mono-web-2.6.7-0.9.1
      mono-winforms-2.6.7-0.9.1
      monodoc-core-2.6.7-0.9.1

References:

   http://support.novell.com/security/cve/CVE-2012-3382.html
   https://bugzilla.novell.com/769799
   http://download.novell.com/patch/finder/?keywords=f371b5cb1313da6d56bf10e7e215fd1b
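The following script is an added example for the patch instructions and package lists of the libtiff, xrdp and Mono advisories above; it is not part of the SUSE advisories nor of the libtiff, xrdp or Mono projects. It does the two checks a practitioner wants after applying these updates: compare the installed VERSION-RELEASE of each listed package against the fixed version from the package lists, and confirm that xrdp's configured crypto level is the new default "high" (a locally edited configuration may still carry the old value after the package update). Assumptions: GNU "sort -V" is available; the xrdp setting lives under the key crypt_level in xrdp.ini (the advisory only calls it the "crypto level", so the key name is an assumption); the rpm query output and the ini fragment below are constructed sample inputs, not captured from a host. Note that a libtiff update only protects processes started after the update, since running programs keep the old shared library mapped.

```sh
#!/bin/sh
# Added example, not part of the SUSE advisories or of the libtiff, xrdp or Mono
# projects. Checks a host against the three advisories above:
#   1. are the listed packages installed at or above the fixed versions, and
#   2. does xrdp's configuration carry the new default crypto level ("high")?
# Assumptions: GNU "sort -V" is available; xrdp stores the crypto level under the
# key "crypt_level" in xrdp.ini (an assumption; the advisory only says "crypto
# level"); the sample inputs below are constructed, not captured from a host.

# Fixed versions, copied from the SLES 11 SP2 package lists of the three advisories.
FIXED_LIST='libtiff3 3.8.2-141.148.1
tiff 3.8.2-141.148.1
xrdp 0.4.1-28.19.1
mono-core 2.6.7-0.9.1
mono-web 2.6.7-0.9.1'

# Constructed stand-in for: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# libtiff3 is one release behind the fix and mono-web is not installed at all.
SAMPLE_RPM_QA='libtiff3 3.8.2-141.147.1
tiff 3.8.2-141.148.1
xrdp 0.4.1-28.19.1
mono-core 2.6.7-0.9.1'

# Constructed stand-in for /etc/xrdp/xrdp.ini, still at the old default.
SAMPLE_XRDP_INI='[globals]
bitmap_cache=yes
crypt_level=low
port=3389'

# version_ge INSTALLED FIXED: succeeds when INSTALLED is at or above FIXED.
# "sort -V" compares digit runs numerically and orders these VERSION-RELEASE
# strings the way rpm does; the lower string sorts first, so INSTALLED is current
# exactly when FIXED is not strictly newer. rpm's own rpmvercmp is the reference.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_packages RPM_QA_TEXT: one line per fixed package, prefixed OK, OUTDATED or
# MISSING. Reading FIXED_LIST through a here-document keeps the loop in the
# current shell (a pipe would run it in a subshell).
check_packages() {
    rpm_qa="$1"
    while read -r name fixed; do
        cur=$(printf '%s\n' "$rpm_qa" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$cur" ]; then
            echo "MISSING  $name (not installed, nothing to patch)"
        elif version_ge "$cur" "$fixed"; then
            echo "OK       $name $cur"
        else
            echo "OUTDATED $name $cur < $fixed"
        fi
    done <<EOF
$FIXED_LIST
EOF
}

# xrdp_crypt_level INI_TEXT: prints the configured crypt_level, or "unset".
xrdp_crypt_level() {
    lvl=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*crypt_level[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        | head -n 1)
    printf '%s\n' "${lvl:-unset}"
}

# xrdp_harden INI_TEXT: prints the ini text with crypt_level forced to "high",
# the value the advisory makes the default (40-bit one-way -> 128-bit two-way).
xrdp_harden() {
    printf '%s\n' "$1" \
        | sed 's/^\([[:space:]]*crypt_level[[:space:]]*=[[:space:]]*\).*/\1high/'
}

# Demonstration on the constructed inputs. On a real host feed it
#   "$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n')" and "$(cat /etc/xrdp/xrdp.ini)".
check_packages "$SAMPLE_RPM_QA"
echo "xrdp crypt_level before: $(xrdp_crypt_level "$SAMPLE_XRDP_INI")"
echo "xrdp crypt_level after:  $(xrdp_crypt_level "$(xrdp_harden "$SAMPLE_XRDP_INI")")"
```

On the constructed input the report flags libtiff3 as OUTDATED and mono-web as MISSING (a package that is not installed needs no patch), and the xrdp fragment moves from crypt_level=low to crypt_level=high. Write the hardened ini back with xrdp_harden "$(cat /etc/xrdp/xrdp.ini)" > /etc/xrdp/xrdp.ini.new, diff it, then restart xrdp; the new level only applies to sessions established after the restart.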