From sle-security-updates at lists.suse.com  Tue Mar  6 13:08:27 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Mar 2012 21:08:27 +0100 (CET)
Subject: SUSE-SU-2012:0114-2: important: Security update for IBM Java 1.6.0
Message-ID: <20120306200827.9C20E3217A@maintenance.suse.de>

SUSE Security Update: Security update for IBM Java 1.6.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0114-2
Rating:             important
References:         #739248
Cross-References:   CVE-2011-3389 CVE-2011-3516 CVE-2011-3521 CVE-2011-3544
                    CVE-2011-3545 CVE-2011-3546 CVE-2011-3547 CVE-2011-3548
                    CVE-2011-3549 CVE-2011-3550 CVE-2011-3551 CVE-2011-3552
                    CVE-2011-3553 CVE-2011-3554 CVE-2011-3556 CVE-2011-3557
                    CVE-2011-3560 CVE-2011-3561
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1 FOR SP2
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Java 11 SP1
______________________________________________________________________________

   An update that fixes 18 vulnerabilities is now available.

Description:

   IBM Java 1.6.0 SR10 has been released, fixing the following
   CVEs/security issues:

   * CVE-2011-3389
   * CVE-2011-3516
   * CVE-2011-3521
   * CVE-2011-3544
   * CVE-2011-3545
   * CVE-2011-3546
   * CVE-2011-3547
   * CVE-2011-3548
   * CVE-2011-3549
   * CVE-2011-3550
   * CVE-2011-3551
   * CVE-2011-3552
   * CVE-2011-3553
   * CVE-2011-3554
   * CVE-2011-3556
   * CVE-2011-3557
   * CVE-2011-3560
   * CVE-2011-3561

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2:
      zypper in -t patch sdksp1fsp2-java-1_6_0-ibm-5872
   - SUSE Linux Enterprise Software Development Kit 11 SP1:
      zypper in -t patch sdksp1-java-1_6_0-ibm-5872
   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-java-1_6_0-ibm-5872
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2:
      zypper in -t patch slessp1fsp2-java-1_6_0-ibm-5872
   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-java-1_6_0-ibm-5872
   - SUSE Linux Enterprise Java 11 SP1:
      zypper in -t patch slejsp1-java-1_6_0-ibm-5872

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (i586 ppc64 s390x x86_64):
      java-1_6_0-ibm-devel-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (i586 x86_64):
      java-1_6_0-ibm-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ppc64 s390x x86_64):
      java-1_6_0-ibm-devel-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64):
      java-1_6_0-ibm-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
      java-1_6_0-ibm-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-jdbc-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-plugin-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586):
      java-1_6_0-ibm-alsa-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 ppc64 s390x x86_64):
      java-1_6_0-ibm-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-jdbc-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 x86_64):
      java-1_6_0-ibm-plugin-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586):
      java-1_6_0-ibm-alsa-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 ppc64 s390x x86_64):
      java-1_6_0-ibm-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-jdbc-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 x86_64):
      java-1_6_0-ibm-plugin-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Server 11 SP1 (i586):
      java-1_6_0-ibm-alsa-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Java 11 SP1 (i586 ppc64 s390x x86_64):
      java-1_6_0-ibm-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-devel-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr10.0-0.3.1
      java-1_6_0-ibm-jdbc-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Java 11 SP1 (i586 x86_64):
      java-1_6_0-ibm-plugin-1.6.0_sr10.0-0.3.1
   - SUSE Linux Enterprise Java 11 SP1 (i586):
      java-1_6_0-ibm-alsa-1.6.0_sr10.0-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2011-3389.html
   http://support.novell.com/security/cve/CVE-2011-3516.html
   http://support.novell.com/security/cve/CVE-2011-3521.html
   http://support.novell.com/security/cve/CVE-2011-3544.html
   http://support.novell.com/security/cve/CVE-2011-3545.html
   http://support.novell.com/security/cve/CVE-2011-3546.html
   http://support.novell.com/security/cve/CVE-2011-3547.html
   http://support.novell.com/security/cve/CVE-2011-3548.html
   http://support.novell.com/security/cve/CVE-2011-3549.html
   http://support.novell.com/security/cve/CVE-2011-3550.html
   http://support.novell.com/security/cve/CVE-2011-3551.html
   http://support.novell.com/security/cve/CVE-2011-3552.html
   http://support.novell.com/security/cve/CVE-2011-3553.html
   http://support.novell.com/security/cve/CVE-2011-3554.html
   http://support.novell.com/security/cve/CVE-2011-3556.html
   http://support.novell.com/security/cve/CVE-2011-3557.html
   http://support.novell.com/security/cve/CVE-2011-3560.html
   http://support.novell.com/security/cve/CVE-2011-3561.html
   https://bugzilla.novell.com/739248
   http://download.novell.com/patch/finder/?keywords=150456135775777ea73371c1398a948f

From sle-security-updates at lists.suse.com  Tue Mar  6 13:08:42 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Mar 2012 21:08:42 +0100 (CET)
Subject: SUSE-SU-2012:0323-1: important: Security update for Apache2
Message-ID: <20120306200842.59C613217A@maintenance.suse.de>

SUSE Security Update: Security update for Apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0323-1
Rating:             important
References:         #736706 #738855 #741243 #743743
Cross-References:   CVE-2007-6750 CVE-2012-0031 CVE-2012-0053
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now
   available.

Description:

   This update of apache fixes regressions and several security problems:

   * bnc#741243, CVE-2012-0031: Fixed a scoreboard corruption (shared memory
     segment) by a child process that causes a crash of the privileged
     parent (invalid free()) during shutdown.
   * bnc#743743, CVE-2012-0053: Fixed an issue in error responses that could
     expose "httpOnly" cookies when no custom ErrorDocument is specified for
     status code 400.
   * bnc#736706: The SSL configuration template suggested weak ciphers.
   * bnc#738855, CVE-2007-6750: The "mod_reqtimeout" module was backported
     from Apache 2.2.21 to help mitigate the "Slowloris" Denial of Service
     attack. You need to enable the "mod_reqtimeout" module in your existing
     apache configuration to make it effective, e.g. in the APACHE_MODULES
     line in /etc/sysconfig/apache2.
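Installing the package alone does not load mod_reqtimeout; it has to be listed in APACHE_MODULES and given a RequestReadTimeout policy before the Slowloris mitigation does anything. The script below is an added example, not part of the SUSE advisory: it performs both steps against constructed stand-ins for /etc/sysconfig/apache2 and a new conf.d file, so it runs offline. The function names, the sample APACHE_MODULES line and the timeout values are assumptions, not SUSE defaults; point SYSCONFIG and CONF at the real paths to apply it on a server.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): enable the backported
# mod_reqtimeout on a SUSE-style apache2 installation.  Runs against
# constructed stand-in files so it can be executed offline.
set -eu

WORK=$(mktemp -d)
SYSCONFIG="$WORK/sysconfig-apache2"   # stand-in for /etc/sysconfig/apache2
CONF="$WORK/reqtimeout.conf"          # stand-in for /etc/apache2/conf.d/reqtimeout.conf

# Constructed sample of the APACHE_MODULES line (module set is illustrative).
cat > "$SYSCONFIG" <<'EOF'
## Type:        string
## Default:     "actions alias auth_basic authz_host dir mime"
APACHE_MODULES="actions alias auth_basic authz_host dir mime"
EOF

# reqtimeout_enabled FILE: succeed if "reqtimeout" is a word in APACHE_MODULES.
reqtimeout_enabled() {
    grep '^APACHE_MODULES=.*[" ]reqtimeout[" ]' "$1" >/dev/null 2>&1
}

# enable_reqtimeout FILE: append "reqtimeout" to APACHE_MODULES, once only.
enable_reqtimeout() {
    reqtimeout_enabled "$1" && return 0
    sed 's/^\(APACHE_MODULES="[^"]*\)"/\1 reqtimeout"/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# write_reqtimeout_conf FILE: a RequestReadTimeout policy for the module.
# Values are illustrative: request headers must be complete within 20 s
# (stretched to at most 40 s while data keeps arriving at 500 bytes/s);
# the body may stall for 20 s, extended as long as 500 bytes/s arrive.
write_reqtimeout_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
EOF
}

enable_reqtimeout "$SYSCONFIG"
write_reqtimeout_conf "$CONF"
grep '^APACHE_MODULES=' "$SYSCONFIG"
cat "$CONF"
```

On a real SLES 10 host the changed APACHE_MODULES line takes effect only after apache2 is restarted (rcapache2 restart); the enable step is idempotent, so re-running it after a configuration-management pass does not duplicate the entry.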
Security Issue references:

   * CVE-2012-0031
   * CVE-2012-0053
   * CVE-2007-6750

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
      apache2-2.2.3-16.44.1
      apache2-devel-2.2.3-16.44.1
      apache2-doc-2.2.3-16.44.1
      apache2-example-pages-2.2.3-16.44.1
      apache2-prefork-2.2.3-16.44.1
      apache2-worker-2.2.3-16.44.1
   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):
      apache2-2.2.3-16.44.1
      apache2-devel-2.2.3-16.44.1
      apache2-doc-2.2.3-16.44.1
      apache2-example-pages-2.2.3-16.44.1
      apache2-prefork-2.2.3-16.44.1
      apache2-worker-2.2.3-16.44.1

References:

   http://support.novell.com/security/cve/CVE-2007-6750.html
   http://support.novell.com/security/cve/CVE-2012-0031.html
   http://support.novell.com/security/cve/CVE-2012-0053.html
   https://bugzilla.novell.com/736706
   https://bugzilla.novell.com/738855
   https://bugzilla.novell.com/741243
   https://bugzilla.novell.com/743743
   http://download.novell.com/patch/finder/?keywords=1e0c99b5795cd7497ef910246faba28d

From sle-security-updates at lists.suse.com  Tue Mar  6 14:08:33 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Mar 2012 22:08:33 +0100 (CET)
Subject: SUSE-SU-2012:0325-1: important: Security update for puppet
Message-ID: <20120306210833.1AFBD3217D@maintenance.suse.de>

SUSE Security Update: Security update for puppet
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0325-1
Rating:             important
References:         #747657
Cross-References:   CVE-2012-1053 CVE-2012-1054
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1 FOR SP2
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available. It includes
   one version update.

Description:

   This update of puppet fixes two vulnerabilities that could potentially be
   exploited by local attackers to escalate privileges due to improper
   privilege dropping and file handling issues (symlink flaws) in puppet
   (CVE-2012-1053, CVE-2012-1054).

Security Issue references:

   * CVE-2012-1053
   * CVE-2012-1054

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-puppet-5876
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2:
      zypper in -t patch slessp1fsp2-puppet-5876
   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-puppet-5876
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:
      zypper in -t patch sledsp1fsp2-puppet-5876
   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-puppet-5876

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 2.6.12]:
      puppet-2.6.12-0.12.1
      puppet-server-2.6.12-0.12.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.12]:
      puppet-2.6.12-0.12.1
      puppet-server-2.6.12-0.12.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.12]:
      puppet-2.6.12-0.12.1
      puppet-server-2.6.12-0.12.1
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64) [New Version: 2.6.12]:
      puppet-2.6.12-0.12.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 2.6.12]:
      puppet-2.6.12-0.12.1

References:

   http://support.novell.com/security/cve/CVE-2012-1053.html
   http://support.novell.com/security/cve/CVE-2012-1054.html
   https://bugzilla.novell.com/747657
   http://download.novell.com/patch/finder/?keywords=810c76edc7112af5e466c9d5b28e5aa1

From sle-security-updates at lists.suse.com  Tue Mar  6 15:08:23 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 6 Mar 2012 23:08:23 +0100 (CET)
Subject: SUSE-SU-2012:0326-1: important: Security update for libvorbis
Message-ID: <20120306220823.AF7333217D@maintenance.suse.de>

SUSE Security Update: Security update for libvorbis
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0326-1
Rating:             important
References:         #747912
Cross-References:   CVE-2012-0444
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1 FOR SP2
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   Specially crafted Ogg files could cause a heap-based buffer overflow in
   the vorbis audio compression library that could potentially be exploited
   by attackers to cause a crash or execute arbitrary code (CVE-2012-0444).

Security Issue reference:

   * CVE-2012-0444

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2:
      zypper in -t patch sdksp1fsp2-libvorbis-5851
   - SUSE Linux Enterprise Software Development Kit 11 SP1:
      zypper in -t patch sdksp1-libvorbis-5851
   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-libvorbis-5851
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2:
      zypper in -t patch slessp1fsp2-libvorbis-5851
   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-libvorbis-5851
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:
      zypper in -t patch sledsp1fsp2-libvorbis-5851
   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-libvorbis-5851

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64):
      libvorbis-devel-1.2.0-79.20.1
   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      libvorbis-devel-1.2.0-79.20.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
      libvorbis-1.2.0-79.20.1
      libvorbis-doc-1.2.0-79.20.1
   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64):
      libvorbis-32bit-1.2.0-79.20.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64):
      libvorbis-1.2.0-79.20.1
      libvorbis-doc-1.2.0-79.20.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (ppc64 s390x x86_64):
      libvorbis-32bit-1.2.0-79.20.1
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (ia64):
      libvorbis-x86-1.2.0-79.20.1
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      libvorbis-1.2.0-79.20.1
      libvorbis-doc-1.2.0-79.20.1
   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64):
      libvorbis-32bit-1.2.0-79.20.1
   - SUSE Linux Enterprise Server 11 SP1 (ia64):
      libvorbis-x86-1.2.0-79.20.1
   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
      libvorbis-1.1.2-13.19.1
      libvorbis-devel-1.1.2-13.19.1
   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):
      libvorbis-32bit-1.1.2-13.19.1
   - SUSE Linux Enterprise Server 10 SP4 (ia64):
      libvorbis-x86-1.1.2-13.19.1
   - SUSE Linux Enterprise Server 10 SP4 (ppc):
      libvorbis-64bit-1.1.2-13.19.1
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64):
      libvorbis-1.2.0-79.20.1
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (x86_64):
      libvorbis-32bit-1.2.0-79.20.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
      libvorbis-1.2.0-79.20.1
   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64):
      libvorbis-32bit-1.2.0-79.20.1
   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
      libvorbis-1.1.2-13.19.1
      libvorbis-devel-1.1.2-13.19.1
   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
      libvorbis-32bit-1.1.2-13.19.1

References:

   http://support.novell.com/security/cve/CVE-2012-0444.html
   https://bugzilla.novell.com/747912
   http://download.novell.com/patch/finder/?keywords=56f02ce23b1f6abe181f7e00c3bc1f23
   http://download.novell.com/patch/finder/?keywords=dca0a520e9ca9f5bad17b1c77fc0f1a6

From sle-security-updates at lists.suse.com  Tue Mar  6 17:08:26 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Mar 2012 01:08:26 +0100 (CET)
Subject: SUSE-SU-2012:0329-1: moderate: Security update for ark
Message-ID: <20120307000826.387FE3217D@maintenance.suse.de>

SUSE Security Update: Security update for ark
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0329-1
Rating:             moderate
References:         #708268
Cross-References:   CVE-2011-2725
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1 FOR SP2
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.
Description:

   Ark was prone to a path traversal vulnerability: a maliciously crafted
   zip file could cause an arbitrary file to be displayed and, if the user
   has the appropriate credentials, removed (CVE-2011-2725).

Security Issue reference:

   * CVE-2011-2725

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-ark-5906
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2:
      zypper in -t patch slessp1fsp2-ark-5906
   - SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-ark-5906
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:
      zypper in -t patch sledsp1fsp2-ark-5906
   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-ark-5906

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
      ark-4.3.5-0.3.3
      kcalc-4.3.5-0.3.3
      kcharselect-4.3.5-0.3.3
      kdessh-4.3.5-0.3.3
      kdf-4.3.5-0.3.3
      kfloppy-4.3.5-0.3.3
      kgpg-4.3.5-0.3.3
      ktimer-4.3.5-0.3.3
      kwalletmanager-4.3.5-0.3.3
      kwikdisk-4.3.5-0.3.3
      okteta-4.3.5-0.3.3
   - SUSE Linux Enterprise Server 11 SP1 FOR SP2 (i586 ia64 ppc64 s390x x86_64):
      ark-4.3.5-0.3.3
      kcalc-4.3.5-0.3.3
      kcharselect-4.3.5-0.3.3
      kdessh-4.3.5-0.3.3
      kdf-4.3.5-0.3.3
      kfloppy-4.3.5-0.3.3
      kgpg-4.3.5-0.3.3
      ktimer-4.3.5-0.3.3
      kwalletmanager-4.3.5-0.3.3
      kwikdisk-4.3.5-0.3.3
      okteta-4.3.5-0.3.3
   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      ark-4.3.5-0.3.3
      kcalc-4.3.5-0.3.3
      kcharselect-4.3.5-0.3.3
      kdessh-4.3.5-0.3.3
      kdf-4.3.5-0.3.3
      kfloppy-4.3.5-0.3.3
      kgpg-4.3.5-0.3.3
      ktimer-4.3.5-0.3.3
      kwalletmanager-4.3.5-0.3.3
      kwikdisk-4.3.5-0.3.3
      okteta-4.3.5-0.3.3
   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64):
      ark-4.3.5-0.3.3
      kcalc-4.3.5-0.3.3
      kdessh-4.3.5-0.3.3
      kdf-4.3.5-0.3.3
      kfloppy-4.3.5-0.3.3
      kgpg-4.3.5-0.3.3
      kwalletmanager-4.3.5-0.3.3
      kwikdisk-4.3.5-0.3.3
      okteta-4.3.5-0.3.3
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
      ark-4.3.5-0.3.3
      kcalc-4.3.5-0.3.3
      kdessh-4.3.5-0.3.3
      kdf-4.3.5-0.3.3
      kfloppy-4.3.5-0.3.3
      kgpg-4.3.5-0.3.3
      kwalletmanager-4.3.5-0.3.3
      kwikdisk-4.3.5-0.3.3
      okteta-4.3.5-0.3.3

References:

   http://support.novell.com/security/cve/CVE-2011-2725.html
   https://bugzilla.novell.com/708268
   http://download.novell.com/patch/finder/?keywords=492e47f4d6e7ea245620d7b07b0c4d67

From sle-security-updates at lists.suse.com  Wed Mar  7 11:08:15 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 7 Mar 2012 19:08:15 +0100 (CET)
Subject: SUSE-SU-2012:0332-1: important: Security update for flash-player
Message-ID: <20120307180815.5246E32188@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0332-1
Rating:             important
References:         #750614
Cross-References:   CVE-2012-0768 CVE-2012-0769
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP1 FOR SP2
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available. It includes
   one version update.

Description:

   flash-player 11.1.102.63 fixes two security issues:

   * memory corruption vulnerability in Matrix3D could lead to code
     execution (CVE-2012-0768)
   * integer errors that could lead to information disclosure
     (CVE-2012-0769)

Security Issue references:

   * CVE-2012-0768
   * CVE-2012-0769

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2:
      zypper in -t patch sledsp1fsp2-flash-player-5928
   - SUSE Linux Enterprise Desktop 11 SP1:
      zypper in -t patch sledsp1-flash-player-5928

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Desktop 11 SP1 FOR SP2 (i586 x86_64) [New Version: 11.1.102.63]:
      flash-player-11.1.102.63-0.3.1
   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 11.1.102.63]:
      flash-player-11.1.102.63-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2012-0768.html
   http://support.novell.com/security/cve/CVE-2012-0769.html
   https://bugzilla.novell.com/750614
   http://download.novell.com/patch/finder/?keywords=2cd17573d24f9a05b79c0d54923441f3

From sle-security-updates at lists.suse.com  Thu Mar  8 09:08:23 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 8 Mar 2012 17:08:23 +0100 (CET)
Subject: SUSE-SU-2012:0332-2: important: Security update for flash-player
Message-ID: <20120308160823.1936132188@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0332-2
Rating:             important
References:         #750614
Cross-References:   CVE-2012-0768 CVE-2012-0769
Affected Products:
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available. It includes
   one version update.
Description:

   flash-player 11.1.102.63 fixes two security issues:

   * memory corruption vulnerability in Matrix3D could lead to code
     execution (CVE-2012-0768)
   * integer errors that could lead to information disclosure
     (CVE-2012-0769)

Security Issue references:

   * CVE-2012-0768
   * CVE-2012-0769

Package List:

   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 10.3.183.16]:
      flash-player-10.3.183.16-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2012-0768.html
   http://support.novell.com/security/cve/CVE-2012-0769.html
   https://bugzilla.novell.com/750614
   http://download.novell.com/patch/finder/?keywords=e55fbfc41d02cf21b84c2963260243e6

From sle-security-updates at lists.suse.com  Thu Mar  8 11:08:15 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 8 Mar 2012 19:08:15 +0100 (CET)
Subject: SUSE-SU-2012:0337-1: critical: Security update for Samba
Message-ID: <20120308180815.DADC732182@maintenance.suse.de>

SUSE Security Update: Security update for Samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0337-1
Rating:             critical
References:         #633729 #703655 #747934
Cross-References:   CVE-2012-0870
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Server 10 SP3 LTSS
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now
   available.

Description:

   This update of Samba fixes a heap-based buffer overflow that could be
   exploited by remote, unauthenticated attackers to crash the smbd daemon
   or potentially execute arbitrary code via specially crafted SMB AndX
   request packets (CVE-2012-0870).

   Two non-security bugs were also fixed:

   * Fix to handle domain join using NetBIOS name; (bnc#633729).
   * Fixed the DFS referral response for msdfs root; (bnc#703655).

Security Issue reference:

   * CVE-2012-0870

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
      cifs-mount-3.0.36-0.13.18.1
      ldapsmb-1.34b-25.13.18.1
      libmsrpc-3.0.36-0.13.18.1
      libmsrpc-devel-3.0.36-0.13.18.1
      libsmbclient-3.0.36-0.13.18.1
      libsmbclient-devel-3.0.36-0.13.18.1
      samba-3.0.36-0.13.18.1
      samba-client-3.0.36-0.13.18.1
      samba-krb-printing-3.0.36-0.13.18.1
      samba-python-3.0.36-0.13.18.1
      samba-vscan-0.3.6b-43.13.18.1
      samba-winbind-3.0.36-0.13.18.1
   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):
      libsmbclient-32bit-3.0.36-0.13.18.1
      samba-32bit-3.0.36-0.13.18.1
      samba-client-32bit-3.0.36-0.13.18.1
      samba-winbind-32bit-3.0.36-0.13.18.1
   - SUSE Linux Enterprise Server 10 SP4 (ia64):
      libsmbclient-x86-3.0.36-0.13.18.1
      samba-client-x86-3.0.36-0.13.18.1
      samba-winbind-x86-3.0.36-0.13.18.1
      samba-x86-3.0.36-0.13.18.1
   - SUSE Linux Enterprise Server 10 SP4 (ppc):
      libsmbclient-64bit-3.0.36-0.13.18.1
      samba-64bit-3.0.36-0.13.18.1
      samba-client-64bit-3.0.36-0.13.18.1
      samba-winbind-64bit-3.0.36-0.13.18.1
   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
      cifs-mount-3.0.36-0.13.18.1
      ldapsmb-1.34b-25.13.18.1
      libmsrpc-3.0.36-0.13.18.1
      libmsrpc-devel-3.0.36-0.13.18.1
      libsmbclient-3.0.36-0.13.18.1
      libsmbclient-devel-3.0.36-0.13.18.1
      samba-3.0.36-0.13.18.1
      samba-client-3.0.36-0.13.18.1
      samba-krb-printing-3.0.36-0.13.18.1
      samba-python-3.0.36-0.13.18.1
      samba-vscan-0.3.6b-43.13.18.1
      samba-winbind-3.0.36-0.13.18.1
   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):
      libsmbclient-32bit-3.0.36-0.13.18.1
      samba-32bit-3.0.36-0.13.18.1
      samba-client-32bit-3.0.36-0.13.18.1
      samba-winbind-32bit-3.0.36-0.13.18.1
   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
      cifs-mount-3.0.36-0.13.18.1
      ldapsmb-1.34b-25.13.18.1
      libsmbclient-3.0.36-0.13.18.1
      libsmbclient-devel-3.0.36-0.13.18.1
      samba-3.0.36-0.13.18.1
      samba-client-3.0.36-0.13.18.1
      samba-krb-printing-3.0.36-0.13.18.1
      samba-vscan-0.3.6b-43.13.18.1
      samba-winbind-3.0.36-0.13.18.1
   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
      libsmbclient-32bit-3.0.36-0.13.18.1
      samba-32bit-3.0.36-0.13.18.1
      samba-client-32bit-3.0.36-0.13.18.1
      samba-winbind-32bit-3.0.36-0.13.18.1
   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):
      libmsrpc-3.0.36-0.13.18.1
      libmsrpc-devel-3.0.36-0.13.18.1
      libsmbclient-devel-3.0.36-0.13.18.1
      libsmbsharemodes-3.0.36-0.13.18.1
      libsmbsharemodes-devel-3.0.36-0.13.18.1
      samba-python-3.0.36-0.13.18.1

References:

   http://support.novell.com/security/cve/CVE-2012-0870.html
   https://bugzilla.novell.com/633729
   https://bugzilla.novell.com/703655
   https://bugzilla.novell.com/747934
   http://download.novell.com/patch/finder/?keywords=547e3b7057adb631e1439605662293be
   http://download.novell.com/patch/finder/?keywords=7da8ca4f10f91e5bf4d12b67b2bd7522

From sle-security-updates at lists.suse.com  Thu Mar  8 11:08:22 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 8 Mar 2012 19:08:22 +0100 (CET)
Subject: SUSE-SU-2012:0338-1: critical: Security update for Samba
Message-ID: <20120308180822.28D1232182@maintenance.suse.de>

SUSE Security Update: Security update for Samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0338-1
Rating:             critical
References:         #747934
Cross-References:   CVE-2012-0870
Affected Products:
                    SUSE CORE 9
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update of Samba fixes a heap-based buffer overflow that could be
   exploited by remote, unauthenticated attackers to crash the smbd daemon
   or potentially execute arbitrary code via specially crafted SMB AndX
   request packets (CVE-2012-0870).
Security Issue reference:

   * CVE-2012-0870

Package List:

   - SUSE CORE 9 (i586 s390 s390x x86_64):
      libsmbclient-3.0.26a-0.21
      libsmbclient-devel-3.0.26a-0.21
      samba-3.0.26a-0.21
      samba-client-3.0.26a-0.21
      samba-doc-3.0.26a-0.21
      samba-pdb-3.0.26a-0.21
      samba-python-3.0.26a-0.21
      samba-vscan-0.3.6b-0.49
      samba-winbind-3.0.26a-0.21
   - SUSE CORE 9 (x86_64):
      libsmbclient-32bit-9-201202240204
      samba-32bit-9-201202240204
      samba-client-32bit-9-201202240204
      samba-winbind-32bit-9-201202240204
   - SUSE CORE 9 (s390x):
      libsmbclient-32bit-9-201202240207
      samba-32bit-9-201202240207
      samba-client-32bit-9-201202240207
      samba-winbind-32bit-9-201202240207

References:

   http://support.novell.com/security/cve/CVE-2012-0870.html
   https://bugzilla.novell.com/747934
   http://download.novell.com/patch/finder/?keywords=77fff45aa383e336358627a07aac4417

From sle-security-updates at lists.suse.com  Fri Mar  9 09:08:14 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 9 Mar 2012 17:08:14 +0100 (CET)
Subject: SUSE-SU-2012:0348-1: critical: Security update for Samba
Message-ID: <20120309160814.23B593219A@maintenance.suse.de>

SUSE Security Update: Security update for Samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0348-1
Rating:             critical
References:         #550002 #561894 #577868 #592198 #599873 #605935 #611927
                    #613459 #637218 #652620 #670431 #705241 #708503 #747934
Cross-References:   CVE-2012-0870
Affected Products:
                    SUSE Linux Enterprise Server 10 SP2
______________________________________________________________________________

   An update that solves one vulnerability and has 13 fixes is now
   available. It includes one version update.

Description:

   This Samba file server update fixes various security issues:

   * CVE-2012-0870: A heap-based buffer overflow that could be exploited by
     remote, unauthenticated attackers to crash the smbd daemon or
     potentially execute arbitrary code via specially crafted SMB AndX
     request packets.
   * CVE-2011-2694: A cross site scripting problem in SWAT was fixed.
   * CVE-2011-0719: Fixed a possible denial of service caused by memory
     corruption.
   * CVE-2010-3069: Fix buffer overflow in sid_parse() to correctly check
     the input lengths when reading a binary representation of a Windows
     Security ID (SID).
   * CVE-2010-2063: Addressed possible buffer overrun in chain_reply code of
     pre-3.4 versions.
   * CVE-2010-1642: An uninitialized variable read could have caused an smbd
     crash.
   * CVE-2010-0787: Take extra care that a mount point of mount.cifs isn't
     changed during mount.

   Also the following bugs have been fixed:

   * Add Provides samba-client-gplv2 and samba-doc-gplv2 to pre-3.2
     versions; (bnc#652620).
   * Initialize workgroup of nmblookup as empty string.
   * Fix trusts with Windows 2008R2 DCs; (bnc#613459); (bnc#599873);
     (bnc#592198); (bso#6697).
   * Document "wide links" defaults to "no" in the smb.conf man page for
     versions pre-3.4.6; (bnc#577868).
   * Allow forced pw change even with min pw age; (bnc#561894).

Security Issue reference:

   * CVE-2012-0870

Package List:

   - SUSE Linux Enterprise Server 10 SP2 (i586 s390x x86_64) [New Version: 3.0.32]:
      cifs-mount-3.0.32-0.20.1
      libmsrpc-3.0.32-0.20.1
      libmsrpc-devel-3.0.32-0.20.1
      libsmbclient-3.0.32-0.20.1
      libsmbclient-devel-3.0.32-0.20.1
      samba-3.0.32-0.20.1
      samba-client-3.0.32-0.20.1
      samba-krb-printing-3.0.32-0.20.1
      samba-python-3.0.32-0.20.1
      samba-vscan-0.3.6b-42.85.20.1
      samba-winbind-3.0.32-0.20.1
   - SUSE Linux Enterprise Server 10 SP2 (s390x x86_64) [New Version: 3.0.32]:
      libsmbclient-32bit-3.0.32-0.20.1
      samba-32bit-3.0.32-0.20.1
      samba-client-32bit-3.0.32-0.20.1
      samba-winbind-32bit-3.0.32-0.20.1
   - SUSE Linux Enterprise Server 10 SP2 (noarch) [New Version: 3.0.32]:
      samba-doc-3.0.32-0.20.1

References:

   http://support.novell.com/security/cve/CVE-2012-0870.html
   https://bugzilla.novell.com/550002
   https://bugzilla.novell.com/561894
   https://bugzilla.novell.com/577868
   https://bugzilla.novell.com/592198
   https://bugzilla.novell.com/599873
   https://bugzilla.novell.com/605935
   https://bugzilla.novell.com/611927
   https://bugzilla.novell.com/613459
   https://bugzilla.novell.com/637218
   https://bugzilla.novell.com/652620
   https://bugzilla.novell.com/670431
   https://bugzilla.novell.com/705241
   https://bugzilla.novell.com/708503
   https://bugzilla.novell.com/747934
   http://download.novell.com/patch/finder/?keywords=7647f10c23183441620c089dfae68cd9

From sle-security-updates at lists.suse.com  Tue Mar 13 17:08:31 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Mar 2012 00:08:31 +0100 (CET)
Subject: SUSE-SU-2012:0364-1: important: Security update for Real Time Linux Kernel
Message-ID: <20120313230831.D38413219E@maintenance.suse.de>

SUSE Security Update: Security update for Real Time Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0364-1
Rating:             important
References:         #590980 #591293 #651219 #653260 #698450 #699709 #707096
                    #707288
            #708877 #711203 #711539 #712366 #714001 #716901 #722406 #726788 #732021 #734056 #745881
Cross-References: CVE-2010-3873 CVE-2011-1576 CVE-2011-1577 CVE-2011-1833 CVE-2011-2203 CVE-2011-2918 CVE-2011-2928 CVE-2011-3191 CVE-2011-3353 CVE-2011-4081 CVE-2011-4110 CVE-2011-4326
Affected Products:
    SUSE Linux Enterprise Real Time 11 SP1
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 7 fixes is now available. It includes one version update.

Description:

The SUSE Linux Enterprise Server 11 SP1 Realtime kernel was updated to 2.6.33.20 to fix various bugs and security issues.

The following security issues have been fixed:

* CVE-2011-4110: KEYS: Fix a NULL pointer deref in the user-defined key type, which allowed local attackers to Oops the kernel.
* CVE-2011-4081: Avoid potential NULL pointer deref in ghash, which allowed local attackers to Oops the kernel.
* CVE-2010-3873: When using X.25 communication a malicious sender could corrupt data structures, causing crashes or potential code execution. Please note that X.25 needs to be set up to make this effective, which these days is usually not the case.
* CVE-2011-2203: A NULL ptr dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel.
* CVE-2011-3191: A malicious CIFS server could cause an integer overflow on the local machine on directory index operations, in turn causing memory corruption.
* CVE-2011-3353: In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did not check the length of the write so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). This flaw could be used by local users able to mount FUSE filesystems to crash the system.
* CVE-2011-4326: A bug was found in the way the headroom check was performed in the udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system.
* CVE-2011-1576: The Generic Receive Offload (GRO) implementation in the Linux kernel allowed remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to (1) a memory leak or (2) memory corruption, a different vulnerability than CVE-2011-1478.
* CVE-2011-1833: Added a kernel option to ensure ecryptfs is mounting only on paths belonging to the current uid, which would have allowed local attackers to potentially gain privileges via symlink attacks.
* CVE-2011-2918: In the perf framework software event overflows could deadlock or delete an uninitialized timer.

Included in Linux 2.6.32.19 stable update:

* CVE-2011-2928: The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel did not validate the length attribute of long symlinks, which allowed local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem.
* CVE-2011-3353: In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did not check the length of the write so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). This flaw could be used by local users able to mount FUSE filesystems to crash the system.
* CVE-2011-1577: The Linux kernel automatically evaluated partition tables of storage devices. The code for evaluating EFI GUID partitions (in fs/partitions/efi.c) contained a bug that caused a kernel oops on certain corrupted GUID partition tables, which might be used by local attackers to crash the kernel or potentially execute code.

The following non security bugs have been fixed:

* Fix DL980G7 numa enumeration problem. HP bios SRAT table contains more entries (256) than SLERT NR_CPUS (128). Pull in mainline fixes to always parse the entire table, regardless of configured NR_CPUS.
* x86, acpi: Parse all SRAT cpu entries even above the cpu number limitation (bnc#745881).
* x86, ia64, acpi: Clean up x86-ism in drivers/acpi/numa.c (bnc#745881).
* rt, timerfd: fix timerfd_settime() livelock.
* Fix build failure on 12.1 systems. CONFIG_BUILD_DOCSRC builds Documentation/video4linux but without reference to local includes, thus build only succeeds on older SUSE releases where linux-glibc-devel provides (obsolete) videodev.h. Add upstream patch which drops support for v4lgrab.c which is safe as sample executable is not packaged in any released rpm.
* Add missing references symset for the rt flavor (bnc#722406#c69).
* Pick up SP1 82576 ET2 Quad Port driver addon. Pick up I350 as well, since it's just recognition of a follow-on part for 82580.
* igb: Add support for 82576 ET2 Quad Port Server Adapter (bnc#591293, bnc#722406).
* igb: add support for Intel I350 Gigabit Network Connection (bnc#590980).
* Fix regression introduced by backport of mainline commit 43fa5460
* sched/rt: Migrate equal priority tasks to available CPUs.
* sched: fix broken SCHED_RESET_ON_FORK handling (bnc#708877).
* sched: Fix rt_rq runtime leakage bug (bnc#707096).

Security Issue references:

* CVE-2011-4110
* CVE-2011-4081
* CVE-2010-3873
* CVE-2011-2203
* CVE-2011-3191
* CVE-2011-3353
* CVE-2011-4326
* CVE-2011-1576
* CVE-2011-1833
* CVE-2011-2918
* CVE-2011-2928
* CVE-2011-3353
* CVE-2011-1577

Indications:

Everyone using the Real Time Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time 11 SP1:

    zypper in -t patch slertesp1-kernel-5802

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Real Time 11 SP1 (x86_64) [New Version: 2.6.33.20]:

    brocade-bna-kmp-rt-2.1.0.0_2.6.33.20_rt31_0.3-0.2.34
    cluster-network-kmp-rt-1.4_2.6.33.20_rt31_0.3-2.5.28
    cluster-network-kmp-rt_trace-1.4_2.6.33.20_rt31_0.3-2.5.28
    drbd-kmp-rt-8.3.11_2.6.33.20_rt31_0.3-0.3.28
    drbd-kmp-rt_trace-8.3.11_2.6.33.20_rt31_0.3-0.3.28
    iscsitarget-kmp-rt-1.4.19_2.6.33.20_rt31_0.3-0.9.11.2
    kernel-rt-2.6.33.20-0.3.1
    kernel-rt-base-2.6.33.20-0.3.1
    kernel-rt-devel-2.6.33.20-0.3.1
    kernel-rt_trace-2.6.33.20-0.3.1
    kernel-rt_trace-base-2.6.33.20-0.3.1
    kernel-rt_trace-devel-2.6.33.20-0.3.1
    kernel-source-rt-2.6.33.20-0.3.1
    kernel-syms-rt-2.6.33.20-0.3.1
    ocfs2-kmp-rt-1.6_2.6.33.20_rt31_0.3-0.4.2.28
    ocfs2-kmp-rt_trace-1.6_2.6.33.20_rt31_0.3-0.4.2.28
    ofed-kmp-rt-1.5.2_2.6.33.20_rt31_0.3-0.9.13.15

References:

http://support.novell.com/security/cve/CVE-2010-3873.html
http://support.novell.com/security/cve/CVE-2011-1576.html
http://support.novell.com/security/cve/CVE-2011-1577.html
http://support.novell.com/security/cve/CVE-2011-1833.html
http://support.novell.com/security/cve/CVE-2011-2203.html
http://support.novell.com/security/cve/CVE-2011-2918.html
http://support.novell.com/security/cve/CVE-2011-2928.html
http://support.novell.com/security/cve/CVE-2011-3191.html
http://support.novell.com/security/cve/CVE-2011-3353.html
http://support.novell.com/security/cve/CVE-2011-4081.html
http://support.novell.com/security/cve/CVE-2011-4110.html
http://support.novell.com/security/cve/CVE-2011-4326.html
https://bugzilla.novell.com/590980
https://bugzilla.novell.com/591293
https://bugzilla.novell.com/651219
https://bugzilla.novell.com/653260
https://bugzilla.novell.com/698450
https://bugzilla.novell.com/699709
https://bugzilla.novell.com/707096
https://bugzilla.novell.com/707288
https://bugzilla.novell.com/708877
https://bugzilla.novell.com/711203
https://bugzilla.novell.com/711539
https://bugzilla.novell.com/712366
https://bugzilla.novell.com/714001
https://bugzilla.novell.com/716901
https://bugzilla.novell.com/722406
https://bugzilla.novell.com/726788
https://bugzilla.novell.com/732021
https://bugzilla.novell.com/734056
https://bugzilla.novell.com/745881
http://download.novell.com/patch/finder/?keywords=2e813f9c7b45c2dd561fb51cf3245000

From sle-security-updates at lists.suse.com  Tue Mar 13 20:08:23 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 14 Mar 2012 03:08:23 +0100 (CET)
Subject: SUSE-SU-2012:0366-1: moderate: Security update for rubygem-actionpack
Message-ID: <20120314020823.1DA5A3219E@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-actionpack
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0366-1
Rating: moderate
References: #668817 #712057 #712058 #712060 #712062
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP2
    SUSE Linux Enterprise Software Development Kit 11 SP1
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

Ruby on Rails 2.1 received some security fixes.

The following security issues have been fixed:

rubygem-actionpack-2_1:

* properly encode special html chars from strings with malformed unicode (CVE-2011-2932)
* properly encode \r\n in the content-type header (CVE-2011-3186)
* properly strip tags from strings with specially crafted values (CVE-2011-2931)
* XSS Risk with mail_to (CVE-2011-0446)
* CSRF Vulnerability in protect_from_forgery (CVE-2011-0447)

rubygem-activerecord-2_1:

* fix vulnerability in the quote_table_name method which could allow malicious users to inject arbitrary SQL into a query (CVE-2011-2930)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP2:

    zypper in -t patch sdksp1fsp2-rubygem-actionpack-2_1-5875

- SUSE Linux Enterprise Software Development Kit 11 SP1:

    zypper in -t patch sdksp1-rubygem-actionpack-2_1-5875

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

    rubygem-actionpack-2_1-2.1.2-1.12.2
    rubygem-activerecord-2_1-2.1.2-1.4.5

- SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):

    rubygem-actionpack-2_1-2.1.2-1.12.2
    rubygem-activerecord-2_1-2.1.2-1.4.5

References:

https://bugzilla.novell.com/668817
https://bugzilla.novell.com/712057
https://bugzilla.novell.com/712058
https://bugzilla.novell.com/712060
https://bugzilla.novell.com/712062
http://download.novell.com/patch/finder/?keywords=d47da4fd99cc8c7e9247d0c8c2fe1323

From sle-security-updates at lists.suse.com  Mon Mar 19 16:08:13 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 19 Mar 2012 23:08:13 +0100 (CET)
Subject: SUSE-SU-2012:0386-1: Security update for Xen and libvirt
Message-ID: <20120319220813.C778C323C7@maintenance.suse.de>

SUSE Security Update: Security update for Xen and libvirt
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0386-1
Rating: low
References: #649209 #694863 #725169 #726332 #727515 #732782 #734826 #735403 #736824 #739585 #740165
Cross-References: CVE-2012-0029
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP1
    SUSE Linux Enterprise Server 11 SP1 for VMware
    SUSE Linux Enterprise Server 11 SP1
    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

An update that solves one vulnerability and has 10 fixes is now available. It includes one version update.
Description:

This collective update 2012/02 for Xen provides fixes for the following reports:

Xen:

* 740165: Fix heap overflow in e1000 device emulation (applicable to Xen qemu - CVE-2012-0029)
* 739585: Xen block-attach fails after repeated attach/detach
* 727515: Fragmented packets hang network boot of HVM guest
* 736824: Microcode patches for AMD's 15h processors panic the system
* 732782: xm create hangs when maxmem value is enclosed in "quotes"
* 734826: xm rename doesn't work anymore
* 694863: kexec fails in xen
* 726332: Fix considerable performance hit by previous changeset
* 649209: Fix slow Xen live migrations

libvirt:

* 735403: Fix connection with virt-manager as normal user

virt-utils:

* Add Support for creating images that can be run on Microsoft Hyper-V host (Fix vpc file format. Add support for fixed disks)

Security Issue references:

* CVE-2012-0029

Indications:

Every Xen user should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP1:

    zypper in -t patch sdksp1-xen-201202-5796

- SUSE Linux Enterprise Server 11 SP1 for VMware:

    zypper in -t patch slessp1-xen-201202-5796

- SUSE Linux Enterprise Server 11 SP1:

    zypper in -t patch slessp1-xen-201202-5796

- SUSE Linux Enterprise Desktop 11 SP1:

    zypper in -t patch sledsp1-xen-201202-5796

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64):

    libvirt-devel-0.7.6-1.29.2
    xen-devel-4.0.3_21548_02-0.5.2

- SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):

    xen-kmp-trace-4.0.3_21548_02_2.6.32.54_0.3-0.5.2

- SUSE Linux Enterprise Server 11 SP1 (i586 x86_64) [New Version: 1.1.3]:

    libvirt-0.7.6-1.29.2
    libvirt-doc-0.7.6-1.29.2
    libvirt-python-0.7.6-1.29.2
    virt-utils-1.1.3-1.5.1
    xen-4.0.3_21548_02-0.5.2
    xen-doc-html-4.0.3_21548_02-0.5.2
    xen-doc-pdf-4.0.3_21548_02-0.5.2
    xen-kmp-default-4.0.3_21548_02_2.6.32.54_0.3-0.5.2
    xen-kmp-trace-4.0.3_21548_02_2.6.32.54_0.3-0.5.2
    xen-libs-4.0.3_21548_02-0.5.2
    xen-tools-4.0.3_21548_02-0.5.2
    xen-tools-domU-4.0.3_21548_02-0.5.2

- SUSE Linux Enterprise Server 11 SP1 (i586):

    xen-kmp-pae-4.0.3_21548_02_2.6.32.54_0.3-0.5.2

- SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 1.1.3]:

    libvirt-0.7.6-1.29.2
    libvirt-doc-0.7.6-1.29.2
    libvirt-python-0.7.6-1.29.2
    virt-utils-1.1.3-1.5.1
    xen-4.0.3_21548_02-0.5.2
    xen-kmp-default-4.0.3_21548_02_2.6.32.54_0.3-0.5.2
    xen-libs-4.0.3_21548_02-0.5.2
    xen-tools-4.0.3_21548_02-0.5.2
    xen-tools-domU-4.0.3_21548_02-0.5.2

- SUSE Linux Enterprise Desktop 11 SP1 (i586):

    xen-kmp-pae-4.0.3_21548_02_2.6.32.54_0.3-0.5.2

References:

http://support.novell.com/security/cve/CVE-2012-0029.html
https://bugzilla.novell.com/649209
https://bugzilla.novell.com/694863
https://bugzilla.novell.com/725169
https://bugzilla.novell.com/726332
https://bugzilla.novell.com/727515
https://bugzilla.novell.com/732782
https://bugzilla.novell.com/734826
https://bugzilla.novell.com/735403
https://bugzilla.novell.com/736824
https://bugzilla.novell.com/739585
https://bugzilla.novell.com/740165
http://download.novell.com/patch/finder/?keywords=cc26db394df4e1893e567ae94e3d664f

From sle-security-updates at lists.suse.com  Wed Mar 21 04:08:17 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Mar 2012 11:08:17 +0100 (CET)
Subject: SUSE-SU-2012:0393-1: Security update for Mono
Message-ID: <20120321100817.BEEFE323C2@maintenance.suse.de>

SUSE Security Update: Security update for Mono
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0393-1
Rating: low
References: #648080
Cross-References: CVE-2010-3332
Affected Products:
    SUSE Linux Enterprise Server 10 SP4
    SUSE Linux Enterprise Desktop 10 SP4
    SLE SDK 10 SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

The FORMS authentication methods of mono ASP.net implementation were vulnerable to a padding oracle attack as described in CVE-2010-3332, as they did encryption after checksum. This update changes the method to checksum after encryption to avoid this attack.

Security Issue reference:

* CVE-2010-3332

Package List:

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

    mono-core-1.2.2-12.32.1
    mono-data-1.2.2-12.32.1
    mono-data-firebird-1.2.2-12.32.1
    mono-data-oracle-1.2.2-12.32.1
    mono-data-postgresql-1.2.2-12.32.1
    mono-data-sqlite-1.2.2-12.32.1
    mono-data-sybase-1.2.2-12.32.1
    mono-locale-extras-1.2.2-12.32.1
    mono-nunit-1.2.2-12.32.1
    mono-web-1.2.2-12.32.1
    mono-winforms-1.2.2-12.32.1

- SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

    mono-core-32bit-1.2.2-12.32.1

- SUSE Linux Enterprise Server 10 SP4 (ia64):

    mono-core-x86-1.2.2-12.32.1

- SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

    bytefx-data-mysql-1.2.2-12.32.1
    ibm-data-db2-1.2.2-12.32.1
    mono-core-1.2.2-12.32.1
    mono-data-1.2.2-12.32.1
    mono-data-firebird-1.2.2-12.32.1
    mono-data-oracle-1.2.2-12.32.1
    mono-data-postgresql-1.2.2-12.32.1
    mono-data-sqlite-1.2.2-12.32.1
    mono-data-sybase-1.2.2-12.32.1
    mono-devel-1.2.2-12.32.1
    mono-extras-1.2.2-12.32.1
    mono-locale-extras-1.2.2-12.32.1
    mono-nunit-1.2.2-12.32.1
    mono-web-1.2.2-12.32.1
    mono-winforms-1.2.2-12.32.1

- SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
    mono-core-32bit-1.2.2-12.32.1

- SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

    bytefx-data-mysql-1.2.2-12.32.1
    ibm-data-db2-1.2.2-12.32.1
    mono-core-1.2.2-12.32.1
    mono-data-1.2.2-12.32.1
    mono-data-firebird-1.2.2-12.32.1
    mono-data-oracle-1.2.2-12.32.1
    mono-data-postgresql-1.2.2-12.32.1
    mono-data-sqlite-1.2.2-12.32.1
    mono-data-sybase-1.2.2-12.32.1
    mono-devel-1.2.2-12.32.1
    mono-extras-1.2.2-12.32.1
    mono-jscript-1.2.2-12.32.1
    mono-locale-extras-1.2.2-12.32.1
    mono-nunit-1.2.2-12.32.1
    mono-web-1.2.2-12.32.1
    mono-winforms-1.2.2-12.32.1

- SLE SDK 10 SP4 (s390x x86_64):

    mono-core-32bit-1.2.2-12.32.1

- SLE SDK 10 SP4 (ia64):

    mono-core-x86-1.2.2-12.32.1

References:

http://support.novell.com/security/cve/CVE-2010-3332.html
https://bugzilla.novell.com/648080
http://download.novell.com/patch/finder/?keywords=acf3e342c719d9e5ee642a15f5422903

From sle-security-updates at lists.suse.com  Wed Mar 21 14:08:11 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 21 Mar 2012 21:08:11 +0100 (CET)
Subject: SUSE-SU-2012:0201-2: moderate: Security update for lighttpd
Message-ID: <20120321200811.B8405323CB@maintenance.suse.de>

SUSE Security Update: Security update for lighttpd
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0201-2
Rating: moderate
References: #733607
Cross-References: CVE-2011-4362
Affected Products:
    SUSE Linux Enterprise High Availability Extension 11 SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update of lighttpd fixes an out-of-bounds read due to a signedness error which could have caused a Denial of Service (CVE-2011-4362).

Security Issue reference:

* CVE-2011-4362

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability Extension 11 SP2:

    zypper in -t patch sleshasp2-lighttpd-6002

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise High Availability Extension 11 SP2 (i586 ia64 ppc64 s390x x86_64):

    lighttpd-1.4.20-2.46.10

References:

http://support.novell.com/security/cve/CVE-2011-4362.html
https://bugzilla.novell.com/733607
http://download.novell.com/patch/finder/?keywords=dd6c296252c3013697b6a2717cc65b62

From sle-security-updates at lists.suse.com  Fri Mar 23 20:08:28 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 24 Mar 2012 03:08:28 +0100 (CET)
Subject: SUSE-SU-2012:0411-1: important: Security update for PHP5
Message-ID: <20120324020828.2FDC332294@maintenance.suse.de>

SUSE Security Update: Security update for PHP5
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0411-1
Rating: important
References: #741520 #741859 #742273 #742806 #743308 #744966 #746661 #749111
Cross-References: CVE-2011-4153 CVE-2011-4885 CVE-2012-0057 CVE-2012-0781 CVE-2012-0788 CVE-2012-0789 CVE-2012-0807 CVE-2012-0830 CVE-2012-0831
Affected Products:
    SUSE Linux Enterprise Server 10 SP4
    SLE SDK 10 SP4
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.
Description:

This update of php5 fixes multiple security flaws:

* CVE-2011-4153, missing checks of return values could allow remote attackers to cause a denial of service (NULL pointer dereference)
* CVE-2011-4885, denial of service via hash collisions
* CVE-2012-0057, specially crafted XSLT stylesheets could allow remote attackers to create arbitrary files with arbitrary content
* CVE-2012-0781, remote attackers can cause a denial of service via specially crafted input to an application that attempts to perform Tidy::diagnose operations
* CVE-2012-0788, applications that use a PDO driver were prone to denial of service flaws which could be exploited remotely
* CVE-2012-0789, memory leak in the timezone functionality could allow remote attackers to cause a denial of service (memory consumption)
* CVE-2012-0807, a stack based buffer overflow in php5's Suhosin extension could allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header
* CVE-2012-0830, this fixes an incorrect fix for CVE-2011-4885 which could allow remote attackers to execute arbitrary code via a request containing a large number of variables
* CVE-2012-0831, temporary changes to the magic_quotes_gpc directive during the importing of environment variables is not properly performed which makes it easier for remote attackers to conduct SQL injections

Security Issue references:

* CVE-2011-4153
* CVE-2011-4885
* CVE-2012-0057
* CVE-2012-0781
* CVE-2012-0788
* CVE-2012-0789
* CVE-2012-0807
* CVE-2012-0830
* CVE-2012-0831

Package List:

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

    apache2-mod_php5-5.2.14-0.26.3
    php5-5.2.14-0.26.3
    php5-bcmath-5.2.14-0.26.3
    php5-bz2-5.2.14-0.26.3
    php5-calendar-5.2.14-0.26.3
    php5-ctype-5.2.14-0.26.3
    php5-curl-5.2.14-0.26.3
    php5-dba-5.2.14-0.26.3
    php5-dbase-5.2.14-0.26.3
    php5-devel-5.2.14-0.26.3
    php5-dom-5.2.14-0.26.3
    php5-exif-5.2.14-0.26.3
    php5-fastcgi-5.2.14-0.26.3
    php5-ftp-5.2.14-0.26.3
    php5-gd-5.2.14-0.26.3
    php5-gettext-5.2.14-0.26.3
    php5-gmp-5.2.14-0.26.3
    php5-hash-5.2.14-0.26.3
    php5-iconv-5.2.14-0.26.3
    php5-imap-5.2.14-0.26.3
    php5-json-5.2.14-0.26.3
    php5-ldap-5.2.14-0.26.3
    php5-mbstring-5.2.14-0.26.3
    php5-mcrypt-5.2.14-0.26.3
    php5-mhash-5.2.14-0.26.3
    php5-mysql-5.2.14-0.26.3
    php5-ncurses-5.2.14-0.26.3
    php5-odbc-5.2.14-0.26.3
    php5-openssl-5.2.14-0.26.3
    php5-pcntl-5.2.14-0.26.3
    php5-pdo-5.2.14-0.26.3
    php5-pear-5.2.14-0.26.3
    php5-pgsql-5.2.14-0.26.3
    php5-posix-5.2.14-0.26.3
    php5-pspell-5.2.14-0.26.3
    php5-shmop-5.2.14-0.26.3
    php5-snmp-5.2.14-0.26.3
    php5-soap-5.2.14-0.26.3
    php5-sockets-5.2.14-0.26.3
    php5-sqlite-5.2.14-0.26.3
    php5-suhosin-5.2.14-0.26.3
    php5-sysvmsg-5.2.14-0.26.3
    php5-sysvsem-5.2.14-0.26.3
    php5-sysvshm-5.2.14-0.26.3
    php5-tokenizer-5.2.14-0.26.3
    php5-wddx-5.2.14-0.26.3
    php5-xmlreader-5.2.14-0.26.3
    php5-xmlrpc-5.2.14-0.26.3
    php5-xsl-5.2.14-0.26.3
    php5-zlib-5.2.14-0.26.3

- SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

    apache2-mod_php5-5.2.14-0.26.3
    php5-5.2.14-0.26.3
    php5-bcmath-5.2.14-0.26.3
    php5-bz2-5.2.14-0.26.3
    php5-calendar-5.2.14-0.26.3
    php5-ctype-5.2.14-0.26.3
    php5-curl-5.2.14-0.26.3
    php5-dba-5.2.14-0.26.3
    php5-dbase-5.2.14-0.26.3
    php5-devel-5.2.14-0.26.3
    php5-dom-5.2.14-0.26.3
    php5-exif-5.2.14-0.26.3
    php5-fastcgi-5.2.14-0.26.3
    php5-ftp-5.2.14-0.26.3
    php5-gd-5.2.14-0.26.3
    php5-gettext-5.2.14-0.26.3
    php5-gmp-5.2.14-0.26.3
    php5-hash-5.2.14-0.26.3
    php5-iconv-5.2.14-0.26.3
    php5-imap-5.2.14-0.26.3
    php5-ldap-5.2.14-0.26.3
    php5-mbstring-5.2.14-0.26.3
    php5-mcrypt-5.2.14-0.26.3
    php5-mhash-5.2.14-0.26.3
    php5-mysql-5.2.14-0.26.3
    php5-ncurses-5.2.14-0.26.3
    php5-odbc-5.2.14-0.26.3
    php5-openssl-5.2.14-0.26.3
    php5-pcntl-5.2.14-0.26.3
    php5-pdo-5.2.14-0.26.3
    php5-pear-5.2.14-0.26.3
    php5-pgsql-5.2.14-0.26.3
    php5-posix-5.2.14-0.26.3
    php5-pspell-5.2.14-0.26.3
    php5-shmop-5.2.14-0.26.3
    php5-snmp-5.2.14-0.26.3
    php5-soap-5.2.14-0.26.3
    php5-sockets-5.2.14-0.26.3
    php5-sqlite-5.2.14-0.26.3
    php5-suhosin-5.2.14-0.26.3
    php5-sysvmsg-5.2.14-0.26.3
    php5-sysvsem-5.2.14-0.26.3
    php5-sysvshm-5.2.14-0.26.3
    php5-tidy-5.2.14-0.26.3
    php5-tokenizer-5.2.14-0.26.3
    php5-wddx-5.2.14-0.26.3
    php5-xmlreader-5.2.14-0.26.3
    php5-xmlrpc-5.2.14-0.26.3
    php5-xsl-5.2.14-0.26.3
    php5-zlib-5.2.14-0.26.3

References:

http://support.novell.com/security/cve/CVE-2011-4153.html
http://support.novell.com/security/cve/CVE-2011-4885.html
http://support.novell.com/security/cve/CVE-2012-0057.html
http://support.novell.com/security/cve/CVE-2012-0781.html
http://support.novell.com/security/cve/CVE-2012-0788.html
http://support.novell.com/security/cve/CVE-2012-0789.html
http://support.novell.com/security/cve/CVE-2012-0807.html
http://support.novell.com/security/cve/CVE-2012-0830.html
http://support.novell.com/security/cve/CVE-2012-0831.html
https://bugzilla.novell.com/741520
https://bugzilla.novell.com/741859
https://bugzilla.novell.com/742273
https://bugzilla.novell.com/742806
https://bugzilla.novell.com/743308
https://bugzilla.novell.com/744966
https://bugzilla.novell.com/746661
https://bugzilla.novell.com/749111
http://download.novell.com/patch/finder/?keywords=12fa3ee1e0074dc69ed195ba32ed4339

From sle-security-updates at lists.suse.com  Fri Mar 23 21:09:51 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 24 Mar 2012 04:09:51 +0100 (CET)
Subject: SUSE-SU-2012:0413-1: moderate: Security update for libraptor
Message-ID: <20120324030951.9C0EF323B2@maintenance.suse.de>

SUSE Security Update: Security update for libraptor
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0413-1
Rating: moderate
References: #745298
Cross-References: CVE-2012-0037
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP2
    SUSE Linux Enterprise Software Development Kit 11 SP1
    SUSE Linux Enterprise Server 11 SP2
    SUSE Linux Enterprise Server 11 SP1 for VMware
    SUSE Linux Enterprise Server 11 SP1
    SUSE Linux Enterprise Desktop 11 SP2
    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

Specially crafted XML files could have allowed XML External Entity (XXE) attacks resulting in file theft and a loss of user privacy. This has been fixed.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP2:

    zypper in -t patch sdksp1-libraptor-devel-5836

- SUSE Linux Enterprise Software Development Kit 11 SP1:

    zypper in -t patch sdksp1-libraptor-devel-5836

- SUSE Linux Enterprise Server 11 SP2:

    zypper in -t patch slessp1-libraptor-devel-5836

- SUSE Linux Enterprise Server 11 SP1 for VMware:

    zypper in -t patch slessp1-libraptor-devel-5836

- SUSE Linux Enterprise Server 11 SP1:

    zypper in -t patch slessp1-libraptor-devel-5836

- SUSE Linux Enterprise Desktop 11 SP2:

    zypper in -t patch sledsp1-libraptor-devel-5836

- SUSE Linux Enterprise Desktop 11 SP1:

    zypper in -t patch sledsp1-libraptor-devel-5836

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

    libraptor-devel-1.4.18-28.23.2
    raptor-1.4.18-28.23.2

- SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):

    libraptor-devel-1.4.18-28.23.2
    raptor-1.4.18-28.23.2

- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

    libraptor1-1.4.18-28.23.2

- SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):

    libraptor1-1.4.18-28.23.2

- SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64):

    libraptor1-1.4.18-28.23.2

- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

    libraptor1-1.4.18-28.23.2
    raptor-1.4.18-28.23.2

- SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):

    libraptor1-1.4.18-28.23.2
    raptor-1.4.18-28.23.2

References:

http://support.novell.com/security/cve/CVE-2012-0037.html
https://bugzilla.novell.com/745298
http://download.novell.com/patch/finder/?keywords=5bf88cc8f664a7f7ee325f680a34e378

From sle-security-updates at lists.suse.com  Wed Mar 28 13:08:29 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 28 Mar 2012 21:08:29 +0200 (CEST)
Subject: SUSE-SU-2012:0424-1: critical: Security update for Mozilla Firefox
Message-ID: <20120328190829.67B623242C@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2012:0424-1
Rating: critical
References: #745017 #750044
Cross-References: CVE-2012-0451 CVE-2012-0454 CVE-2012-0455 CVE-2012-0456 CVE-2012-0457 CVE-2012-0458 CVE-2012-0459 CVE-2012-0460 CVE-2012-0461 CVE-2012-0462 CVE-2012-0463 CVE-2012-0464
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP2
    SUSE Linux Enterprise Software Development Kit 11 SP1
    SUSE Linux Enterprise Server 11 SP2
    SUSE Linux Enterprise Server 11 SP1 for VMware
    SUSE Linux Enterprise Server 11 SP1
    SUSE Linux Enterprise Desktop 11 SP2
    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available. It includes three new package versions.

Description:

Mozilla Firefox was updated to 10.0.3 ESR to fix various bugs and security issues.

The following security issues have been fixed:

* MFSA 2012-19: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.

  References:

  - Bob Clary reported two bugs that cause crashes that affected Firefox 3.6, Firefox ESR, and Firefox 10. (CVE-2012-0461)
  - Christian Holler, Jesse Ruderman, Nils, Michael Bebenita, Dindog, and David Anderson reported memory safety problems and crashes that affect Firefox ESR and Firefox 10. (CVE-2012-0462)
  - Jeff Walden reported a memory safety problem in the array.join function. This bug was independently reported by Vincenzo Iozzo via TippingPoint's Zero Day Initiative Pwn2Own contest. (CVE-2012-0464)
  - Masayuki Nakano reported a memory safety problem that affected Mobile Firefox. (CVE-2012-0463)

* MFSA 2012-18 / CVE-2012-0460: Mozilla developer Matt Brubeck reported that window.fullScreen is writeable by untrusted content now that the DOM fullscreen API is enabled. Because window.fullScreen does not include mozRequestFullscreen's security protections, it could be used for UI spoofing. This code change makes window.fullScreen read only by untrusted content, forcing the use of the DOM fullscreen API in normal usage.
  Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.

* MFSA 2012-17 / CVE-2012-0459: Mozilla community member Daniel Glazman of Disruptive Innovations reported a crash when accessing a keyframe's cssText after dynamic modification. This crash may be potentially exploitable. Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.

* MFSA 2012-16 / CVE-2012-0458: Security researcher Mariusz Mlynski reported that an attacker able to convince a potential victim to set a new home page by dragging a link to the "home" button can set that user's home page to a javascript: URL. Once this is done the attacker's page can cause repeated crashes of the browser, eventually getting the script URL loaded in the privileged about:sessionrestore context.

* MFSA 2012-15 / CVE-2012-0451: Security Researcher Mike Brooks of Sitewatch reported that if multiple Content Security Policy (CSP) headers are present on a page, they have an additive effect on the page policy. Using carriage return line feed (CRLF) injection, a new CSP rule can be introduced which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability. Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.

* MFSA 2012-14 / CVE-2012-0457 / CVE-2012-0456: Security researcher Atte Kettunen from OUSPG found two issues with Firefox's handling of SVG using the Address Sanitizer tool. The first issue, critically rated, is a use-after-free in SVG animation that could potentially lead to arbitrary code execution. The second issue is rated moderate and is an out of bounds read in SVG Filters. This could potentially incorporate data from the user's memory, making it accessible to the page content.

* MFSA 2012-13 / CVE-2012-0455: Firefox prevents the dropping of javascript: links onto a frame to prevent malicious sites from tricking users into performing a cross-site scripting (XSS) attack on themselves.
Security researcher Soroush Dalili reported a way to bypass this protection. * MFSA 2012-12 / CVE-2012-0454: Security researchers Blair Strang and Scott Bell of Security Assessment found that when a parent window spawns and closes a child window that uses the file open dialog, a crash can be induced in shlwapi.dll on 32-bit Windows 7 systems. This crash may be potentially exploitable. Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability. * Reworked the KDE4 integration. bnc#745017 Security Issue references: * CVE-2012-0461 * CVE-2012-0462 * CVE-2012-0464 * CVE-2012-0463 * CVE-2012-0460 * CVE-2012-0459 * CVE-2012-0458 * CVE-2012-0451 * CVE-2012-0457 * CVE-2012-0456 * CVE-2012-0455 * CVE-2012-0454 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp1-MozillaFirefox-6007 - SUSE Linux Enterprise Software Development Kit 11 SP1: zypper in -t patch sdksp1-MozillaFirefox-6007 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp1-MozillaFirefox-6007 - SUSE Linux Enterprise Server 11 SP1 for VMware: zypper in -t patch slessp1-MozillaFirefox-6007 - SUSE Linux Enterprise Server 11 SP1: zypper in -t patch slessp1-MozillaFirefox-6007 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp1-MozillaFirefox-6007 - SUSE Linux Enterprise Desktop 11 SP1: zypper in -t patch sledsp1-MozillaFirefox-6007 To bring your system up-to-date, use "zypper patch". 
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.13.3 and 4.9.0]:

      mozilla-nspr-devel-4.9.0-0.3.1
      mozilla-nss-devel-3.13.3-0.2.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.13.3 and 4.9.0]:

      mozilla-nspr-devel-4.9.0-0.3.1
      mozilla-nss-devel-3.13.3-0.2.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.3,3.13.3 and 4.9.0]:

      MozillaFirefox-10.0.3-0.7.1
      MozillaFirefox-translations-10.0.3-0.7.1
      libfreebl3-3.13.3-0.2.1
      mozilla-nspr-4.9.0-0.3.1
      mozilla-nss-3.13.3-0.2.1
      mozilla-nss-tools-3.13.3-0.2.1

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 3.13.3 and 4.9.0]:

      libfreebl3-32bit-3.13.3-0.2.1
      mozilla-nspr-32bit-4.9.0-0.3.1
      mozilla-nss-32bit-3.13.3-0.2.1

   - SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 3.13.3 and 4.9.0]:

      libfreebl3-x86-3.13.3-0.2.1
      mozilla-nspr-x86-4.9.0-0.3.1
      mozilla-nss-x86-3.13.3-0.2.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 10.0.3,3.13.3 and 4.9.0]:

      MozillaFirefox-10.0.3-0.7.1
      MozillaFirefox-translations-10.0.3-0.7.1
      libfreebl3-3.13.3-0.2.1
      mozilla-nspr-4.9.0-0.3.1
      mozilla-nss-3.13.3-0.2.1
      mozilla-nss-tools-3.13.3-0.2.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64) [New Version: 3.13.3 and 4.9.0]:

      libfreebl3-32bit-3.13.3-0.2.1
      mozilla-nspr-32bit-4.9.0-0.3.1
      mozilla-nss-32bit-3.13.3-0.2.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.3,3.13.3 and 4.9.0]:

      MozillaFirefox-10.0.3-0.7.1
      MozillaFirefox-translations-10.0.3-0.7.1
      libfreebl3-3.13.3-0.2.1
      mozilla-nspr-4.9.0-0.3.1
      mozilla-nss-3.13.3-0.2.1
      mozilla-nss-tools-3.13.3-0.2.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64) [New Version: 3.13.3 and 4.9.0]:

      libfreebl3-32bit-3.13.3-0.2.1
      mozilla-nspr-32bit-4.9.0-0.3.1
      mozilla-nss-32bit-3.13.3-0.2.1

   - SUSE Linux Enterprise Server 11 SP1 (ia64) [New Version: 3.13.3 and 4.9.0]:

      libfreebl3-x86-3.13.3-0.2.1
      mozilla-nspr-x86-4.9.0-0.3.1
      mozilla-nss-x86-3.13.3-0.2.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.3,3.13.3 and 4.9.0]:

      MozillaFirefox-10.0.3-0.7.1
      MozillaFirefox-translations-10.0.3-0.7.1
      libfreebl3-3.13.3-0.2.1
      mozilla-nspr-4.9.0-0.3.1
      mozilla-nss-3.13.3-0.2.1
      mozilla-nss-tools-3.13.3-0.2.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 3.13.3 and 4.9.0]:

      libfreebl3-32bit-3.13.3-0.2.1
      mozilla-nspr-32bit-4.9.0-0.3.1
      mozilla-nss-32bit-3.13.3-0.2.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 10.0.3,3.13.3 and 4.9.0]:

      MozillaFirefox-10.0.3-0.7.1
      MozillaFirefox-translations-10.0.3-0.7.1
      libfreebl3-3.13.3-0.2.1
      mozilla-nspr-4.9.0-0.3.1
      mozilla-nss-3.13.3-0.2.1
      mozilla-nss-tools-3.13.3-0.2.1

   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64) [New Version: 3.13.3 and 4.9.0]:

      libfreebl3-32bit-3.13.3-0.2.1
      mozilla-nspr-32bit-4.9.0-0.3.1
      mozilla-nss-32bit-3.13.3-0.2.1

References:

   http://support.novell.com/security/cve/CVE-2012-0451.html
   http://support.novell.com/security/cve/CVE-2012-0454.html
   http://support.novell.com/security/cve/CVE-2012-0455.html
   http://support.novell.com/security/cve/CVE-2012-0456.html
   http://support.novell.com/security/cve/CVE-2012-0457.html
   http://support.novell.com/security/cve/CVE-2012-0458.html
   http://support.novell.com/security/cve/CVE-2012-0459.html
   http://support.novell.com/security/cve/CVE-2012-0460.html
   http://support.novell.com/security/cve/CVE-2012-0461.html
   http://support.novell.com/security/cve/CVE-2012-0462.html
   http://support.novell.com/security/cve/CVE-2012-0463.html
   http://support.novell.com/security/cve/CVE-2012-0464.html
   https://bugzilla.novell.com/745017
   https://bugzilla.novell.com/750044
   http://download.novell.com/patch/finder/?keywords=19608dcf2d85bd752570d6368784dd84

From sle-security-updates at lists.suse.com Wed Mar 28 22:08:18 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 29 Mar 2012 06:08:18 +0200 (CEST)
Subject: SUSE-SU-2012:0425-1: critical: Security update for Mozilla Firefox
Message-ID: <20120329040818.D54683242B@maintenance.suse.de>

   SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0425-1
Rating:             critical
References:         #752168
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed. It
   includes four new package versions.

Description:

   Mozilla Firefox was updated to 3.6.28 to fix various bugs and security
   issues.

   The following security issues have been fixed:

   * MFSA 2012-19: Mozilla developers identified and fixed several memory
     safety bugs in the browser engine used in Firefox and other
     Mozilla-based products. Some of these bugs showed evidence of memory
     corruption under certain circumstances, and we presume that with
     enough effort at least some of these could be exploited to run
     arbitrary code. In general these flaws cannot be exploited through
     email in the Thunderbird and SeaMonkey products because scripting is
     disabled, but are potentially a risk in browser or browser-like
     contexts in those products.

     References:
     - Bob Clary reported two bugs that cause crashes that affected
       Firefox 3.6, Firefox ESR, and Firefox 10. (CVE-2012-0461)
     - Christian Holler, Jesse Ruderman, Nils, Michael Bebenita, Dindog,
       and David Anderson reported memory safety problems and crashes that
       affect Firefox ESR and Firefox 10. (CVE-2012-0462)
     - Jeff Walden reported a memory safety problem in the array.join
       function. This bug was independently reported by Vincenzo Iozzo via
       TippingPoint's Zero Day Initiative Pwn2Own contest. (CVE-2012-0464)
     - Masayuki Nakano reported a memory safety problem that affected
       Mobile Firefox 10. (CVE-2012-0463)

   * MFSA 2012-16 / CVE-2012-0458: Security researcher Mariusz Mlynski
     reported that an attacker able to convince a potential victim to set
     a new home page by dragging a link to the "home" button can set that
     user's home page to a javascript: URL. Once this is done the
     attacker's page can cause repeated crashes of the browser, eventually
     getting the script URL loaded in the privileged about:sessionrestore
     context.

   * MFSA 2012-14 / CVE-2012-0457 / CVE-2012-0456: Security researcher
     Atte Kettunen from OUSPG found two issues with Firefox's handling of
     SVG using the Address Sanitizer tool. The first issue, critically
     rated, is a use-after-free in SVG animation that could potentially
     lead to arbitrary code execution. The second issue is rated moderate
     and is an out-of-bounds read in SVG Filters. This could potentially
     incorporate data from the user's memory, making it accessible to the
     page content.

   * MFSA 2012-13 / CVE-2012-0455: Firefox prevents the dropping of
     javascript: links onto a frame to prevent malicious sites from
     tricking users into performing a cross-site scripting (XSS) attack on
     themselves. Security researcher Soroush Dalili reported a way to
     bypass this protection.
   The full overview can be found on Mozilla's security page at:
   http://www.mozilla.org/security/announce/

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 1.9.2.28,3.13.3 and 4.9.0]:

      mozilla-nspr-4.9.0-0.6.1
      mozilla-nspr-devel-4.9.0-0.6.1
      mozilla-nss-3.13.3-0.5.1
      mozilla-nss-devel-3.13.3-0.5.1
      mozilla-nss-tools-3.13.3-0.5.1
      mozilla-xulrunner192-1.9.2.28-0.7.1
      mozilla-xulrunner192-gnome-1.9.2.28-0.7.1
      mozilla-xulrunner192-translations-1.9.2.28-0.7.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 3.6.28]:

      MozillaFirefox-3.6.28-0.5.2
      MozillaFirefox-translations-3.6.28-0.5.2

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 1.9.2.28,3.13.3 and 4.9.0]:

      mozilla-nspr-32bit-4.9.0-0.6.1
      mozilla-nss-32bit-3.13.3-0.5.1
      mozilla-xulrunner192-32bit-1.9.2.28-0.7.1
      mozilla-xulrunner192-gnome-32bit-1.9.2.28-0.7.1
      mozilla-xulrunner192-translations-32bit-1.9.2.28-0.7.1

   - SUSE Linux Enterprise Server 10 SP4 (ia64) [New Version: 3.13.3 and 4.9.0]:

      mozilla-nspr-x86-4.9.0-0.6.1
      mozilla-nss-x86-3.13.3-0.5.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc) [New Version: 3.13.3 and 4.9.0]:

      mozilla-nspr-64bit-4.9.0-0.6.1
      mozilla-nss-64bit-3.13.3-0.5.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 1.9.2.28,3.13.3 and 4.9.0]:

      mozilla-nspr-4.9.0-0.6.1
      mozilla-nspr-devel-4.9.0-0.6.1
      mozilla-nss-3.13.3-0.5.1
      mozilla-nss-devel-3.13.3-0.5.1
      mozilla-nss-tools-3.13.3-0.5.1
      mozilla-xulrunner192-1.9.2.28-0.7.1
      mozilla-xulrunner192-gnome-1.9.2.28-0.7.1
      mozilla-xulrunner192-translations-1.9.2.28-0.7.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 1.9.2.28,3.13.3 and 4.9.0]:

      mozilla-nspr-32bit-4.9.0-0.6.1
      mozilla-nss-32bit-3.13.3-0.5.1
      mozilla-xulrunner192-32bit-1.9.2.28-0.7.1
      mozilla-xulrunner192-gnome-32bit-1.9.2.28-0.7.1
      mozilla-xulrunner192-translations-32bit-1.9.2.28-0.7.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 3.6.28]:

      MozillaFirefox-3.6.28-0.5.2
      MozillaFirefox-translations-3.6.28-0.5.2

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.13.3]:

      mozilla-nss-tools-3.13.3-0.5.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x):

      MozillaFirefox-branding-upstream-3.6.28-0.5.2

References:

   https://bugzilla.novell.com/752168
   http://download.novell.com/patch/finder/?keywords=3cbbf6dfa64d498549bb143a54005d87

From sle-security-updates at lists.suse.com Fri Mar 30 11:08:17 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Mar 2012 19:08:17 +0200 (CEST)
Subject: SUSE-SU-2012:0434-1: moderate: Security update for Ruby On Rails
Message-ID: <20120330170817.E92623242F@maintenance.suse.de>

   SUSE Security Update: Security update for Ruby On Rails
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0434-1
Rating:             moderate
References:         #668817 #712057 #712058 #712060 #712062
Cross-References:   CVE-2010-3933 CVE-2011-0446 CVE-2011-0447 CVE-2011-0448
                    CVE-2011-0449 CVE-2011-2930 CVE-2011-2931 CVE-2011-2932
                    CVE-2011-3186
Affected Products:
                    WebYaST [Appliance - Tools]
                    WebYaST 1.2
                    SUSE Studio Standard Edition 1.2
                    SUSE Studio Onsite 1.2
                    SUSE Studio Extension for System z 1.2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available. It includes
   two new package versions.
Description:

   This update of Ruby on Rails to 2.3.14 fixes the following security
   issues:

   * CVE-2011-2930 - SQL-injection in quote_table_name function via
     specially crafted column names (bnc#712062)
   * CVE-2011-2931 - Cross-Site Scripting (XSS) in the strip_tags helper
     (bnc#712057)
   * CVE-2011-3186 - Response Splitting (bnc#712058)
   * CVE-2010-3933 - Arbitrary modification of records via specially
     crafted form parameters (bnc#712058)
   * CVE-2011-0446 - Cross-Site Scripting (XSS) in the mail_to helper
     (bnc#668817)
   * CVE-2011-0447 - Improper validation of 'X-Requested-With' header
     (bnc#668817)
   * CVE-2011-0448 - SQL-injection caused by improperly sanitized
     arguments to the limit function (bnc#668817)
   * CVE-2011-0449 - Bypass of access restrictions via specially crafted
     action names (bnc#668817)
   * CVE-2011-2932 - Cross-Site Scripting in output_safety.rb (bnc#712060)

Security Issue reference:

   * CVE-2011-2930
   * CVE-2011-2931
   * CVE-2011-3186
   * CVE-2010-3933
   * CVE-2011-0446
   * CVE-2011-0447
   * CVE-2011-0448
   * CVE-2011-0449
   * CVE-2011-2932

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - WebYaST [Appliance - Tools]:

      zypper in -t patch slewystsp1-rubyonrails-2314-201202-5884

   - WebYaST 1.2:

      zypper in -t patch slewyst12-rubyonrails-2314-201202-5884

   - SUSE Studio Standard Edition 1.2:

      zypper in -t patch sleslms12-rubyonrails-2314-201202-5884

   - SUSE Studio Onsite 1.2:

      zypper in -t patch slestso12-rubyonrails-2314-201202-5884

   - SUSE Studio Extension for System z 1.2:

      zypper in -t patch slestso12-rubyonrails-2314-201202-5884

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-rubyonrails-2314-201202-5884

   To bring your system up-to-date, use "zypper patch".
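   MFSA 2012-15 in the Firefox advisory above and CVE-2011-3186 (Response
   Splitting) in this Rails advisory are two faces of the same defect: a
   carriage return / line feed pair reaching the response header stream lets
   an attacker-influenced value terminate one header line and start another,
   and a browser that merges multiple Content-Security-Policy headers then
   applies the injected rule too. The Python below is an added example, not
   code from SUSE, Mozilla or the Rails project. It puts the naive header
   serialization that produces the split next to a checked one that refuses
   such values, and re-parses the result the way a lenient client would so
   the extra CSP header becomes visible. The header set, the tainted query
   parameter and the function names are all constructed for the demonstration.

```python
import re

# CR, LF and NUL are the characters that let a value end the current header
# line and begin a new one (HTTP response splitting). Header names must be
# RFC 7230 "token" characters.
_BAD_VALUE_CHARS = re.compile(r"[\r\n\x00]")
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_header(name: str, value: str) -> None:
    """Raise ValueError unless (name, value) serializes to exactly one header line."""
    if not _TOKEN.match(name):
        raise ValueError(f"invalid header name: {name!r}")
    if _BAD_VALUE_CHARS.search(value):
        raise ValueError(f"CR/LF/NUL in value of {name}: {value!r}")


def serialize_unchecked(headers):
    """The vulnerable pattern: every value is trusted as-is."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def serialize_checked(headers):
    """Hardened form: refuse (rather than silently strip) any splitting value."""
    for name, value in headers:
        check_header(name, value)
    return serialize_unchecked(headers)


def parse_headers(block: str):
    """Re-parse a header block as a lenient client would (bare LF accepted too)."""
    pairs = []
    for line in re.split(r"\r?\n", block):
        if not line:  # the empty line ends the header section
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def csp_headers(block: str):
    """Every Content-Security-Policy value a client would see in the block."""
    return [v for n, v in parse_headers(block) if n.lower() == "content-security-policy"]


def example_headers():
    """Constructed sample: a redirect whose target echoes a tainted query parameter."""
    # Hypothetical attacker-controlled value; constructed for this example only.
    tainted = "en\r\nContent-Security-Policy: script-src *"
    return [
        ("Content-Security-Policy", "default-src 'self'"),
        ("Location", "/home?lang=" + tainted),
    ]


def demo():
    """Return (CSP header count after naive serialization, whether the checked path refused)."""
    naive = serialize_unchecked(example_headers())
    try:
        serialize_checked(example_headers())
        refused = False
    except ValueError:
        refused = True
    return len(csp_headers(naive)), refused


if __name__ == "__main__":
    print(demo())  # (2, True)
```

   The check belongs in the framework's header-setting API, where every
   application header passes through it, rather than in individual
   handlers; rejecting the value is preferable to stripping the offending
   characters, since stripping silently changes data and hides the bug.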
Package List:

   - WebYaST [Appliance - Tools] (i586 ia64 ppc64 s390x x86_64) [New Version: 1.1.2 and 2.3.14]:

      rubygem-actionmailer-2_3-2.3.14-0.7.4.3
      rubygem-actionpack-2_3-2.3.14-0.7.4.3
      rubygem-activerecord-2_3-2.3.14-0.7.4.3
      rubygem-activeresource-2_3-2.3.14-0.7.4.3
      rubygem-activesupport-2_3-2.3.14-0.7.4.3
      rubygem-rack-1.1.2-0.8.8.3
      rubygem-rails-2_3-2.3.14-0.7.4.3

   - WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.1.2 and 2.3.14]:

      rubygem-actionmailer-2_3-2.3.14-0.7.4.3
      rubygem-actionpack-2_3-2.3.14-0.7.4.3
      rubygem-activerecord-2_3-2.3.14-0.7.4.3
      rubygem-activeresource-2_3-2.3.14-0.7.4.3
      rubygem-activesupport-2_3-2.3.14-0.7.4.3
      rubygem-rack-1.1.2-0.8.8.3
      rubygem-rails-2_3-2.3.14-0.7.4.3

   - SUSE Studio Standard Edition 1.2 (x86_64) [New Version: 1.1.2 and 2.3.14]:

      rubygem-actionmailer-2_3-2.3.14-0.7.4.3
      rubygem-actionpack-2_3-2.3.14-0.7.4.3
      rubygem-activerecord-2_3-2.3.14-0.7.4.3
      rubygem-activeresource-2_3-2.3.14-0.7.4.3
      rubygem-activesupport-2_3-2.3.14-0.7.4.3
      rubygem-rack-1.1.2-0.8.8.3
      rubygem-rails-2_3-2.3.14-0.7.4.3

   - SUSE Studio Standard Edition 1.2 (noarch) [New Version: 2.3.14]:

      rubygem-rails-2.3.14-0.8.6.1

   - SUSE Studio Onsite 1.2 (x86_64) [New Version: 1.1.2 and 2.3.14]:

      rubygem-actionmailer-2_3-2.3.14-0.7.4.3
      rubygem-actionpack-2_3-2.3.14-0.7.4.3
      rubygem-activerecord-2_3-2.3.14-0.7.4.3
      rubygem-activeresource-2_3-2.3.14-0.7.4.3
      rubygem-activesupport-2_3-2.3.14-0.7.4.3
      rubygem-rack-1.1.2-0.8.8.3
      rubygem-rails-2_3-2.3.14-0.7.4.3

   - SUSE Studio Extension for System z 1.2 (s390x) [New Version: 1.1.2 and 2.3.14]:

      rubygem-actionmailer-2_3-2.3.14-0.7.4.3
      rubygem-actionpack-2_3-2.3.14-0.7.4.3
      rubygem-activerecord-2_3-2.3.14-0.7.4.3
      rubygem-activeresource-2_3-2.3.14-0.7.4.3
      rubygem-activesupport-2_3-2.3.14-0.7.4.3
      rubygem-rack-1.1.2-0.8.8.3
      rubygem-rails-2_3-2.3.14-0.7.4.3

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.1.2 and 2.3.14]:

      rubygem-actionmailer-2_3-2.3.14-0.7.4.3
      rubygem-actionpack-2_3-2.3.14-0.7.4.3
      rubygem-activerecord-2_3-2.3.14-0.7.4.3
      rubygem-activeresource-2_3-2.3.14-0.7.4.3
      rubygem-activesupport-2_3-2.3.14-0.7.4.3
      rubygem-rack-1.1.2-0.8.8.3
      rubygem-rails-2_3-2.3.14-0.7.4.3

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (noarch) [New Version: 2.3.14]:

      rubygem-rails-2.3.14-0.8.6.1

References:

   http://support.novell.com/security/cve/CVE-2010-3933.html
   http://support.novell.com/security/cve/CVE-2011-0446.html
   http://support.novell.com/security/cve/CVE-2011-0447.html
   http://support.novell.com/security/cve/CVE-2011-0448.html
   http://support.novell.com/security/cve/CVE-2011-0449.html
   http://support.novell.com/security/cve/CVE-2011-2930.html
   http://support.novell.com/security/cve/CVE-2011-2931.html
   http://support.novell.com/security/cve/CVE-2011-2932.html
   http://support.novell.com/security/cve/CVE-2011-3186.html
   https://bugzilla.novell.com/668817
   https://bugzilla.novell.com/712057
   https://bugzilla.novell.com/712058
   https://bugzilla.novell.com/712060
   https://bugzilla.novell.com/712062
   http://download.novell.com/patch/finder/?keywords=a9a7e5b0e289aeb951fcc43761e059bf

From sle-security-updates at lists.suse.com Fri Mar 30 12:08:27 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 30 Mar 2012 20:08:27 +0200 (CEST)
Subject: SUSE-SU-2012:0437-1: critical: Security update for flash-player
Message-ID: <20120330180827.96D913242D@maintenance.suse.de>

   SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0437-1
Rating:             critical
References:         #754689
Cross-References:   CVE-2012-0773
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP1
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.
   It includes two new package versions.

Description:

   Adobe Flash Player 11.1.102.63 fixes a memory corruption vulnerability
   in the NetStream class that could have led to code execution
   (CVE-2012-0773).

Security Issue reference:

   * CVE-2012-0773

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp1-flash-player-6059

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-flash-player-6059

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 11.2.202.228]:

      flash-player-11.2.202.228-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 11.2.202.228]:

      flash-player-11.2.202.228-0.3.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 10.3.183.18]:

      flash-player-10.3.183.18-0.5.2

References:

   http://support.novell.com/security/cve/CVE-2012-0773.html
   https://bugzilla.novell.com/754689
   http://download.novell.com/patch/finder/?keywords=03280de9cddaad9751a83521641289ac
   http://download.novell.com/patch/finder/?keywords=144a85c0189094a03103ec1018241f01
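   Every advisory above ends with the fixed package name-version-release
   (NVR) per product and architecture, and the practical question on a
   fleet is which hosts still carry an older NVR. The Python below is an
   added example, not SUSE tooling: it splits NVR strings, compares version
   and release with a simplified rpm ordering (segment-wise, numeric
   segments as integers, numeric outranking alphabetic, as rpmvercmp does;
   tilde, caret and epoch handling are deliberately left out), and reports
   installed packages that fall below the advisory's NVR. It generalizes
   beyond the single product list it uses. The required list is the
   SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) entry from
   the Firefox 10.0.3 advisory above; the installed list is constructed,
   and on a real host would come from
   `rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n'`.

```python
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version ordering: -1 if a < b, 0 if equal, 1 if a > b.

    Separators are ignored; numeric segments compare as integers, alphabetic
    ones lexically, and a numeric segment outranks an alphabetic one. When
    all shared segments are equal, the string with more segments is newer.
    Tilde ("~") and caret ("^") ordering of real rpm is not implemented.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            ix, iy = int(x), int(y)
            if ix != iy:
                return -1 if ix < iy else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvr(pkg: str):
    """'mozilla-nss-tools-3.13.3-0.2.1' -> ('mozilla-nss-tools', '3.13.3', '0.2.1').

    Splits from the right because package names may themselves contain
    dashes. Epoch is not handled (none of the advisory packages carry one).
    """
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def is_older(installed: str, required: str) -> bool:
    """True if the installed NVR is below the advisory NVR for the same package."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(required)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    c = rpmvercmp(v1, v2)
    if c == 0:  # same version: the release decides
        c = rpmvercmp(r1, r2)
    return c < 0


def audit(installed, required):
    """Return (installed, required) pairs for advisory packages that are present but outdated.

    Advisory packages that are not installed at all are ignored; the
    advisory only matters for software actually on the host.
    """
    have = {split_nvr(p)[0]: p for p in installed}
    outdated = []
    for req in required:
        name = split_nvr(req)[0]
        if name in have and is_older(have[name], req):
            outdated.append((have[name], req))
    return outdated


# Fixed NVRs from the Firefox 10.0.3 advisory above
# (SUSE Linux Enterprise Server 11 SP1 for VMware, i586 x86_64).
REQUIRED = [
    "MozillaFirefox-10.0.3-0.7.1",
    "MozillaFirefox-translations-10.0.3-0.7.1",
    "libfreebl3-3.13.3-0.2.1",
    "mozilla-nspr-4.9.0-0.3.1",
    "mozilla-nss-3.13.3-0.2.1",
    "mozilla-nss-tools-3.13.3-0.2.1",
]

# Constructed sample of an unpatched host's package list (not real data).
INSTALLED_SAMPLE = [
    "MozillaFirefox-10.0.2-0.5.1",  # older version
    "libfreebl3-3.13.3-0.2.1",      # already at the fixed NVR
    "mozilla-nspr-4.8.9-1.2.1",     # older version despite a higher release
    "mozilla-nss-3.13.3-0.2.1",     # already at the fixed NVR
    "bash-3.2-1.1",                 # unrelated package, ignored
]


def audit_sample():
    return audit(INSTALLED_SAMPLE, REQUIRED)


if __name__ == "__main__":
    for have, need in audit_sample():
        print(f"OUTDATED: {have} -> {need}")
```

   The release comparison matters: a host at MozillaFirefox-10.0.3-0.5.1
   would match on version alone but still lacks the fixed build, which is
   why is_older falls through to the release when versions tie.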