From sle-security-updates at lists.suse.com Tue Oct 9 13:08:33 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Oct 2012 21:08:33 +0200 (CEST)
Subject: SUSE-SU-2012:1320-1: important: Security update for qemu
Message-ID: <20121009190833.A894232265@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1320-1
Rating:             important
References:         #740165 #777084
Cross-References:   CVE-2012-0029 CVE-2012-3515
Affected Products:
                    SUSE Studio Onsite 1.2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   The qemu vt100 emulation was affected by a problem where specific vt100
   sequences could have been used by guest users to affect the host
   (CVE-2012-3515, aka XSA-17).

   CVE-2012-0029: A buffer overflow in the e1000 device emulation was fixed.

Security Issue references:

   * CVE-2012-3515
   * CVE-2012-0029

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.2:

      zypper in -t patch slestso12-qemu-6852

   To bring your system up-to-date, use "zypper patch".
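The "Package List" that follows each advisory in this digest names the exact build that carries the fix, which is what an administrator needs to decide whether a host is still exposed. The script below is an added example, not part of any SUSE advisory or SUSE tool: it parses the product and architecture headers and package NVRs of a Package List, implements rpm's version-label ordering (a minimal rpmvercmp without epoch, "~" or "^" handling, which none of these advisories need), and reports installed packages that are still older than the fixed build. The advisory excerpt is copied from the qemu advisory above and the dhcp advisory (SUSE-SU-2012:1327-1) later in this digest; the installed-package list is a constructed sample standing in for the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` on a hypothetical SLES 11 SP2 x86_64 host.

```python
import re

# Constructed sample input: the "Package List:" sections of SUSE-SU-2012:1320-1
# (qemu) and SUSE-SU-2012:1327-1 (dhcp) from this digest, pasted together.
ADVISORY_EXCERPT = """\
Package List:

   - SUSE Studio Onsite 1.2 (x86_64):

      qemu-0.10.1-0.5.7.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 4.2.4.P2]:

      dhcp-4.2.4.P2-0.5.1
      dhcp-client-4.2.4.P2-0.5.1
      dhcp-relay-4.2.4.P2-0.5.1
      dhcp-server-4.2.4.P2-0.5.1

References:
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output
# on a hypothetical SLES 11 SP2 x86_64 host (not a real system).
INSTALLED_SAMPLE = [
    "dhcp-4.2.3.P2-0.3.1",         # older version than the fixed build
    "dhcp-client-4.2.4.P2-0.5.1",  # exactly the fixed build
    "dhcp-server-4.2.4.P2-0.5.2",  # newer release than the fixed build
    "bash-3.2-147.14.22",          # not covered by the advisory at all
]

# "   - <product> (<arch> ...) [New Version: x.y]:" header lines
PRODUCT_RE = re.compile(r"^\s*-\s+(?P<product>.+?)\s+\((?P<archs>[^)]+)\)"
                        r"(?:\s+\[New Version: [^\]]+\])?:\s*$")
SEGMENT_RE = re.compile(r"\d+|[A-Za-z]+")  # rpm compares digit runs and letter runs


def split_nvr(nvr):
    """'name-version-release' -> parts. Release is after the last '-', version
    after the second-to-last, so dashes inside the name (dhcp-client) survive."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def parse_package_list(text):
    """(product, arch, name, version, release) for every package listed
    between the "Package List:" and "References:" lines."""
    fixed, product, archs, in_list = [], None, [], False
    for line in text.splitlines():
        stripped = line.strip()
        m = PRODUCT_RE.match(line)
        if stripped == "Package List:":
            in_list = True
        elif not in_list:
            continue
        elif stripped == "References:":
            break
        elif m:
            product, archs = m.group("product"), m.group("archs").split()
        elif stripped and product:
            name, version, release = split_nvr(stripped)
            fixed.extend((product, a, name, version, release) for a in archs)
    return fixed


def rpmvercmp(a, b):
    """rpm's version-label ordering: digit runs compare numerically, letter
    runs lexically, a digit run beats a letter run, and if one label is a
    prefix of the other the longer one is newer. Returns -1, 0 or 1."""
    sa, sb = SEGMENT_RE.findall(a), SEGMENT_RE.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_nvr(installed, fixed):
    """-1 if installed is older than fixed (still vulnerable), 0 if it is the
    same build, 1 if newer. Version decides; release only breaks ties."""
    ni, vi, ri = split_nvr(installed)
    nf, vf, rf = split_nvr(fixed)
    if ni != nf:
        raise ValueError(f"package name mismatch: {ni} vs {nf}")
    return rpmvercmp(vi, vf) or rpmvercmp(ri, rf)


def vulnerable_packages(installed, fixed_list, product, arch):
    """Installed NVRs older than the fixed build published for this product
    and architecture; packages the advisory does not list are ignored."""
    fixed_for_host = {n: (v, r) for p, a, n, v, r in fixed_list
                      if p == product and a == arch}
    hits = []
    for nvr in installed:
        name = split_nvr(nvr)[0]
        if name in fixed_for_host:
            fixed_nvr = "-".join((name, *fixed_for_host[name]))
            if compare_nvr(nvr, fixed_nvr) < 0:
                hits.append(nvr)
    return hits


if __name__ == "__main__":
    fixed = parse_package_list(ADVISORY_EXCERPT)
    print(vulnerable_packages(INSTALLED_SAMPLE, fixed,
                              "SUSE Linux Enterprise Server 11 SP2", "x86_64"))
```

On a real host the installed list would come from `rpm -qa` and the product/architecture from that host. The comparison only answers whether a package is below the fixed build: a host that has installed a kernel update but not rebooted, as the kernel advisory's Special Instructions below require, is reported as fixed while the old code is still running, so pair this check with an uptime or running-kernel check for kernel updates.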
Package List:

   - SUSE Studio Onsite 1.2 (x86_64):

      qemu-0.10.1-0.5.7.1

References:

   http://support.novell.com/security/cve/CVE-2012-0029.html
   http://support.novell.com/security/cve/CVE-2012-3515.html
   https://bugzilla.novell.com/740165
   https://bugzilla.novell.com/777084
   http://download.novell.com/patch/finder/?keywords=86d45c23c62093dbb012d29f065b7abe

From sle-security-updates at lists.suse.com Wed Oct 10 13:08:33 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Oct 2012 21:08:33 +0200 (CEST)
Subject: SUSE-SU-2012:1326-1: critical: Security update for flash-player
Message-ID: <20121010190833.2796D3226C@maintenance.suse.de>

   SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1326-1
Rating:             critical
References:         #784168
Cross-References:   CVE-2012-5248 CVE-2012-5249 CVE-2012-5250 CVE-2012-5251
                    CVE-2012-5252 CVE-2012-5253 CVE-2012-5254 CVE-2012-5255
                    CVE-2012-5256 CVE-2012-5257 CVE-2012-5258 CVE-2012-5259
                    CVE-2012-5260 CVE-2012-5261 CVE-2012-5262 CVE-2012-5263
                    CVE-2012-5264 CVE-2012-5265 CVE-2012-5266 CVE-2012-5267
                    CVE-2012-5268 CVE-2012-5269 CVE-2012-5270 CVE-2012-5271
                    CVE-2012-5272
Affected Products:
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes 25 vulnerabilities is now available. It includes one
   version update.
Description:

   flash player was updated to version 11.2.202.243 fixing a lot of security
   issues:

   CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252,
   CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257,
   CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262,
   CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267,
   CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272

   Please visit http://www.adobe.com/support/security/bulletins/apsb12-22.html
   for details.

Security Issue references:

   * CVE-2012-5248
   * CVE-2012-5249
   * CVE-2012-5250
   * CVE-2012-5251
   * CVE-2012-5253
   * CVE-2012-5254
   * CVE-2012-5255
   * CVE-2012-5257
   * CVE-2012-5259
   * CVE-2012-5260
   * CVE-2012-5262
   * CVE-2012-5264
   * CVE-2012-5265
   * CVE-2012-5266
   * CVE-2012-5252
   * CVE-2012-5256
   * CVE-2012-5258
   * CVE-2012-5261
   * CVE-2012-5263
   * CVE-2012-5267
   * CVE-2012-5268
   * CVE-2012-5269
   * CVE-2012-5270
   * CVE-2012-5271
   * CVE-2012-5272

Package List:

   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 11.2.202.243]:

      flash-player-11.2.202.243-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2012-5248.html
   http://support.novell.com/security/cve/CVE-2012-5249.html
   http://support.novell.com/security/cve/CVE-2012-5250.html
   http://support.novell.com/security/cve/CVE-2012-5251.html
   http://support.novell.com/security/cve/CVE-2012-5252.html
   http://support.novell.com/security/cve/CVE-2012-5253.html
   http://support.novell.com/security/cve/CVE-2012-5254.html
   http://support.novell.com/security/cve/CVE-2012-5255.html
   http://support.novell.com/security/cve/CVE-2012-5256.html
   http://support.novell.com/security/cve/CVE-2012-5257.html
   http://support.novell.com/security/cve/CVE-2012-5258.html
   http://support.novell.com/security/cve/CVE-2012-5259.html
   http://support.novell.com/security/cve/CVE-2012-5260.html
   http://support.novell.com/security/cve/CVE-2012-5261.html
   http://support.novell.com/security/cve/CVE-2012-5262.html
   http://support.novell.com/security/cve/CVE-2012-5263.html
   http://support.novell.com/security/cve/CVE-2012-5264.html
   http://support.novell.com/security/cve/CVE-2012-5265.html
   http://support.novell.com/security/cve/CVE-2012-5266.html
   http://support.novell.com/security/cve/CVE-2012-5267.html
   http://support.novell.com/security/cve/CVE-2012-5268.html
   http://support.novell.com/security/cve/CVE-2012-5269.html
   http://support.novell.com/security/cve/CVE-2012-5270.html
   http://support.novell.com/security/cve/CVE-2012-5271.html
   http://support.novell.com/security/cve/CVE-2012-5272.html
   https://bugzilla.novell.com/784168
   http://download.novell.com/patch/finder/?keywords=9861c635f16f057af9420d20facf5938

From sle-security-updates at lists.suse.com Wed Oct 10 15:08:26 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Oct 2012 23:08:26 +0200 (CEST)
Subject: SUSE-SU-2012:1327-1: moderate: Security update for dhcp
Message-ID: <20121010210826.141CE321ED@maintenance.suse.de>

   SUSE Security Update: Security update for dhcp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1327-1
Rating:             moderate
References:         #780167
Cross-References:   CVE-2012-3955
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   This update to ISC dhcp-4.2.4-P2 release provides a security fix for an
   issue with the use of lease times. Making certain changes to the end time
   of an IPv6 lease could cause the server to abort. Thanks to Glen Eustace
   of Massey University, New Zealand for finding this issue.

   CVE-2012-3955 has been assigned to this issue.
Security Issue reference:

   * CVE-2012-3955

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-dhcp-6831

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-dhcp-6831

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-dhcp-6831

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-dhcp-6831

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 4.2.4.P2]:

      dhcp-devel-4.2.4.P2-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 4.2.4.P2]:

      dhcp-4.2.4.P2-0.5.1
      dhcp-client-4.2.4.P2-0.5.1
      dhcp-relay-4.2.4.P2-0.5.1
      dhcp-server-4.2.4.P2-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 4.2.4.P2]:

      dhcp-4.2.4.P2-0.5.1
      dhcp-client-4.2.4.P2-0.5.1
      dhcp-relay-4.2.4.P2-0.5.1
      dhcp-server-4.2.4.P2-0.5.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 4.2.4.P2]:

      dhcp-4.2.4.P2-0.5.1
      dhcp-client-4.2.4.P2-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2012-3955.html
   https://bugzilla.novell.com/780167
   http://download.novell.com/patch/finder/?keywords=7781f2ce06d447847fcd3a648a73d5e5

From sle-security-updates at lists.suse.com Fri Oct 12 22:08:30 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 13 Oct 2012 06:08:30 +0200 (CEST)
Subject: SUSE-SU-2012:1326-2: critical: Security update for flash-player
Message-ID: <20121013040830.902DF32273@maintenance.suse.de>

   SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1326-2
Rating:             critical
References:         #784168
Cross-References:   CVE-2012-5248
                    CVE-2012-5249 CVE-2012-5250 CVE-2012-5251 CVE-2012-5252
                    CVE-2012-5253 CVE-2012-5254 CVE-2012-5255 CVE-2012-5256
                    CVE-2012-5257 CVE-2012-5258 CVE-2012-5259 CVE-2012-5260
                    CVE-2012-5261 CVE-2012-5262 CVE-2012-5263 CVE-2012-5264
                    CVE-2012-5265 CVE-2012-5266 CVE-2012-5267 CVE-2012-5268
                    CVE-2012-5269 CVE-2012-5270 CVE-2012-5271 CVE-2012-5272
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes 25 vulnerabilities is now available. It includes one
   version update.

Description:

   flash player was updated to version 11.2.202.243, fixing a lot of security
   issues:

   CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252,
   CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257,
   CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262,
   CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267,
   CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272

   Please visit http://www.adobe.com/support/security/bulletins/apsb12-22.html
   for details.

Security Issue references:

   * CVE-2012-5248
   * CVE-2012-5249
   * CVE-2012-5250
   * CVE-2012-5251
   * CVE-2012-5253
   * CVE-2012-5254
   * CVE-2012-5255
   * CVE-2012-5257
   * CVE-2012-5259
   * CVE-2012-5260
   * CVE-2012-5262
   * CVE-2012-5264
   * CVE-2012-5265
   * CVE-2012-5266
   * CVE-2012-5252
   * CVE-2012-5256
   * CVE-2012-5258
   * CVE-2012-5261
   * CVE-2012-5263
   * CVE-2012-5267
   * CVE-2012-5268
   * CVE-2012-5269
   * CVE-2012-5270
   * CVE-2012-5271
   * CVE-2012-5272

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-flash-player-6937

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 11.2.202.243]:

      flash-player-11.2.202.243-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2012-5248.html
   http://support.novell.com/security/cve/CVE-2012-5249.html
   http://support.novell.com/security/cve/CVE-2012-5250.html
   http://support.novell.com/security/cve/CVE-2012-5251.html
   http://support.novell.com/security/cve/CVE-2012-5252.html
   http://support.novell.com/security/cve/CVE-2012-5253.html
   http://support.novell.com/security/cve/CVE-2012-5254.html
   http://support.novell.com/security/cve/CVE-2012-5255.html
   http://support.novell.com/security/cve/CVE-2012-5256.html
   http://support.novell.com/security/cve/CVE-2012-5257.html
   http://support.novell.com/security/cve/CVE-2012-5258.html
   http://support.novell.com/security/cve/CVE-2012-5259.html
   http://support.novell.com/security/cve/CVE-2012-5260.html
   http://support.novell.com/security/cve/CVE-2012-5261.html
   http://support.novell.com/security/cve/CVE-2012-5262.html
   http://support.novell.com/security/cve/CVE-2012-5263.html
   http://support.novell.com/security/cve/CVE-2012-5264.html
   http://support.novell.com/security/cve/CVE-2012-5265.html
   http://support.novell.com/security/cve/CVE-2012-5266.html
   http://support.novell.com/security/cve/CVE-2012-5267.html
   http://support.novell.com/security/cve/CVE-2012-5268.html
   http://support.novell.com/security/cve/CVE-2012-5269.html
   http://support.novell.com/security/cve/CVE-2012-5270.html
   http://support.novell.com/security/cve/CVE-2012-5271.html
   http://support.novell.com/security/cve/CVE-2012-5272.html
   https://bugzilla.novell.com/784168
   http://download.novell.com/patch/finder/?keywords=713cd3d91b738edf8089a1736e75e781

From sle-security-updates at lists.suse.com Fri Oct 12 22:09:06 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 13 Oct 2012 06:09:06 +0200 (CEST)
Subject: SUSE-SU-2012:1333-1: critical: Security update for bind
Message-ID:
 <20121013040906.AF70932271@maintenance.suse.de>

   SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1333-1
Rating:             critical
References:         #780157
Cross-References:   CVE-2012-4244
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update fixes a bug where specially-crafted RRs could have caused a
   Denial of Service (Application crash) in named.

   CVE-2012-4244 was assigned to this issue.

Security Issue reference:

   * CVE-2012-4244

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      bind-9.3.4-1.40.1
      bind-chrootenv-9.3.4-1.40.1
      bind-devel-9.3.4-1.40.1
      bind-doc-9.3.4-1.40.1
      bind-libs-9.3.4-1.40.1
      bind-utils-9.3.4-1.40.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      bind-libs-32bit-9.3.4-1.40.1

References:

   http://support.novell.com/security/cve/CVE-2012-4244.html
   https://bugzilla.novell.com/780157
   http://download.novell.com/patch/finder/?keywords=5798d03a4e2045a2e1ed416f1e06f583

From sle-security-updates at lists.suse.com Fri Oct 12 23:08:30 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 13 Oct 2012 07:08:30 +0200 (CEST)
Subject: SUSE-SU-2012:1336-1: moderate: Security update for PostgreSQL
Message-ID: <20121013050830.C481532276@maintenance.suse.de>

   SUSE Security Update: Security update for PostgreSQL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1336-1
Rating:             moderate
References:         #700876 #765069 #770193 #776523
Cross-References:   CVE-2012-3488 CVE-2012-3489
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that
   solves two vulnerabilities and has two fixes is now available. It includes
   one version update.

Description:

   PostgreSQL was updated to the latest stable release 8.1.23, fixing various
   bugs and security issues.

   The following security issues have been fixed:

   * CVE-2012-3488: This update fixes arbitrary read and write of files via
     XSL functionality.
   * CVE-2012-2655: postgresql: denial of service (stack exhaustion) via
     specially-crafted SQL.
   * CVE-2011-2483: crypt_blowfish was mishandling 8 bit characters.

Security Issue references:

   * CVE-2012-3488
   * CVE-2012-3489

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc ppc64 s390x x86_64) [New Version: 8.1.23]:

      postgresql-8.1.23-0.11.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 8.1.23]:

      postgresql-contrib-8.1.23-0.11.1
      postgresql-devel-8.1.23-0.11.1
      postgresql-docs-8.1.23-0.11.1
      postgresql-libs-8.1.23-0.11.1
      postgresql-pl-8.1.23-0.11.1
      postgresql-server-8.1.23-0.11.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 8.1.23]:

      postgresql-libs-32bit-8.1.23-0.11.1

   - SUSE Linux Enterprise Server 10 SP4 (ia64) [New Version: 8.1.23]:

      postgresql-libs-x86-8.1.23-0.11.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc) [New Version: 8.1.23]:

      postgresql-libs-64bit-8.1.23-0.11.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 8.1.23]:

      postgresql-devel-8.1.23-0.11.1
      postgresql-libs-8.1.23-0.11.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 8.1.23]:

      postgresql-libs-32bit-8.1.23-0.11.1

   - SLE SDK 10 SP4 (i586 ia64 ppc ppc64 s390x x86_64) [New Version: 8.1.23]:

      postgresql-8.1.23-0.11.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 8.1.23]:

      postgresql-contrib-8.1.23-0.11.1
      postgresql-devel-8.1.23-0.11.1
      postgresql-docs-8.1.23-0.11.1
      postgresql-pl-8.1.23-0.11.1
      postgresql-server-8.1.23-0.11.1

References:

   http://support.novell.com/security/cve/CVE-2012-3488.html
   http://support.novell.com/security/cve/CVE-2012-3489.html
   https://bugzilla.novell.com/700876
   https://bugzilla.novell.com/765069
   https://bugzilla.novell.com/770193
   https://bugzilla.novell.com/776523
   http://download.novell.com/patch/finder/?keywords=ee84db0d1f4471abd4ab51536636eb1e

From sle-security-updates at lists.suse.com Mon Oct 15 16:09:05 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 16 Oct 2012 00:09:05 +0200 (CEST)
Subject: SUSE-SU-2012:1350-1: moderate: Security update for Linux kernel
Message-ID: <20121015220905.B6F7832279@maintenance.suse.de>

   SUSE Security Update: Security update for Linux kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1350-1
Rating:             moderate
References:         #698102 #731035 #740291 #744198 #753617 #754670 #761774
                    #762099 #762214 #762693 #763198 #763954 #764209 #764900
                    #766156 #766654 #768084 #768504 #769035 #769195 #769251
                    #769407 #770034 #770695 #770763 #771706 #772407 #772427
                    #772473 #772786 #772831 #773007 #773319 #773320 #773688
                    #773831 #774073 #774289 #774612 #774902 #774973 #775182
                    #775373 #775984 #776019 #776095 #776787 #776896 #777024
                    #777269 #778082 #778822 #779330 #779461 #779699 #780012
                    #780461 #781018 #781134
Cross-References:   CVE-2012-2745
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise High Availability Extension 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
                    SLE 11 SERVER Unsupported Extras
______________________________________________________________________________

   An update that solves one vulnerability and has 58 fixes is now available.
   It includes one version update.

Description:

   The SUSE Linux Enterprise 11 SP2 kernel was updated to 3.0.42 which fixes
   various bugs and security issues.

   The following security issues have been fixed:

   * CVE-2012-2745: A denial of service in key management was fixed. (This
     was fixed in 3.0.28 already, but is listed here.)
   Some more security and bug fixes might already be part of the 3.0.42
   stable kernel release which is included here.

   The following non security issues have been fixed:

   BTRFS:

   * btrfs: allow setting NOCOW for a zero sized file via ioctl
   * btrfs: fix a bug of per-file nocow
   * btrfs: fix the missing error information in create_pending_snapshot()
   * btrfs: fix off-by-one in file clone
   * btrfs: move transaction aborts to the point of failure
   * btrfs: fix unnecessary warning when the fragments make the space alloc
     fail
   * btrfs: return EPERM upon rmdir on a subvolume
   * btrfs: cleanup for duplicated code in find_free_extent
   * btrfs: cleanup fs_info->hashers
   * btrfs: use vfree instead of kfree
   * btrfs: fix error path in create_pending_snapshot()
   * btrfs: fix file extent discount problem in the, snapshot
   * btrfs: fix full backref problem when inserting shared block reference
   * btrfs: fix wrong size for the reservation of the, snapshot creation
   * btrfs: fix error handling in delete_block_group_cache()
   * btrfs: polish names of kmem caches
   * btrfs: update last trans if we do not update the inode
   * btrfs: fix possible corruption when fsyncing written prealloced extents
   * btrfs: set journal_info in async trans commit worker
   * btrfs: fix a bug in parsing return value in logical resolve
   * btrfs: use helper for logical resolve
   * btrfs: use larger limit for translation of logical to inode
   * btrfs: use a slab for ordered extents allocation
   * btrfs: fix unprotected ->log_batch
   * btrfs: output more information when aborting a unused transaction handle
   * btrfs: fix wrong size for the reservation when doing, file pre-allocation
   * btrfs: cleanup for unused ref cache stuff
   * btrfs: fix a misplaced address operator in a condition
   * btrfs: fix that error value is changed by mistake
   * btrfs: fix second lock in btrfs_delete_delayed_items()
   * btrfs: increase the size of the free space cache
   * btrfs: fix enospc problems when deleting a subvol
   * btrfs: fix wrong mtime and ctime when creating
     snapshots
   * btrfs: fix race in run_clustered_refs

   S/390:

   * zfcp: remove invalid reference to list iterator variable (bnc#779461).
   * zfcp: Make trace record tags unique (bnc#780012,LTC#84941).
   * zfcp: Do not wakeup while suspended (bnc#780012,LTC#84816).
   * zfcp: restore refcount check on port_remove (bnc#780012,LTC#84942).
   * zfcp: No automatic port_rescan on events (bnc#780012,LTC#84817).
   * dasd: System hang after all channel were lost (bnc#780012,LTC#85025).
   * Added patches.arch/s390-54-01-hypfs-missing-files.patch to series.conf.
     (bnc#769407)
   * dasd: set and unset TIMEOUT flag automatically (bnc#768084).
   * kernel: incorrect task size after fork of a 31 bit process
     (bnc#772407,LTC#83674).
   * patches.arch/s390-55-03-crst-table-downgrade.patch: Deleted due to 31bit
     compile error.

   ALSA:

   * ALSA: hda - Add mic-mute LED control for HP laptop (bnc#779330).
   * ALSA: hda - Add 3stack-automute model to AD1882 codec (bnc#775373).

   Wireless:

   * rt2x00: Remove incorrect led blink. (bnc#774902)
   * Revert "rt2x00: handle spurious pci interrupts". (bnc#774902)
   * rt2x00: Mark active channels survey data as "in use". (bnc#774902)
   * rt2x00: Convert big if-statements to switch-statements. (bnc#774902)
   * rt2800: zero MAC_SYS_CTRL bits during BBP and MAC reset. (bnc#774902)
   * rt2800lib: fix wrong -128dBm when signal is stronger than -12dBm.
     (bnc#774902)
   * rt2800: document RF_R03 register bits [7:4]. (bnc#774902)
   * rt2x00: Introduce concept of driver data in struct rt2x00_dev.
     (bnc#774902)
   * rt2x00: Use struct rt2x00_dev driver data in rt2800{pci,usb}.
     (bnc#774902)
   * rt2x00: fix a possible NULL pointer dereference. (bnc#774902)
   * rt2x00:Add VCO recalibration. (bnc#774902)
   * rt2x00:Add RT5372 chipset support. (bnc#774902)
   * rt2x00: Set IEEE80211_HW_REPORTS_TX_ACK_STATUS in rt2800. (bnc#774902)
   * rt2800: introduce wpdma_disable function. (bnc#774902)
   * rt2800: initialize queues before giving up due to DMA error. (bnc#774902)
   * rt2800: zero registers of unused TX rings.
     (bnc#774902)
   * wireless: rt2x00: rt2800pci add more RT539x ids. (bnc#774902)
   * rt2x00:Add RT5392 chipset support. (bnc#774902)
   * patches.fixes/0012-rt2x00-Add-RT5372-chipset-support.patch: Fix typo.
   * rt2800: Add documentation on MCU requests. (bnc#744198)
   * rt2800pci: Fix "Error - MCU request failed" during initialization.
     (bnc#744198)

   Packaging:

   * rpm/kernel-binary.spec.in: Temporarily disable icecream builds until
     miscompilation is resolved (bnc#763954 bnc#773831)
   * rpm/kernel-binary.spec.in: add Conflicts for older hyper-v hv_kvp_daemon
     (bnc#770763) the kernel-user interface changed, old binaries will
     busyloop with newer kernel
   * rpm/kernel-binary.spec.in: Do not run debugedit -i, use eu-unstrip to
     retrieve the build-id instead (bnc#768504).
   * rpm/kernel-binary.spec.in: Fix Obsoletes: tag for the SLE11-SP1
     realtek-r8192ce_pci-kmp package.

   Misc

   * patches.suse/no-partition-scan: Implement "no_partition_scan"
     commandline option (FATE#303697).
   * vfs: dcache: use DCACHE_DENTRY_KILLED instead of DCACHE_DISCONNECTED in
     d_kill() (bnc#779699).
   * igb: convert to ndo_fix_features (bnc#777269).
   * igb: do vlan cleanup (bnc#777269).
   * tcp: flush DMA queue before sk_wait_data if rcv_wnd is zero
     (bnc#777024).
   * drm: Export drm_probe_ddc() (bnc#780461).
   * drm/dp: Update DPCD defines (bnc#780461).
   * drm/i915/dp: Be smarter about connection sense for branch devices
     (bnc#780461).
   * drm/i915/dp: Fetch downstream port info if needed during DPCD fetch
     (bnc#780461).
   * md: fix so that GET_ARRAY_INFO and GET_DISK_INFO fail correctly when
     array has not "raid_disks" count yet.
   * sched: Fix ancient race in do_exit() (bnc#781018).
   * sched: fix divide by zero in thread_group/task_times() (bnc#761774).
   * sched: fix migration thread runtime bogosity (bnc#773688, bnc#769251).
   * megaraid_sas: boot hangs up while LD is offline issue (bnc#698102).
   * memcg: warn on deeper hierarchies with use_hierarchy==0 (bnc#781134).
   * scsi_dh_alua: Retry the check-condition in case Mode Parameters Changed
     (bnc#772473).
   * scsi: update scsi.h with SYNCHRONIZE_CACHE_16 (FATE#313550,bnc#769195).
   * sd: Reshuffle init_sd to avoid crash (bnc#776787).
   * st: remove st_mutex (bnc#773007).
   * cifs: Assume passwords are encoded according to iocharset (try #2)
     (bnc#731035).
   * drm/fb-helper: delay hotplug handling when partially bound (bnc#778822).
   * drm/fb helper: do not call drm_crtc_helper_set_config (bnc#778822).
   * patches.drivers/drm-Skip-too-big-EDID-extensions: Delete. Fixed in
     firmware, so no longer needed (bnc#764900)
   * drm/i915: Fix backlight control for systems which have bl polarity
     reversed (bnc #766156).
   * patches.kernel.org/patch-3.0.27-28: Update references (bnc#770695
     CVE-2012-2745).
   * xen/x86-64: fix hypercall page unwind info.
   * patches.xen/xen3-patch-3.0.40-41: Linux 3.0.41.
   * Refresh other Xen patches (bnc#776019).
   * e1000e: clear REQ and GNT in EECD (82571 && 82572) (bnc#762099).
   * bonding: add some slack to arp monitoring time limits (bnc#776095).
   * patches.arch/x2apic_opt_out.patch: Refresh. bnc#778082
   * x86, mce: Do not call del_timer_sync() in IRQ context (bnc#776896).
   * cpufreq / ACPI: Fix not loading acpi-cpufreq driver regression
     (bnc#766654).
   * ida: Update references (bnc#740291).
   * audit: do not free_chunk() after fsnotify_add_mark() (bnc#762214).
   * audit: fix refcounting in audit-tree (bnc#762214).
   * mlx4_en: map entire pages to increase throughput.
   * usb: Add support for root hub port status CAS (bnc#774289).
   * fs,reiserfs: unlock superblock before calling reiserfs_quota_on_mount()
     (bnc#772786).
   * reiserfs: fix deadlock with nfs racing on create/lookup (bnc#762693).
   * NFS: Slow down state manager after an unhandled error (bnc#774973).
   * nfs: increase number of permitted callback connections (bnc#771706).
   * Freezer / sunrpc / NFS: do not allow TASK_KILLABLE sleeps to block the
     freezer (bnc#775182).
   * powerpc/pseries: Support lower minimum entitlement for virtual
     processors (bnc#775984).
   * powerpc: Disable /dev/port interface on systems without an ISA bridge
     (bnc#754670).
   * ocfs2: Add a missing journal credit in ocfs2_link_credits() -v2
     (bnc#773320).
   * block: do not artificially constrain max_sectors for stacking drivers
     (bnc#774073).
   * bnx2x: Clear MDC/MDIO warning message (bnc#769035).
   * bnx2x: Fix BCM57810-KR AN speed transition (bnc#769035).
   * bnx2x: Fix BCM57810-KR FC (bnc#769035).
   * bnx2x: Fix BCM578x0-SFI pre-emphasis settings (bnc#769035).
   * bnx2x: Fix link issue for BCM8727 boards (bnc#769035).
   * bnx2x: PFC fix (bnc#769035).
   * bnx2x: fix checksum validation (bnc#769035).
   * bnx2x: fix panic when TX ring is full (bnc#769035).
   * bnx2x: previous driver unload revised (bnc#769035).
   * bnx2x: remove WARN_ON (bnc#769035).
   * bnx2x: update driver version (bnc#769035).
   * xhci: Fix a logical vs bitwise AND bug (bnc#772427).
   * xhci: Switch PPT ports to EHCI on shutdown (bnc#772427).
   * xhci: definitions of register definitions to preserve kABI (bnc#772427).
   * xhci: Introduce a private switchback method to preserve kABI
     (bnc#772427).
   * config.conf: Drop reference to a s390 vanilla config that does not
     exist.
   * block: eliminate potential for infinite loop in blkdev_issue_discard
     (bnc#773319).
   * Fix cosmetic (but worrisome to users) stop class accounting bug.
   * bluetooth: Another vendor specific ID for BCM20702A0 [0a5c:21f1]
     (bnc#774612).
   * memcg: further prevent OOM with too many dirty pages (bnc#763198).
   * patches.fixes/mm-consider-PageReclaim-for-sync-reclaim.patch: Refresh to
     match the upstream version.
   * tmpfs: optimize clearing when writing (VM Performance).
   * tmpfs: distribute interleave better across nodes (bnc#764209).
   * patches.fixes/tmpfs-implement-NUMA-node-interleaving.patch: dropped in
     favor of the upstream patch

Security Issue reference:

   * CVE-2012-2745

Indications:

   Everyone using the Linux Kernel on x86_64 architecture should update.
Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-kernel-6923 slessp2-kernel-6926

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-kernel-6923 slessp2-kernel-6924 slessp2-kernel-6925 slessp2-kernel-6926 slessp2-kernel-6931

   - SUSE Linux Enterprise High Availability Extension 11 SP2:

      zypper in -t patch sleshasp2-kernel-6923 sleshasp2-kernel-6924 sleshasp2-kernel-6925 sleshasp2-kernel-6926 sleshasp2-kernel-6931

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-kernel-6923 sledsp2-kernel-6926

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 3.0.42]:

      kernel-default-3.0.42-0.7.3
      kernel-default-base-3.0.42-0.7.3
      kernel-default-devel-3.0.42-0.7.3
      kernel-source-3.0.42-0.7.3
      kernel-syms-3.0.42-0.7.3
      kernel-trace-3.0.42-0.7.3
      kernel-trace-base-3.0.42-0.7.3
      kernel-trace-devel-3.0.42-0.7.3
      kernel-xen-devel-3.0.42-0.7.3

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586) [New Version: 3.0.42]:

      kernel-pae-3.0.42-0.7.3
      kernel-pae-base-3.0.42-0.7.3
      kernel-pae-devel-3.0.42-0.7.3

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.0.42]:

      kernel-default-3.0.42-0.7.3
      kernel-default-base-3.0.42-0.7.3
      kernel-default-devel-3.0.42-0.7.3
      kernel-source-3.0.42-0.7.3
      kernel-syms-3.0.42-0.7.3
      kernel-trace-3.0.42-0.7.3
      kernel-trace-base-3.0.42-0.7.3
      kernel-trace-devel-3.0.42-0.7.3

   - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64) [New Version: 3.0.42]:

      kernel-ec2-3.0.42-0.7.3
      kernel-ec2-base-3.0.42-0.7.3
      kernel-ec2-devel-3.0.42-0.7.3
      kernel-xen-3.0.42-0.7.3
      kernel-xen-base-3.0.42-0.7.3
      kernel-xen-devel-3.0.42-0.7.3

   - SUSE Linux Enterprise Server 11 SP2 (s390x) [New Version:
     3.0.42]:

      kernel-default-man-3.0.42-0.7.3

   - SUSE Linux Enterprise Server 11 SP2 (ppc64) [New Version: 3.0.42]:

      kernel-ppc64-3.0.42-0.7.3
      kernel-ppc64-base-3.0.42-0.7.3
      kernel-ppc64-devel-3.0.42-0.7.3

   - SUSE Linux Enterprise Server 11 SP2 (i586) [New Version: 3.0.42]:

      kernel-pae-3.0.42-0.7.3
      kernel-pae-base-3.0.42-0.7.3
      kernel-pae-devel-3.0.42-0.7.3

   - SUSE Linux Enterprise High Availability Extension 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      cluster-network-kmp-default-1.4_3.0.42_0.7-2.18.7
      cluster-network-kmp-trace-1.4_3.0.42_0.7-2.18.7
      gfs2-kmp-default-2_3.0.42_0.7-0.7.42
      gfs2-kmp-trace-2_3.0.42_0.7-0.7.42
      ocfs2-kmp-default-1.6_3.0.42_0.7-0.11.6
      ocfs2-kmp-trace-1.6_3.0.42_0.7-0.11.6

   - SUSE Linux Enterprise High Availability Extension 11 SP2 (i586 x86_64):

      cluster-network-kmp-xen-1.4_3.0.42_0.7-2.18.7
      gfs2-kmp-xen-2_3.0.42_0.7-0.7.42
      ocfs2-kmp-xen-1.6_3.0.42_0.7-0.11.6

   - SUSE Linux Enterprise High Availability Extension 11 SP2 (ppc64):

      cluster-network-kmp-ppc64-1.4_3.0.42_0.7-2.18.7
      gfs2-kmp-ppc64-2_3.0.42_0.7-0.7.42
      ocfs2-kmp-ppc64-1.6_3.0.42_0.7-0.11.6

   - SUSE Linux Enterprise High Availability Extension 11 SP2 (i586):

      cluster-network-kmp-pae-1.4_3.0.42_0.7-2.18.7
      gfs2-kmp-pae-2_3.0.42_0.7-0.7.42
      ocfs2-kmp-pae-1.6_3.0.42_0.7-0.11.6

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 3.0.42]:

      kernel-default-3.0.42-0.7.3
      kernel-default-base-3.0.42-0.7.3
      kernel-default-devel-3.0.42-0.7.3
      kernel-default-extra-3.0.42-0.7.3
      kernel-source-3.0.42-0.7.3
      kernel-syms-3.0.42-0.7.3
      kernel-trace-3.0.42-0.7.3
      kernel-trace-base-3.0.42-0.7.3
      kernel-trace-devel-3.0.42-0.7.3
      kernel-trace-extra-3.0.42-0.7.3
      kernel-xen-3.0.42-0.7.3
      kernel-xen-base-3.0.42-0.7.3
      kernel-xen-devel-3.0.42-0.7.3
      kernel-xen-extra-3.0.42-0.7.3

   - SUSE Linux Enterprise Desktop 11 SP2 (i586) [New Version: 3.0.42]:

      kernel-pae-3.0.42-0.7.3
      kernel-pae-base-3.0.42-0.7.3
      kernel-pae-devel-3.0.42-0.7.3
      kernel-pae-extra-3.0.42-0.7.3

   - SLE 11 SERVER Unsupported Extras (i586 ia64 ppc64 s390x x86_64):
      ext4-writeable-kmp-default-0_3.0.42_0.7-0.14.23
      ext4-writeable-kmp-trace-0_3.0.42_0.7-0.14.23
      kernel-default-extra-3.0.42-0.7.3

   - SLE 11 SERVER Unsupported Extras (i586 x86_64):

      ext4-writeable-kmp-xen-0_3.0.42_0.7-0.14.23
      kernel-xen-extra-3.0.42-0.7.3

   - SLE 11 SERVER Unsupported Extras (ppc64):

      ext4-writeable-kmp-ppc64-0_3.0.42_0.7-0.14.23
      kernel-ppc64-extra-3.0.42-0.7.3

   - SLE 11 SERVER Unsupported Extras (i586):

      ext4-writeable-kmp-pae-0_3.0.42_0.7-0.14.23
      kernel-pae-extra-3.0.42-0.7.3

References:

   http://support.novell.com/security/cve/CVE-2012-2745.html
   https://bugzilla.novell.com/698102
   https://bugzilla.novell.com/731035
   https://bugzilla.novell.com/740291
   https://bugzilla.novell.com/744198
   https://bugzilla.novell.com/753617
   https://bugzilla.novell.com/754670
   https://bugzilla.novell.com/761774
   https://bugzilla.novell.com/762099
   https://bugzilla.novell.com/762214
   https://bugzilla.novell.com/762693
   https://bugzilla.novell.com/763198
   https://bugzilla.novell.com/763954
   https://bugzilla.novell.com/764209
   https://bugzilla.novell.com/764900
   https://bugzilla.novell.com/766156
   https://bugzilla.novell.com/766654
   https://bugzilla.novell.com/768084
   https://bugzilla.novell.com/768504
   https://bugzilla.novell.com/769035
   https://bugzilla.novell.com/769195
   https://bugzilla.novell.com/769251
   https://bugzilla.novell.com/769407
   https://bugzilla.novell.com/770034
   https://bugzilla.novell.com/770695
   https://bugzilla.novell.com/770763
   https://bugzilla.novell.com/771706
   https://bugzilla.novell.com/772407
   https://bugzilla.novell.com/772427
   https://bugzilla.novell.com/772473
   https://bugzilla.novell.com/772786
   https://bugzilla.novell.com/772831
   https://bugzilla.novell.com/773007
   https://bugzilla.novell.com/773319
   https://bugzilla.novell.com/773320
   https://bugzilla.novell.com/773688
   https://bugzilla.novell.com/773831
   https://bugzilla.novell.com/774073
   https://bugzilla.novell.com/774289
   https://bugzilla.novell.com/774612
   https://bugzilla.novell.com/774902
   https://bugzilla.novell.com/774973
   https://bugzilla.novell.com/775182
   https://bugzilla.novell.com/775373
   https://bugzilla.novell.com/775984
   https://bugzilla.novell.com/776019
   https://bugzilla.novell.com/776095
   https://bugzilla.novell.com/776787
   https://bugzilla.novell.com/776896
   https://bugzilla.novell.com/777024
   https://bugzilla.novell.com/777269
   https://bugzilla.novell.com/778082
   https://bugzilla.novell.com/778822
   https://bugzilla.novell.com/779330
   https://bugzilla.novell.com/779461
   https://bugzilla.novell.com/779699
   https://bugzilla.novell.com/780012
   https://bugzilla.novell.com/780461
   https://bugzilla.novell.com/781018
   https://bugzilla.novell.com/781134
   http://download.novell.com/patch/finder/?keywords=093be6c543a0ba2b6ecf2968d4a92212
   http://download.novell.com/patch/finder/?keywords=0a2a6cf21f8291011c81928522f1063a
   http://download.novell.com/patch/finder/?keywords=2205d86ff343bf4bd4269c0ee1a36fce
   http://download.novell.com/patch/finder/?keywords=56bb8b246b094d7b9bb76894fbb7a521
   http://download.novell.com/patch/finder/?keywords=89ed32091b7cde5f4b5f62a8d0ae9f0f
   http://download.novell.com/patch/finder/?keywords=9bafa94f852e694b59b99001aa47a2b5
   http://download.novell.com/patch/finder/?keywords=c29b53bba0dc375ee51121e1a1619e8d
   http://download.novell.com/patch/finder/?keywords=d3169be940573b6d9ace41778ad0a84c
   http://download.novell.com/patch/finder/?keywords=d62b0fd1b9b16f9da1561454d3ac760d
   http://download.novell.com/patch/finder/?keywords=f6f94ee4ea8bc5fdac3a7d71f4d55ed9

From sle-security-updates at lists.suse.com  Tue Oct 16 14:08:33 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 16 Oct 2012 22:08:33 +0200 (CEST)
Subject: SUSE-SU-2012:1351-1: important: Security update for Mozilla Firefox
Message-ID: <20121016200833.E8C4132279@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1351-1
Rating:             important
References:         #783533
Cross-References:   CVE-2012-3977 CVE-2012-3982 CVE-2012-3983 CVE-2012-3984 CVE-2012-3985 CVE-2012-3986 CVE-2012-3987 CVE-2012-3988 CVE-2012-3989 CVE-2012-3990 CVE-2012-3991 CVE-2012-3992 CVE-2012-3993 CVE-2012-3994 CVE-2012-3995 CVE-2012-4179 CVE-2012-4180 CVE-2012-4181 CVE-2012-4182 CVE-2012-4183 CVE-2012-4184 CVE-2012-4185 CVE-2012-4186 CVE-2012-4187 CVE-2012-4188 CVE-2012-4192 CVE-2012-4193
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes 27 vulnerabilities is now available. It includes two new package versions.

Description:

   MozillaFirefox was updated to the 10.0.9ESR security release which fixes bugs and security issues:

   * MFSA 2012-73 / CVE-2012-3977: Security researchers Thai Duong and Juliano Rizzo reported that SPDY's request header compression leads to information leakage, which can allow the extraction of private data such as session cookies, even over an encrypted SSL connection. (This does not affect Firefox 10 as it does not feature the SPDY extension. It was silently fixed for Firefox 15.)

   * MFSA 2012-74: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.
     * CVE-2012-3983: Henrik Skupin, Jesse Ruderman and moz_bug_r_a4 reported memory safety problems and crashes that affect Firefox 15.

     * CVE-2012-3982: Christian Holler and Jesse Ruderman reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 15.

   * MFSA 2012-75 / CVE-2012-3984: Security researcher David Bloom of Cue discovered that "select" elements are always-on-top chromeless windows and that navigation away from a page with an active "select" menu does not remove this window. When another menu is opened programmatically on a new page, the original "select" menu can be retained and arbitrary HTML content within it rendered, allowing an attacker to cover arbitrary portions of the new page through absolute positioning/scrolling, leading to spoofing attacks. Security researcher Jordi Chancel found a variation that would allow for click-jacking attacks as well. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.

     References:
       - Navigation away from a page with an active "select" dropdown menu can be used for URL spoofing, other evil
       - Firefox 10.0.1 : Navigation away from a page with multiple active "select" dropdown menu can be used for Spoofing And ClickJacking with XPI using window.open and geolocalisation

   * MFSA 2012-76 / CVE-2012-3985: Security researcher Collin Jackson reported a violation of the HTML5 specifications for document.domain behavior. Specified behavior requires pages to only have access to windows in a new document.domain, but the observed violation allowed pages to retain access to windows from the page's initial origin in addition to the new document.domain. This could potentially lead to cross-site scripting (XSS) attacks.
   * MFSA 2012-77 / CVE-2012-3986: Mozilla developer Johnny Stenback discovered that several methods of a feature used for testing (DOMWindowUtils) are not protected by existing security checks, allowing these methods to be called through script by web pages. This was addressed by adding the existing security checks to these methods.

   * MFSA 2012-78 / CVE-2012-3987: Security researcher Warren He reported that when a page is transitioned into Reader Mode in Firefox for Android, the resulting page has chrome privileges and its content is not thoroughly sanitized. A successful attack requires user enabling of reader mode for a malicious page, which could then perform an attack similar to cross-site scripting (XSS) to gain the privileges allowed to Firefox on an Android device. This has been fixed by changing the Reader Mode page into an unprivileged page. This vulnerability only affects Firefox for Android.

   * MFSA 2012-79 / CVE-2012-3988: Security researcher Soroush Dalili reported that a combination of invoking full screen mode and navigating backwards in history could, in some circumstances, cause a hang or crash due to a timing dependent use-after-free pointer reference. This crash may be potentially exploitable.

   * MFSA 2012-80 / CVE-2012-3989: Mozilla community member Ms2ger reported a crash due to an invalid cast when using the instanceof operator on certain types of JavaScript objects. This can lead to a potentially exploitable crash.

   * MFSA 2012-81 / CVE-2012-3991: Mozilla community member Alice White reported that when the GetProperty function is invoked through JSAPI, security checking can be bypassed when getting cross-origin properties. This potentially allowed for arbitrary code execution.

   * MFSA 2012-82 / CVE-2012-3994: Security researcher Mariusz Mlynski reported that the location property can be accessed by binary plugins through top.location and top can be shadowed by Object.defineProperty as well.
     This can allow for possible cross-site scripting (XSS) attacks through plugins.

   * MFSA 2012-83: Security researcher Mariusz Mlynski reported that when InstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper (COW) that fails to specify exposed properties. These can then be added to the resulting object by an attacker, allowing access to chrome privileged functions through script. While investigating this issue, Mozilla security researcher moz_bug_r_a4 found that COW did not disallow accessing of properties from a standard prototype in some situations, even when the original issue had been fixed. These issues could allow for a cross-site scripting (XSS) attack or arbitrary code execution.

     * CVE-2012-3993: XrayWrapper pollution via unsafe COW
     * CVE-2012-4184: ChromeObjectWrapper is not implemented as intended

   * MFSA 2012-84 / CVE-2012-3992: Security researcher Mariusz Mlynski reported an issue with spoofing of the location property. In this issue, writes to location.hash can be used in concert with scripted history navigation to cause a specific website to be loaded into the history object. The baseURI can then be changed to this stored site, allowing an attacker to inject a script or intercept data posted to a location specified with a relative path.

   * MFSA 2012-85: Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of use-after-free, buffer overflow, and out of bounds read issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting two additional use-after-free flaws introduced during Firefox 16 development and fixed before general release.
     * CVE-2012-3995: Out of bounds read in IsCSSWordSpacingSpace
     * CVE-2012-4179: Heap-use-after-free in nsHTMLCSSUtils::CreateCSSPropertyTxn
     * CVE-2012-4180: Heap-buffer-overflow in nsHTMLEditor::IsPrevCharInNodeWhitespace
     * CVE-2012-4181: Heap-use-after-free in nsSMILAnimationController::DoSample
     * CVE-2012-4182: Heap-use-after-free in nsTextEditRules::WillInsert
     * CVE-2012-4183: Heap-use-after-free in DOMSVGTests::GetRequiredFeatures

   * MFSA 2012-86: Security researcher Atte Kettunen from OUSPG reported several heap memory corruption issues found using the Address Sanitizer tool. These issues are potentially exploitable, allowing for remote code execution.

     * CVE-2012-4185: Global-buffer-overflow in nsCharTraits::length
     * CVE-2012-4186: Heap-buffer-overflow in nsWaveReader::DecodeAudioData
     * CVE-2012-4187: Crash with ASSERTION: insPos too small
     * CVE-2012-4188: Heap-buffer-overflow in Convolve3x3

   * MFSA 2012-87 / CVE-2012-3990: Security researcher miaubiz used the Address Sanitizer tool to discover a use-after-free in the IME State Manager code. This could lead to a potentially exploitable crash.

   * MFSA 2012-89 / CVE-2012-4192 / CVE-2012-4193: Mozilla security researcher moz_bug_r_a4 reported a regression where security wrappers are unwrapped without doing a security check in defaultValue(). This can allow for improper access to the Location object. In versions 15 and earlier of affected products, there was also the potential for arbitrary code execution.
Security Issue reference:

   * CVE-2012-3977
   * CVE-2012-3982
   * CVE-2012-3983
   * CVE-2012-3984
   * CVE-2012-3985
   * CVE-2012-3986
   * CVE-2012-3987
   * CVE-2012-3988
   * CVE-2012-3989
   * CVE-2012-3990
   * CVE-2012-3991
   * CVE-2012-3992
   * CVE-2012-3993
   * CVE-2012-3994
   * CVE-2012-3995
   * CVE-2012-4179
   * CVE-2012-4180
   * CVE-2012-4181
   * CVE-2012-4182
   * CVE-2012-4183
   * CVE-2012-4184
   * CVE-2012-4185
   * CVE-2012-4186
   * CVE-2012-4187
   * CVE-2012-4188
   * CVE-2012-4192
   * CVE-2012-4193

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-firefox-201210-6951

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-firefox-201210-6951

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-firefox-201210-6951

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 10.0.9]:

      MozillaFirefox-10.0.9-0.3.1
      MozillaFirefox-translations-10.0.9-0.3.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.9]:

      MozillaFirefox-10.0.9-0.3.1
      MozillaFirefox-branding-SLED-7-0.6.7.85
      MozillaFirefox-translations-10.0.9-0.3.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 7]:

      MozillaFirefox-10.0.9-0.5.1
      MozillaFirefox-branding-SLED-7-0.8.35
      MozillaFirefox-translations-10.0.9-0.5.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.9]:

      MozillaFirefox-10.0.9-0.3.1
      MozillaFirefox-branding-SLED-7-0.6.7.85
      MozillaFirefox-translations-10.0.9-0.3.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 7]:

      MozillaFirefox-10.0.9-0.5.1
      MozillaFirefox-branding-SLED-7-0.8.35
      MozillaFirefox-translations-10.0.9-0.5.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x):

      MozillaFirefox-branding-upstream-10.0.9-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2012-3977.html
   http://support.novell.com/security/cve/CVE-2012-3982.html
   http://support.novell.com/security/cve/CVE-2012-3983.html
   http://support.novell.com/security/cve/CVE-2012-3984.html
   http://support.novell.com/security/cve/CVE-2012-3985.html
   http://support.novell.com/security/cve/CVE-2012-3986.html
   http://support.novell.com/security/cve/CVE-2012-3987.html
   http://support.novell.com/security/cve/CVE-2012-3988.html
   http://support.novell.com/security/cve/CVE-2012-3989.html
   http://support.novell.com/security/cve/CVE-2012-3990.html
   http://support.novell.com/security/cve/CVE-2012-3991.html
   http://support.novell.com/security/cve/CVE-2012-3992.html
   http://support.novell.com/security/cve/CVE-2012-3993.html
   http://support.novell.com/security/cve/CVE-2012-3994.html
   http://support.novell.com/security/cve/CVE-2012-3995.html
   http://support.novell.com/security/cve/CVE-2012-4179.html
   http://support.novell.com/security/cve/CVE-2012-4180.html
   http://support.novell.com/security/cve/CVE-2012-4181.html
   http://support.novell.com/security/cve/CVE-2012-4182.html
   http://support.novell.com/security/cve/CVE-2012-4183.html
   http://support.novell.com/security/cve/CVE-2012-4184.html
   http://support.novell.com/security/cve/CVE-2012-4185.html
   http://support.novell.com/security/cve/CVE-2012-4186.html
   http://support.novell.com/security/cve/CVE-2012-4187.html
   http://support.novell.com/security/cve/CVE-2012-4188.html
   http://support.novell.com/security/cve/CVE-2012-4192.html
   http://support.novell.com/security/cve/CVE-2012-4193.html
   https://bugzilla.novell.com/783533
   http://download.novell.com/patch/finder/?keywords=9df8424f201589e4fca1abdc2e0b1023
   http://download.novell.com/patch/finder/?keywords=b54051bb7b93d9b879c04f373ce0061d

From sle-security-updates at lists.suse.com  Tue Oct 16 15:08:27 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 16 Oct 2012 23:08:27 +0200 (CEST)
Subject: SUSE-SU-2012:1352-1: moderate: Security update for openstack-swift
Message-ID: <20121016210827.E1ADD3227D@maintenance.suse.de>

SUSE Security Update: Security update for openstack-swift
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1352-1
Rating:             moderate
References:         #779215
Cross-References:   CVE-2012-4413
Affected Products:
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The openstack SWIFT component has been updated to fix a security issue:

   * CVE-2012-4406: The pickle serialization for memcache could be exploited to execute code. It was replaced by JSON.

Security Issue reference:

   * CVE-2012-4413

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 1.0:

      zypper in -t patch sleclo10sp2-openstack-swift-6819

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 1.0 (x86_64):

      openstack-swift-1.4.8+git.1332408124.4a6fead-0.11.1
      openstack-swift-account-1.4.8+git.1332408124.4a6fead-0.11.1
      openstack-swift-container-1.4.8+git.1332408124.4a6fead-0.11.1
      openstack-swift-doc-1.4.8+git.1332408124.4a6fead-0.11.1
      openstack-swift-object-1.4.8+git.1332408124.4a6fead-0.11.1
      openstack-swift-proxy-1.4.8+git.1332408124.4a6fead-0.11.1
      python-swift-1.4.8+git.1332408124.4a6fead-0.11.1

References:

   http://support.novell.com/security/cve/CVE-2012-4413.html
   https://bugzilla.novell.com/779215
   http://download.novell.com/patch/finder/?keywords=9d6ca417db66a8fd03dcda14001eaa95

From sle-security-updates at lists.suse.com  Thu Oct 18 09:08:32 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 18 Oct 2012 17:08:32 +0200 (CEST)
Subject: SUSE-SU-2012:1367-1: moderate: Security update for rubygem-actionpack-2_3
Message-ID: <20121018150832.E4A6A3219D@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-actionpack-2_3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1367-1
Rating:             moderate
References:         #775649
Cross-References:   CVE-2012-3465
Affected Products:
                    WebYaST 1.2
                    SUSE Studio Standard Edition 1.2
                    SUSE Studio Onsite 1.2
                    SUSE Studio Extension for System z 1.2
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one version update.

Description:

   This update fixes the strip_tags helper in Ruby on Rails which could have resulted in a cross-site scripting vulnerability. CVE-2012-3465 has been assigned to this issue.

Security Issue reference:

   * CVE-2012-3465

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - WebYaST 1.2:

      zypper in -t patch slewyst12-rubygem-actionpack-2_3-6802

   - SUSE Studio Standard Edition 1.2:

      zypper in -t patch sleslms12-rubygem-actionpack-2_3-6802

   - SUSE Studio Onsite 1.2:

      zypper in -t patch slestso12-rubygem-actionpack-2_3-6802

   - SUSE Studio Extension for System z 1.2:

      zypper in -t patch slestso12-rubygem-actionpack-2_3-6802

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-rubygem-actionpack-2_3-6801

   - SUSE Cloud 1.0:

      zypper in -t patch sleclo10sp2-rubygem-actionpack-2_3-6801

   To bring your system up-to-date, use "zypper patch".
Package List:

   - WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.14]:

      rubygem-actionpack-2_3-2.3.14-0.7.8.1

   - SUSE Studio Standard Edition 1.2 (x86_64) [New Version: 2.3.14]:

      rubygem-actionpack-2_3-2.3.14-0.7.8.1

   - SUSE Studio Onsite 1.2 (x86_64) [New Version: 2.3.14]:

      rubygem-actionpack-2_3-2.3.14-0.7.8.1

   - SUSE Studio Extension for System z 1.2 (s390x) [New Version: 2.3.14]:

      rubygem-actionpack-2_3-2.3.14-0.7.8.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      rubygem-actionpack-2_3-2.3.14-0.12.1

   - SUSE Cloud 1.0 (x86_64):

      rubygem-actionpack-2_3-2.3.14-0.12.1

References:

   http://support.novell.com/security/cve/CVE-2012-3465.html
   https://bugzilla.novell.com/775649
   http://download.novell.com/patch/finder/?keywords=2b07947598b12d37508907617d9fc83d
   http://download.novell.com/patch/finder/?keywords=6127d299d97f12be4acb434f8c4dc3b2

From sle-security-updates at lists.suse.com  Tue Oct 23 11:08:35 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 23 Oct 2012 19:08:35 +0200 (CEST)
Subject: SUSE-SU-2012:1390-1: important: Security update for bind
Message-ID: <20121023170835.9E95E32283@maintenance.suse.de>

SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1390-1
Rating:             important
References:         #784602
Cross-References:   CVE-2012-5166
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 11 SP1 LTSS
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Server 10 SP3 LTSS
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one version update.
Description:

   The following issue has been fixed:

   * Specially crafted RDATA could have caused bind to lockup. This was a different flaw than CVE-2012-4244.

Security Issue reference:

   * CVE-2012-5166

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-bind-6944

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-bind-6944

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-bind-6944

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-bind-6980

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-bind-6944

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.6ESVR7P4]:

      bind-devel-9.6ESVR7P4-0.8.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64) [New Version: 9.6ESVR7P4]:

      bind-devel-32bit-9.6ESVR7P4-0.8.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 9.6ESVR7P4]:

      bind-9.6ESVR7P4-0.8.1
      bind-chrootenv-9.6ESVR7P4-0.8.1
      bind-doc-9.6ESVR7P4-0.8.1
      bind-libs-9.6ESVR7P4-0.8.1
      bind-utils-9.6ESVR7P4-0.8.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 9.6ESVR7P4]:

      bind-libs-32bit-9.6ESVR7P4-0.8.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.6ESVR7P4]:

      bind-9.6ESVR7P4-0.8.1
      bind-chrootenv-9.6ESVR7P4-0.8.1
      bind-doc-9.6ESVR7P4-0.8.1
      bind-libs-9.6ESVR7P4-0.8.1
      bind-utils-9.6ESVR7P4-0.8.1

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 9.6ESVR7P4]:

      bind-libs-32bit-9.6ESVR7P4-0.8.1

   - SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 9.6ESVR7P4]:

      bind-libs-x86-9.6ESVR7P4-0.8.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 9.6ESVR7P4]:

      bind-9.6ESVR7P4-0.2.3.1
      bind-chrootenv-9.6ESVR7P4-0.2.3.1
      bind-doc-9.6ESVR7P4-0.2.3.1
      bind-libs-9.6ESVR7P4-0.2.3.1
      bind-utils-9.6ESVR7P4-0.2.3.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 9.6ESVR7P4]:

      bind-libs-32bit-9.6ESVR7P4-0.2.3.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 9.6ESVR7P4]:

      bind-9.6ESVR7P4-0.7.1
      bind-chrootenv-9.6ESVR7P4-0.7.1
      bind-devel-9.6ESVR7P4-0.7.1
      bind-doc-9.6ESVR7P4-0.7.1
      bind-libs-9.6ESVR7P4-0.7.1
      bind-utils-9.6ESVR7P4-0.7.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 9.6ESVR7P4]:

      bind-libs-32bit-9.6ESVR7P4-0.7.1

   - SUSE Linux Enterprise Server 10 SP4 (ia64) [New Version: 9.6ESVR7P4]:

      bind-libs-x86-9.6ESVR7P4-0.7.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc) [New Version: 9.6ESVR7P4]:

      bind-devel-64bit-9.6ESVR7P4-0.7.1
      bind-libs-64bit-9.6ESVR7P4-0.7.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      bind-9.3.4-1.42.1
      bind-chrootenv-9.3.4-1.42.1
      bind-devel-9.3.4-1.42.1
      bind-doc-9.3.4-1.42.1
      bind-libs-9.3.4-1.42.1
      bind-utils-9.3.4-1.42.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      bind-libs-32bit-9.3.4-1.42.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 9.6ESVR7P4]:

      bind-libs-9.6ESVR7P4-0.8.1
      bind-utils-9.6ESVR7P4-0.8.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 9.6ESVR7P4]:

      bind-libs-32bit-9.6ESVR7P4-0.8.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 9.6ESVR7P4]:

      bind-libs-9.6ESVR7P4-0.7.1
      bind-utils-9.6ESVR7P4-0.7.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 9.6ESVR7P4]:

      bind-libs-32bit-9.6ESVR7P4-0.7.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 9.6ESVR7P4]:

      bind-9.6ESVR7P4-0.7.1
      bind-chrootenv-9.6ESVR7P4-0.7.1
      bind-devel-9.6ESVR7P4-0.7.1
      bind-doc-9.6ESVR7P4-0.7.1

   - SLE SDK 10 SP4 (ppc) [New Version: 9.6ESVR7P4]:

      bind-devel-64bit-9.6ESVR7P4-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2012-5166.html
   https://bugzilla.novell.com/784602
   http://download.novell.com/patch/finder/?keywords=0491290854c3af020f68ff0d5b8b26cd
   http://download.novell.com/patch/finder/?keywords=43e6060a96c82b013f497e12bdab3e50
   http://download.novell.com/patch/finder/?keywords=746fd176e23d559fd877814c838c73cc
   http://download.novell.com/patch/finder/?keywords=b317f08d89c8077faca5bab8b9e853e7

From sle-security-updates at lists.suse.com  Wed Oct 24 00:08:27 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Oct 2012 08:08:27 +0200 (CEST)
Subject: SUSE-SU-2012:1390-2: important: Security update for bind
Message-ID: <20121024060827.A678632282@maintenance.suse.de>

SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1390-2
Rating:             important
References:         #784602
Cross-References:   CVE-2012-5166
Affected Products:
                    SUSE Linux Enterprise Server 10 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The following issue has been fixed:

   * Specially crafted RDATA could have caused bind to lockup. This was a different flaw than CVE-2012-4244.
Security Issue reference:

   * CVE-2012-5166

Package List:

   - SUSE Linux Enterprise Server 10 SP2 (i586 s390x x86_64):

      bind-9.3.4-1.31.33.1
      bind-chrootenv-9.3.4-1.31.33.1
      bind-devel-9.3.4-1.31.33.1
      bind-doc-9.3.4-1.31.33.1
      bind-libs-9.3.4-1.31.33.1
      bind-utils-9.3.4-1.31.33.1

   - SUSE Linux Enterprise Server 10 SP2 (s390x x86_64):

      bind-libs-32bit-9.3.4-1.31.33.1

References:

   http://support.novell.com/security/cve/CVE-2012-5166.html
   https://bugzilla.novell.com/784602
   http://download.novell.com/patch/finder/?keywords=a8e673632571bbd76e46ad33621a07bc

From sle-security-updates at lists.suse.com  Wed Oct 24 01:08:38 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Oct 2012 09:08:38 +0200 (CEST)
Subject: SUSE-SU-2012:1391-1: important: Security update for Linux kernel
Message-ID: <20121024070838.CBB5B3227E@maintenance.suse.de>

SUSE Security Update: Security update for Linux kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1391-1
Rating:             important
References:         #674284 #703156 #734056 #738400 #738528 #747576 #755546 #758985 #760974 #762581 #763526 #765102 #765320 #767277 #767504 #767766 #767939 #769784 #770507 #770697 #772409 #773272 #773831 #776888 #777575 #783058
Cross-References:   CVE-2011-1044 CVE-2011-4110 CVE-2012-2136 CVE-2012-2663 CVE-2012-2744 CVE-2012-3510
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has 20 fixes is now available.

Description:

   This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel.
   The following security issues have been fixed:

   * CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password (a side channel attack).

   * CVE-2012-2744: net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.

   * CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.

   * CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key.

   * CVE-2011-1044: The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649.

   * CVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.
   * CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.

   * CVE-2012-2663: A small denial of service leak in dropping syn+fin messages was fixed.

   The following non-security issues have been fixed:

   Packaging:

   * kbuild: Fix gcc -x syntax (bnc#773831).

   NFS:

   * knfsd: An assortment of little fixes to the sunrpc cache code (bnc#767766).
   * knfsd: Unexport cache_fresh and fix a small race (bnc#767766).
   * knfsd: nfsd: do not drop silently on upcall deferral (bnc#767766).
   * knfsd: svcrpc: remove another silent drop from deferral code (bnc#767766).
   * sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked (bnc#767766).
   * sunrpc/cache: recheck cache validity after cache_defer_req (bnc#767766).
   * sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req (bnc#767766).
   * sunrpc/cache: avoid variable over-loading in cache_defer_req (bnc#767766).
   * sunrpc/cache: allow thread to block while waiting for cache update (bnc#767766).
   * sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update (bnc#767766).
   * sunrpc/cache: Another fix for race problem with sunrpc cache deferral (bnc#767766).
   * knfsd: nfsd: make all exp_finding functions return -errnos on err (bnc#767766).
   * Fix kabi breakage in previous nfsd patch series (bnc#767766).
   * nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout (bnc#767766).
   * nfs: Fix a potential file corruption issue when writing (bnc#773272).
   * nfs: Allow sync writes to be multiple pages (bnc#763526).
   * nfs: fix reference counting for NFSv4 callback thread (bnc#767504).
   * nfs: flush signals before taking down callback thread (bnc#767504).
* nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504).

SCSI:
* SCSI/ch: Check NULL for kmalloc() return (bnc#783058).
* drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc (bnc#783058).
* block: fail SCSI passthrough ioctls on partition devices (bnc#738400).
* dm: do not forward ioctls from logical volumes to the underlying device (bnc#738400).
* vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507).

S/390:
* lgr: Make lgr_page static (bnc#772409, LTC#83520).
* zfcp: Fix oops in _blk_add_trace() (bnc#772409, LTC#83510).
* kernel: Add z/VM LGR detection (bnc#767277, LTC#RAS1203).

* be2net: Fix EEH error reset before a flash dump completes (bnc#755546).
* mptfusion: fix msgContext in mptctl_hp_hostinfo (bnc#767939).
* PCI: Fix bus resource assignment on 32 bits with 64b resources (bnc#762581).
* PCI: fix up setup-bus.c #ifdef (bnc#762581).
* x86: powernow-k8: Fix indexing issue (bnc#758985).
* net: Fix race condition about network device name allocation (bnc#747576).

XEN:
* smpboot: adjust ordering of operations.
* xen/x86-64: provide a memset() that can deal with 4Gb or above at a time (bnc#738528).
* xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53 (bnc#760974).
* xen/gntdev: fix multi-page slot allocation (bnc#760974).

Security Issues:

* CVE-2011-1044
* CVE-2011-4110
* CVE-2012-2136
* CVE-2012-2663
* CVE-2012-2744
* CVE-2012-3510

Indications:

Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

Please reboot the system after installing this update.
Package List:

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
    kernel-default-2.6.16.60-0.99.1
    kernel-source-2.6.16.60-0.99.1
    kernel-syms-2.6.16.60-0.99.1

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 x86_64):
    kernel-debug-2.6.16.60-0.99.1

- SUSE Linux Enterprise Server 10 SP4 (i586 ppc x86_64):
    kernel-kdump-2.6.16.60-0.99.1

- SUSE Linux Enterprise Server 10 SP4 (i586 x86_64):
    kernel-smp-2.6.16.60-0.99.1
    kernel-xen-2.6.16.60-0.99.1

- SUSE Linux Enterprise Server 10 SP4 (i586):
    kernel-bigsmp-2.6.16.60-0.99.1
    kernel-kdumppae-2.6.16.60-0.99.1
    kernel-vmi-2.6.16.60-0.99.1
    kernel-vmipae-2.6.16.60-0.99.1
    kernel-xenpae-2.6.16.60-0.99.1

- SUSE Linux Enterprise Server 10 SP4 (ppc):
    kernel-iseries64-2.6.16.60-0.99.1
    kernel-ppc64-2.6.16.60-0.99.1

- SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
    kernel-default-2.6.16.60-0.99.1
    kernel-smp-2.6.16.60-0.99.1
    kernel-source-2.6.16.60-0.99.1
    kernel-syms-2.6.16.60-0.99.1
    kernel-xen-2.6.16.60-0.99.1

- SUSE Linux Enterprise Desktop 10 SP4 (i586):
    kernel-bigsmp-2.6.16.60-0.99.1
    kernel-xenpae-2.6.16.60-0.99.1

- SLE SDK 10 SP4 (i586 ia64 x86_64):
    kernel-debug-2.6.16.60-0.99.1

- SLE SDK 10 SP4 (i586 ppc x86_64):
    kernel-kdump-2.6.16.60-0.99.1

- SLE SDK 10 SP4 (i586 x86_64):
    kernel-xen-2.6.16.60-0.99.1

- SLE SDK 10 SP4 (i586):
    kernel-xenpae-2.6.16.60-0.99.1

References:

http://support.novell.com/security/cve/CVE-2011-1044.html
http://support.novell.com/security/cve/CVE-2011-4110.html
http://support.novell.com/security/cve/CVE-2012-2136.html
http://support.novell.com/security/cve/CVE-2012-2663.html
http://support.novell.com/security/cve/CVE-2012-2744.html
http://support.novell.com/security/cve/CVE-2012-3510.html
https://bugzilla.novell.com/674284
https://bugzilla.novell.com/703156
https://bugzilla.novell.com/734056
https://bugzilla.novell.com/738400
https://bugzilla.novell.com/738528
https://bugzilla.novell.com/747576
https://bugzilla.novell.com/755546
https://bugzilla.novell.com/758985
https://bugzilla.novell.com/760974
https://bugzilla.novell.com/762581
https://bugzilla.novell.com/763526
https://bugzilla.novell.com/765102
https://bugzilla.novell.com/765320
https://bugzilla.novell.com/767277
https://bugzilla.novell.com/767504
https://bugzilla.novell.com/767766
https://bugzilla.novell.com/767939
https://bugzilla.novell.com/769784
https://bugzilla.novell.com/770507
https://bugzilla.novell.com/770697
https://bugzilla.novell.com/772409
https://bugzilla.novell.com/773272
https://bugzilla.novell.com/773831
https://bugzilla.novell.com/776888
https://bugzilla.novell.com/777575
https://bugzilla.novell.com/783058
http://download.novell.com/patch/finder/?keywords=118cf41af33f48911c473f3bd88c74a8
http://download.novell.com/patch/finder/?keywords=1d5bd8295622191606c935851bd82ff9
http://download.novell.com/patch/finder/?keywords=3b3320a96f49fe4615b35ba22bb6cbf3
http://download.novell.com/patch/finder/?keywords=9dc087603b172b449aa9a07b548bf3cf
http://download.novell.com/patch/finder/?keywords=c77cfcc87d8e54df006cb42c12c2fadb

From sle-security-updates at lists.suse.com Wed Oct 24 14:08:43 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Oct 2012 22:08:43 +0200 (CEST)
Subject: SUSE-SU-2012:1398-1: important: Security update for OpenJDK
Message-ID: <20121024200843.5261532283@maintenance.suse.de>

SUSE Security Update: Security update for OpenJDK
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1398-1
Rating:             important
References:         #785433
Cross-References:   CVE-2012-1531 CVE-2012-1532 CVE-2012-1533 CVE-2012-3143
                    CVE-2012-3159 CVE-2012-3216 CVE-2012-4416 CVE-2012-4681
                    CVE-2012-5067 CVE-2012-5068 CVE-2012-5069 CVE-2012-5070
                    CVE-2012-5071 CVE-2012-5072 CVE-2012-5073 CVE-2012-5074
                    CVE-2012-5075 CVE-2012-5076 CVE-2012-5077 CVE-2012-5078
                    CVE-2012-5079 CVE-2012-5080 CVE-2012-5081 CVE-2012-5082
                    CVE-2012-5083 CVE-2012-5084 CVE-2012-5085 CVE-2012-5086
                    CVE-2012-5087 CVE-2012-5088 CVE-2012-5089
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

An update that fixes 31 vulnerabilities is now available.

Description:

java-1_6_0-openjdk was upgraded to IcedTea6 1.11.5 (OpenJDK 6 b24) to fix various security and non-security issues.

Security Issue references:

* CVE-2012-1531
* CVE-2012-1532
* CVE-2012-1533
* CVE-2012-3143
* CVE-2012-3159
* CVE-2012-3216
* CVE-2012-4416
* CVE-2012-4681
* CVE-2012-5067
* CVE-2012-5068
* CVE-2012-5069
* CVE-2012-5070
* CVE-2012-5071
* CVE-2012-5072
* CVE-2012-5073
* CVE-2012-5074
* CVE-2012-5075
* CVE-2012-5076
* CVE-2012-5077
* CVE-2012-5078
* CVE-2012-5079
* CVE-2012-5080
* CVE-2012-5081
* CVE-2012-5082
* CVE-2012-5083
* CVE-2012-5084
* CVE-2012-5085
* CVE-2012-5086
* CVE-2012-5087
* CVE-2012-5088
* CVE-2012-5089

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Desktop 11 SP2:
    zypper in -t patch sledsp2-java-1_6_0-openjdk-6987

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
    java-1_6_0-openjdk-1.6.0.0_b24.1.11.5-0.2.1
    java-1_6_0-openjdk-demo-1.6.0.0_b24.1.11.5-0.2.1
    java-1_6_0-openjdk-devel-1.6.0.0_b24.1.11.5-0.2.1

References:

http://support.novell.com/security/cve/CVE-2012-1531.html
http://support.novell.com/security/cve/CVE-2012-1532.html
http://support.novell.com/security/cve/CVE-2012-1533.html
http://support.novell.com/security/cve/CVE-2012-3143.html
http://support.novell.com/security/cve/CVE-2012-3159.html
http://support.novell.com/security/cve/CVE-2012-3216.html
http://support.novell.com/security/cve/CVE-2012-4416.html
http://support.novell.com/security/cve/CVE-2012-4681.html
http://support.novell.com/security/cve/CVE-2012-5067.html
http://support.novell.com/security/cve/CVE-2012-5068.html
http://support.novell.com/security/cve/CVE-2012-5069.html
http://support.novell.com/security/cve/CVE-2012-5070.html
http://support.novell.com/security/cve/CVE-2012-5071.html
http://support.novell.com/security/cve/CVE-2012-5072.html
http://support.novell.com/security/cve/CVE-2012-5073.html
http://support.novell.com/security/cve/CVE-2012-5074.html
http://support.novell.com/security/cve/CVE-2012-5075.html
http://support.novell.com/security/cve/CVE-2012-5076.html
http://support.novell.com/security/cve/CVE-2012-5077.html
http://support.novell.com/security/cve/CVE-2012-5078.html
http://support.novell.com/security/cve/CVE-2012-5079.html
http://support.novell.com/security/cve/CVE-2012-5080.html
http://support.novell.com/security/cve/CVE-2012-5081.html
http://support.novell.com/security/cve/CVE-2012-5082.html
http://support.novell.com/security/cve/CVE-2012-5083.html
http://support.novell.com/security/cve/CVE-2012-5084.html
http://support.novell.com/security/cve/CVE-2012-5085.html
http://support.novell.com/security/cve/CVE-2012-5086.html
http://support.novell.com/security/cve/CVE-2012-5087.html
http://support.novell.com/security/cve/CVE-2012-5088.html
http://support.novell.com/security/cve/CVE-2012-5089.html
https://bugzilla.novell.com/785433
http://download.novell.com/patch/finder/?keywords=c230e2b1023ded8fd1041aa18bc26a60

From sle-security-updates at lists.suse.com Wed Oct 24 16:09:08 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 25 Oct 2012 00:09:08 +0200 (CEST)
Subject: SUSE-SU-2012:1203-2: important: Security update for qemu
Message-ID: <20121024220908.1A91532285@maintenance.suse.de>

SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1203-2
Rating:             important
References:         #777084
Cross-References:   CVE-2012-3515
Affected Products:
                    SLE SDK 10 SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

The qemu VT100 terminal emulation (used for emulated serial and console devices) mishandled specific VT100 escape sequences, so that a guest writing such sequences could corrupt memory of the qemu device model process on the host (CVE-2012-3515, also known as XSA-17). This has been fixed.
Security Issue reference:

* CVE-2012-3515

Package List:

- SLE SDK 10 SP4 (i586 ia64 x86_64):
    qemu-0.8.2-37.14.1

References:

http://support.novell.com/security/cve/CVE-2012-3515.html
https://bugzilla.novell.com/777084
http://download.novell.com/patch/finder/?keywords=30f612a13ba8c3e5184ba89d4582a058

From sle-security-updates at lists.suse.com Wed Oct 31 15:08:27 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 31 Oct 2012 22:08:27 +0100 (CET)
Subject: SUSE-SU-2012:1426-1: important: Security update for Mozilla Firefox
Message-ID: <20121031210827.C17D832280@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1426-1
Rating:             important
References:         #786522
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

An update that contains security fixes can now be installed. It includes two new package versions.

Description:

MozillaFirefox was updated to the 10.0.10ESR security release.

The following issues have been fixed:

* MFSA 2012-90: Mozilla has fixed a number of issues related to the Location object in order to enhance overall security. Details for each of the currently fixed issues are below. Thunderbird is only affected by window.location issues through RSS feeds and extensions that load web content.
* CVE-2012-4194: Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users.
* CVE-2012-4195: Mozilla security researcher moz_bug_r_a4 discovered that the CheckURL function in window.location can be forced to return the wrong calling document and principal, allowing a cross-site scripting (XSS) attack. There is also the possibility of gaining arbitrary code execution if the attacker can take advantage of an add-on that interacts with the page content.
* CVE-2012-4196: Security researcher Antoine Delignat-Lavaud of the PROSECCO research team at INRIA Paris reported the ability to use property injection by prototype to bypass security wrapper protections on the Location object, allowing the cross-origin reading of the Location object.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP2:
    zypper in -t patch sdksp2-firefox-201210b-7004

- SUSE Linux Enterprise Server 11 SP2 for VMware:
    zypper in -t patch slessp2-firefox-201210b-7004

- SUSE Linux Enterprise Server 11 SP2:
    zypper in -t patch slessp2-firefox-201210b-7004

- SUSE Linux Enterprise Desktop 11 SP2:
    zypper in -t patch sledsp2-firefox-201210b-7004

To bring your system up-to-date, use "zypper patch".
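Two hardening patterns behind the Location fixes above, as an added illustration that is not Mozilla's code and models nothing of Firefox's internals: a privileged consumer must not learn a page's location by coercing an object the page can mutate (valueOf shadowing, the pattern in CVE-2012-4194), and an allow-list consulted by a security wrapper must not be a plain object whose prototype chain untrusted code can extend (property injection, the pattern in CVE-2012-4196). The Node.js script below pairs each naive check with a hardened one. The WeakMap, the toy allow-list policy, the "plugin bridge" framing and the URLs are assumptions of the example.

```javascript
'use strict';

// Part 1: a privileged "plugin bridge" decides which origin a page has.
// The real href is recorded by the privileged side in a WeakMap the page
// cannot reach (assumption of this example); page script only gets `loc`.
const realHrefOf = new WeakMap();

function createLocation(realHref) {
  const loc = {
    toString() { return realHref; },
    valueOf() { return realHref; },
  };
  realHrefOf.set(loc, realHref);
  return loc;
}

// Naive: coerces the object, so whatever valueOf/toString the page has
// installed on it decides the answer ('' + obj calls valueOf first).
function naiveOrigin(loc) {
  return new URL('' + loc).origin;
}

// Hardened: never coerces the page-visible object; reads the value the
// privileged side stored itself, keyed by object identity.
function hardenedOrigin(loc) {
  const href = realHrefOf.get(loc);
  if (href === undefined) throw new TypeError('not a location created by the bridge');
  return new URL(href).origin;
}

function demoValueOfShadowing() {
  const loc = createLocation('https://attacker.example/page');
  // Untrusted page script shadows valueOf on the object it can touch.
  loc.valueOf = () => 'https://bank.example/';
  return { naive: naiveOrigin(loc), hardened: hardenedOrigin(loc) };
}

// Part 2: a security wrapper that exposes only allow-listed properties of a
// cross-origin location. Toy policy (assumption): only `protocol` is readable.
const ALLOW_NAIVE = { protocol: true };        // plain object: inherits Object.prototype
const ALLOW_HARDENED = new Set(['protocol']);  // membership test, no prototype chain

function naiveWrapperGet(target, prop) {
  // ALLOW_NAIVE[prop] walks the prototype chain, so a property injected on
  // Object.prototype by untrusted code counts as "allowed".
  return ALLOW_NAIVE[prop] ? target[prop] : null;
}

function hardenedWrapperGet(target, prop) {
  return ALLOW_HARDENED.has(prop) ? target[prop] : null;
}

function demoPrototypeInjection() {
  const crossOriginLoc = {
    protocol: 'https:',
    href: 'https://bank.example/#token=abc',
    hash: '#token=abc',
  };
  Object.prototype.hash = true;  // injection by untrusted code (undone below)
  try {
    return {
      naive: naiveWrapperGet(crossOriginLoc, 'hash'),
      hardened: hardenedWrapperGet(crossOriginLoc, 'hash'),
    };
  } finally {
    delete Object.prototype.hash;
  }
}

console.log(demoValueOfShadowing());   // naive: bank.example, hardened: attacker.example
console.log(demoPrototypeInjection()); // naive: '#token=abc', hardened: null
```

The common thread is that a privileged check must derive its answer only from state the untrusted side cannot write: object identity in a map it does not hold, or a lookup structure with no inherited properties. `Object.prototype.hasOwnProperty.call(allowList, prop)` on a null-prototype object would serve the same purpose as the Set.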
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 4.9.3]:
    mozilla-nspr-devel-4.9.3-0.2.1

- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 10.0.10 and 4.9.3]:
    MozillaFirefox-10.0.10-0.3.1
    MozillaFirefox-translations-10.0.10-0.3.1
    mozilla-nspr-4.9.3-0.2.1

- SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 4.9.3]:
    mozilla-nspr-32bit-4.9.3-0.2.1

- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.10 and 4.9.3]:
    MozillaFirefox-10.0.10-0.3.1
    MozillaFirefox-translations-10.0.10-0.3.1
    mozilla-nspr-4.9.3-0.2.1

- SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 4.9.3]:
    mozilla-nspr-32bit-4.9.3-0.2.1

- SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 4.9.3]:
    mozilla-nspr-x86-4.9.3-0.2.1

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 4.9.3]:
    mozilla-nspr-4.9.3-0.5.1
    mozilla-nspr-devel-4.9.3-0.5.1

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x):
    MozillaFirefox-10.0.10-0.5.2
    MozillaFirefox-translations-10.0.10-0.5.2

- SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 4.9.3]:
    mozilla-nspr-32bit-4.9.3-0.5.1

- SUSE Linux Enterprise Server 10 SP4 (ia64) [New Version: 4.9.3]:
    mozilla-nspr-x86-4.9.3-0.5.1

- SUSE Linux Enterprise Server 10 SP4 (ppc) [New Version: 4.9.3]:
    mozilla-nspr-64bit-4.9.3-0.5.1

- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.10 and 4.9.3]:
    MozillaFirefox-10.0.10-0.3.1
    MozillaFirefox-translations-10.0.10-0.3.1
    mozilla-nspr-4.9.3-0.2.1

- SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 4.9.3]:
    mozilla-nspr-32bit-4.9.3-0.2.1

- SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 4.9.3]:
    mozilla-nspr-4.9.3-0.5.1
    mozilla-nspr-devel-4.9.3-0.5.1

- SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 4.9.3]:
    mozilla-nspr-32bit-4.9.3-0.5.1

- SUSE Linux Enterprise Desktop 10 SP4 (i586):
    MozillaFirefox-10.0.10-0.5.2
    MozillaFirefox-translations-10.0.10-0.5.2

- SLE SDK 10 SP4 (i586 ia64 ppc s390x):
    MozillaFirefox-branding-upstream-10.0.10-0.5.2

References:

https://bugzilla.novell.com/786522
http://download.novell.com/patch/finder/?keywords=67c3a0325cfb67cf4cabe8f44fe58645
http://download.novell.com/patch/finder/?keywords=a779e3f3d65e3943cbd34d5b913f5501

From sle-security-updates at lists.suse.com Wed Oct 31 16:08:28 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 31 Oct 2012 23:08:28 +0100 (CET)
Subject: SUSE-SU-2012:1427-1: moderate: Security update for LibreOffice
Message-ID: <20121031220828.20F1B32285@maintenance.suse.de>

SUSE Security Update: Security update for LibreOffice
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1427-1
Rating:             moderate
References:         #719988 #734733 #741480 #744510 #757602 #758565 #759172
                    #759180 #760019 #760997 #768027 #770708 #772094 #773048
                    #773061 #773515 #774167 #774681 #774921 #775899 #775906
                    #777181 #778669
Cross-References:   CVE-2012-4233
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

An update that solves one vulnerability and has 22 fixes is now available. It includes one version update.

Description:

LibreOffice was updated to SUSE 3.5 bugfix release 13 (based on upstream 3.5.6-rc2), which fixes a lot of bugs.
The following bugs have been fixed:

* polygon fill rule (bnc#759172)
* open XML in Writer (bnc#777181)
* undo in text objects (fdo#36138)
* broken numbering level (bnc#760019)
* better MathML detection (bnc#774921)
* pictures in DOCX import (bnc#772094)
* collapsing border painting (fdo#39415)
* better DOCX text box export (fdo#45724)
* hidden text in PPTX import (bnc#759180)
* slide notes in PPTX import (bnc#768027)
* RTL paragraphs in DOC import (fdo#43398)
* better vertical text imports (bnc#744510)
* HYPERLINK field in DOCX import (fdo#51034)
* shadow color on partial redraw (bnc#773515)
* floating objects in DOCX import (bnc#775899)
* graphite2 hyphenation regression (fdo#49486)
* missing shape position and size (bnc#760997)
* page style attributes in ODF import (fdo#38056)
* browsing in Template dialog crasher (fdo#46249)
* wrong master slide shape being used (bnc#758565)
* page borders regression in ODT import (fdo#38056)
* invalidate bound rect after drag&drop (fdo#44534)
* rotated shape margins in PPTX import (bnc#773048)
* pasting into more than 1 sheet crasher (fdo#47311)
* crashers in PPT/PPTX import (bnc#768027, bnc#774167)
* missing footnote in DOCX/DOC/RTF export (fdo#46020)
* checkbox no-label behaviour (fdo#51336, bnc#757602)
* try somewhat harder to read w:position (bnc#773061)
* FormatNumber can handle sal_uInt32 values (fdo#51793)
* rectangle-paragraph tables in DOCX import (bnc#775899)
* header and bullet in slideshow transition (bnc#759172)
* default background color in DOC/DOCX export (fdo#45724)
* font name / size attributes in DOCX import (bnc#774681)
* zero rect. size causing wrong line positions (fdo#47434)
* adjusted display of Bracket/BracePair in PPT (bnc#741480)
* use Unicode functions for QuickStarter tooltip (fdo#52143)
* TabRatio API and detect macro at group shape fixes (bnc#770708)
* indented text in DOCX file does not wrap correctly (bnc#775906)
* undocked toolbars do not show all icons in special ratio (fdo#47071)
* cross-reference text when Caption order is Numbering first (fdo#50801)
* bullet color same as following text by default (bnc#719988, bnc#734733)
* misc RTF import fixes (rhbz#819304, fdo#49666, bnc#774681, fdo#51772, fdo#48033, fdo#52066, fdo#48335, fdo#48446, fdo#49892, fdo#46966)
* libvisio was updated to 0.0.19:
  * file displays as blank page in Draw (fdo#50990)
* Use the vendor SUSE instead of Novell, Inc.
* Some NULL pointer dereferences were fixed (CVE-2012-4233).

Security Issue reference:

* CVE-2012-4233

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP2:
    zypper in -t patch sdksp2-libreoffice-356-6804

- SUSE Linux Enterprise Desktop 11 SP2:
    zypper in -t patch sledsp2-libreoffice-356-6804

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP2 (noarch) [New Version: 3.5.4.13]:
    libreoffice-branding-upstream-3.5.4.13-0.3.1
    libreoffice-help-cs-3.5.4.13-0.3.1
    libreoffice-help-da-3.5.4.13-0.3.1
    libreoffice-help-de-3.5.4.13-0.3.1
    libreoffice-help-en-GB-3.5.4.13-0.3.1
    libreoffice-help-en-US-3.5.4.13-0.3.1
    libreoffice-help-es-3.5.4.13-0.3.1
    libreoffice-help-fr-3.5.4.13-0.3.1
    libreoffice-help-gu-IN-3.5.4.13-0.3.1
    libreoffice-help-hi-IN-3.5.4.13-0.3.1
    libreoffice-help-hu-3.5.4.13-0.3.1
    libreoffice-help-it-3.5.4.13-0.3.1
    libreoffice-help-ja-3.5.4.13-0.3.1
    libreoffice-help-ko-3.5.4.13-0.3.1
    libreoffice-help-nl-3.5.4.13-0.3.1
    libreoffice-help-pl-3.5.4.13-0.3.1
    libreoffice-help-pt-3.5.4.13-0.3.1
    libreoffice-help-pt-BR-3.5.4.13-0.3.1
    libreoffice-help-ru-3.5.4.13-0.3.1
    libreoffice-help-sv-3.5.4.13-0.3.1
    libreoffice-help-zh-CN-3.5.4.13-0.3.1
    libreoffice-help-zh-TW-3.5.4.13-0.3.1
    libreoffice-icon-themes-3.5.4.13-0.3.1
    libreoffice-l10n-af-3.5.4.13-0.3.1
    libreoffice-l10n-ar-3.5.4.13-0.3.1
    libreoffice-l10n-ca-3.5.4.13-0.3.1
    libreoffice-l10n-cs-3.5.4.13-0.3.1
    libreoffice-l10n-da-3.5.4.13-0.3.1
    libreoffice-l10n-de-3.5.4.13-0.3.1
    libreoffice-l10n-el-3.5.4.13-0.3.1
    libreoffice-l10n-en-GB-3.5.4.13-0.3.1
    libreoffice-l10n-es-3.5.4.13-0.3.1
    libreoffice-l10n-fi-3.5.4.13-0.3.1
    libreoffice-l10n-fr-3.5.4.13-0.3.1
    libreoffice-l10n-gu-IN-3.5.4.13-0.3.1
    libreoffice-l10n-hi-IN-3.5.4.13-0.3.1
    libreoffice-l10n-hu-3.5.4.13-0.3.1
    libreoffice-l10n-it-3.5.4.13-0.3.1
    libreoffice-l10n-ja-3.5.4.13-0.3.1
    libreoffice-l10n-ko-3.5.4.13-0.3.1
    libreoffice-l10n-nb-3.5.4.13-0.3.1
    libreoffice-l10n-nl-3.5.4.13-0.3.1
    libreoffice-l10n-nn-3.5.4.13-0.3.1
    libreoffice-l10n-pl-3.5.4.13-0.3.1
    libreoffice-l10n-pt-3.5.4.13-0.3.1
    libreoffice-l10n-pt-BR-3.5.4.13-0.3.1
    libreoffice-l10n-ru-3.5.4.13-0.3.1
    libreoffice-l10n-sk-3.5.4.13-0.3.1
    libreoffice-l10n-sv-3.5.4.13-0.3.1
    libreoffice-l10n-xh-3.5.4.13-0.3.1
    libreoffice-l10n-zh-CN-3.5.4.13-0.3.1
    libreoffice-l10n-zh-TW-3.5.4.13-0.3.1
    libreoffice-l10n-zu-3.5.4.13-0.3.1

- SUSE Linux Enterprise Desktop 11 SP2 (noarch) [New Version: 3.5.4.13]:
    libreoffice-help-cs-3.5.4.13-0.3.1
    libreoffice-help-da-3.5.4.13-0.3.1
    libreoffice-help-de-3.5.4.13-0.3.1
    libreoffice-help-en-GB-3.5.4.13-0.3.1
    libreoffice-help-en-US-3.5.4.13-0.3.1
    libreoffice-help-es-3.5.4.13-0.3.1
    libreoffice-help-fr-3.5.4.13-0.3.1
    libreoffice-help-gu-IN-3.5.4.13-0.3.1
    libreoffice-help-hi-IN-3.5.4.13-0.3.1
    libreoffice-help-hu-3.5.4.13-0.3.1
    libreoffice-help-it-3.5.4.13-0.3.1
    libreoffice-help-ja-3.5.4.13-0.3.1
    libreoffice-help-ko-3.5.4.13-0.3.1
    libreoffice-help-nl-3.5.4.13-0.3.1
    libreoffice-help-pl-3.5.4.13-0.3.1
    libreoffice-help-pt-3.5.4.13-0.3.1
    libreoffice-help-pt-BR-3.5.4.13-0.3.1
    libreoffice-help-ru-3.5.4.13-0.3.1
    libreoffice-help-sv-3.5.4.13-0.3.1
    libreoffice-help-zh-CN-3.5.4.13-0.3.1
    libreoffice-help-zh-TW-3.5.4.13-0.3.1
    libreoffice-icon-themes-3.5.4.13-0.3.1
    libreoffice-l10n-af-3.5.4.13-0.3.1
    libreoffice-l10n-ar-3.5.4.13-0.3.1
    libreoffice-l10n-ca-3.5.4.13-0.3.1
    libreoffice-l10n-cs-3.5.4.13-0.3.1
    libreoffice-l10n-da-3.5.4.13-0.3.1
    libreoffice-l10n-de-3.5.4.13-0.3.1
    libreoffice-l10n-en-GB-3.5.4.13-0.3.1
    libreoffice-l10n-es-3.5.4.13-0.3.1
    libreoffice-l10n-fi-3.5.4.13-0.3.1
    libreoffice-l10n-fr-3.5.4.13-0.3.1
    libreoffice-l10n-gu-IN-3.5.4.13-0.3.1
    libreoffice-l10n-hi-IN-3.5.4.13-0.3.1
    libreoffice-l10n-hu-3.5.4.13-0.3.1
    libreoffice-l10n-it-3.5.4.13-0.3.1
    libreoffice-l10n-ja-3.5.4.13-0.3.1
    libreoffice-l10n-ko-3.5.4.13-0.3.1
    libreoffice-l10n-nb-3.5.4.13-0.3.1
    libreoffice-l10n-nl-3.5.4.13-0.3.1
    libreoffice-l10n-nn-3.5.4.13-0.3.1
    libreoffice-l10n-pl-3.5.4.13-0.3.1
    libreoffice-l10n-pt-3.5.4.13-0.3.1
    libreoffice-l10n-pt-BR-3.5.4.13-0.3.1
    libreoffice-l10n-ru-3.5.4.13-0.3.1
    libreoffice-l10n-sk-3.5.4.13-0.3.1
    libreoffice-l10n-sv-3.5.4.13-0.3.1
    libreoffice-l10n-xh-3.5.4.13-0.3.1
    libreoffice-l10n-zh-CN-3.5.4.13-0.3.1
    libreoffice-l10n-zh-TW-3.5.4.13-0.3.1
    libreoffice-l10n-zu-3.5.4.13-0.3.1

- SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 3.5.4.13]:
    libreoffice-3.5.4.13-0.7.1
    libreoffice-af-3.5.4.13-0.7.1
    libreoffice-ar-3.5.4.13-0.7.1
    libreoffice-ca-3.5.4.13-0.7.1
    libreoffice-cs-3.5.4.13-0.7.1
    libreoffice-da-3.5.4.13-0.7.1
    libreoffice-de-3.5.4.13-0.7.1
    libreoffice-el-3.5.4.13-0.7.1
    libreoffice-en-GB-3.5.4.13-0.7.1
    libreoffice-es-3.5.4.13-0.7.1
    libreoffice-fi-3.5.4.13-0.7.1
    libreoffice-fr-3.5.4.13-0.7.1
    libreoffice-galleries-3.5.4.13-0.7.1
    libreoffice-gnome-3.5.4.13-0.7.1
    libreoffice-gu-IN-3.5.4.13-0.7.1
    libreoffice-hi-IN-3.5.4.13-0.7.1
    libreoffice-hu-3.5.4.13-0.7.1
    libreoffice-it-3.5.4.13-0.7.1
    libreoffice-ja-3.5.4.13-0.7.1
    libreoffice-kde-3.5.4.13-0.7.1
    libreoffice-ko-3.5.4.13-0.7.1
    libreoffice-mono-3.5.4.13-0.7.1
    libreoffice-nb-3.5.4.13-0.7.1
    libreoffice-nl-3.5.4.13-0.7.1
    libreoffice-nn-3.5.4.13-0.7.1
    libreoffice-pl-3.5.4.13-0.7.1
    libreoffice-pt-BR-3.5.4.13-0.7.1
    libreoffice-ru-3.5.4.13-0.7.1
    libreoffice-sk-3.5.4.13-0.7.1
    libreoffice-sv-3.5.4.13-0.7.1
    libreoffice-xh-3.5.4.13-0.7.1
    libreoffice-zh-CN-3.5.4.13-0.7.1
    libreoffice-zh-TW-3.5.4.13-0.7.1
    libreoffice-zu-3.5.4.13-0.7.1

- SLE SDK 10 SP4 (i586) [New Version: 3.5.4.13]:
    libreoffice-3.5.4.13-0.7.1
    libreoffice-cs-3.5.4.13-0.7.1
    libreoffice-de-3.5.4.13-0.7.1
    libreoffice-es-3.5.4.13-0.7.1
    libreoffice-fr-3.5.4.13-0.7.1
    libreoffice-galleries-3.5.4.13-0.7.1
    libreoffice-gnome-3.5.4.13-0.7.1
    libreoffice-hu-3.5.4.13-0.7.1
    libreoffice-it-3.5.4.13-0.7.1
    libreoffice-ja-3.5.4.13-0.7.1
    libreoffice-kde-3.5.4.13-0.7.1
    libreoffice-mono-3.5.4.13-0.7.1
    libreoffice-pl-3.5.4.13-0.7.1
    libreoffice-pt-BR-3.5.4.13-0.7.1
    libreoffice-sk-3.5.4.13-0.7.1
    libreoffice-zh-CN-3.5.4.13-0.7.1
    libreoffice-zh-TW-3.5.4.13-0.7.1

References:

http://support.novell.com/security/cve/CVE-2012-4233.html
https://bugzilla.novell.com/719988
https://bugzilla.novell.com/734733
https://bugzilla.novell.com/741480
https://bugzilla.novell.com/744510
https://bugzilla.novell.com/757602
https://bugzilla.novell.com/758565
https://bugzilla.novell.com/759172
https://bugzilla.novell.com/759180
https://bugzilla.novell.com/760019
https://bugzilla.novell.com/760997
https://bugzilla.novell.com/768027
https://bugzilla.novell.com/770708
https://bugzilla.novell.com/772094
https://bugzilla.novell.com/773048
https://bugzilla.novell.com/773061
https://bugzilla.novell.com/773515
https://bugzilla.novell.com/774167
https://bugzilla.novell.com/774681
https://bugzilla.novell.com/774921
https://bugzilla.novell.com/775899
https://bugzilla.novell.com/775906
https://bugzilla.novell.com/777181
https://bugzilla.novell.com/778669
http://download.novell.com/patch/finder/?keywords=75b0fcb15ca3749c7c3e6082b74f167b
http://download.novell.com/patch/finder/?keywords=b81441caf6c597bd91c0c57a66bd0ed6

From sle-security-updates at lists.suse.com Wed Oct 31 17:09:06 2012
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 1 Nov 2012 00:09:06 +0100 (CET)
Subject: SUSE-SU-2012:1428-1: moderate: Security update for Qt4
Message-ID: <20121031230906.981FC32289@maintenance.suse.de>

SUSE Security Update: Security update for Qt4
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1428-1
Rating:             moderate
References:         #779952
Cross-References:   CVE-2012-4929
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

libqt4 has been updated to mitigate the "CRIME" attack (CVE-2012-4929). When an SSL/TLS connection uses compression, an attacker who can inject chosen data into the same connection that carries a secret (for example a session cookie) can use the size of the compressed records as a side channel to recover that plaintext. Compression has been disabled to mitigate the attack.

Security Issue reference:

* CVE-2012-4929

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP2:
    zypper in -t patch sdksp2-libQtWebKit-devel-6935

- SUSE Linux Enterprise Server 11 SP2 for VMware:
    zypper in -t patch slessp2-libQtWebKit-devel-6935

- SUSE Linux Enterprise Server 11 SP2:
    zypper in -t patch slessp2-libQtWebKit-devel-6935

- SUSE Linux Enterprise Desktop 11 SP2:
    zypper in -t patch sledsp2-libQtWebKit-devel-6935

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
    libQtWebKit-devel-4.6.3-5.18.1
    libqt4-devel-4.6.3-5.18.1
    libqt4-sql-postgresql-4.6.3-5.18.1
    libqt4-sql-unixODBC-4.6.3-5.18.1

- SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64):
    libQtWebKit4-32bit-4.6.3-5.18.1
    libqt4-sql-mysql-32bit-4.6.3-5.18.1
    libqt4-sql-postgresql-32bit-4.6.3-5.18.1
    libqt4-sql-sqlite-32bit-4.6.3-5.18.1
    libqt4-sql-unixODBC-32bit-4.6.3-5.18.1

- SUSE Linux Enterprise Software Development Kit 11 SP2 (noarch):
    libqt4-devel-doc-data-4.6.3-5.18.1

- SUSE Linux Enterprise Software Development Kit 11 SP2 (ia64):
    libQtWebKit4-x86-4.6.3-5.18.1
    libqt4-sql-mysql-x86-4.6.3-5.18.1
    libqt4-sql-postgresql-x86-4.6.3-5.18.1
    libqt4-sql-sqlite-x86-4.6.3-5.18.1
    libqt4-sql-unixODBC-x86-4.6.3-5.18.1

- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):
    libQtWebKit4-4.6.3-5.18.1
    libqt4-4.6.3-5.18.1
    libqt4-qt3support-4.6.3-5.18.1
    libqt4-sql-4.6.3-5.18.1
    libqt4-sql-mysql-4.6.3-5.18.1
    libqt4-sql-sqlite-4.6.3-5.18.1
    libqt4-x11-4.6.3-5.18.1

- SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64):
    libQtWebKit4-32bit-4.6.3-5.18.1
    libqt4-32bit-4.6.3-5.18.1
    libqt4-qt3support-32bit-4.6.3-5.18.1
    libqt4-sql-32bit-4.6.3-5.18.1
    libqt4-x11-32bit-4.6.3-5.18.1

- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
    libQtWebKit4-4.6.3-5.18.1
    libqt4-4.6.3-5.18.1
    libqt4-qt3support-4.6.3-5.18.1
    libqt4-sql-4.6.3-5.18.1
    libqt4-sql-mysql-4.6.3-5.18.1
    libqt4-sql-sqlite-4.6.3-5.18.1
    libqt4-x11-4.6.3-5.18.1

- SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):
    libQtWebKit4-32bit-4.6.3-5.18.1
    libqt4-32bit-4.6.3-5.18.1
    libqt4-qt3support-32bit-4.6.3-5.18.1
    libqt4-sql-32bit-4.6.3-5.18.1
    libqt4-x11-32bit-4.6.3-5.18.1

- SUSE Linux Enterprise Server 11 SP2 (ia64):
    libQtWebKit4-x86-4.6.3-5.18.1
    libqt4-qt3support-x86-4.6.3-5.18.1
    libqt4-sql-x86-4.6.3-5.18.1
    libqt4-x11-x86-4.6.3-5.18.1
    libqt4-x86-4.6.3-5.18.1

- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
    libQtWebKit4-4.6.3-5.18.1
    libqt4-4.6.3-5.18.1
    libqt4-qt3support-4.6.3-5.18.1
    libqt4-sql-4.6.3-5.18.1
    libqt4-sql-mysql-4.6.3-5.18.1
    libqt4-sql-postgresql-4.6.3-5.18.1
    libqt4-sql-sqlite-4.6.3-5.18.1
    libqt4-sql-unixODBC-4.6.3-5.18.1
    libqt4-x11-4.6.3-5.18.1

- SUSE Linux Enterprise Desktop 11 SP2 (x86_64):
    libQtWebKit4-32bit-4.6.3-5.18.1
    libqt4-32bit-4.6.3-5.18.1
    libqt4-qt3support-32bit-4.6.3-5.18.1
    libqt4-sql-32bit-4.6.3-5.18.1
    libqt4-sql-mysql-32bit-4.6.3-5.18.1
    libqt4-sql-postgresql-32bit-4.6.3-5.18.1
    libqt4-sql-sqlite-32bit-4.6.3-5.18.1
    libqt4-sql-unixODBC-32bit-4.6.3-5.18.1
    libqt4-x11-32bit-4.6.3-5.18.1

References:

http://support.novell.com/security/cve/CVE-2012-4929.html
https://bugzilla.novell.com/779952
http://download.novell.com/patch/finder/?keywords=bb5ee44df67a64b7fc80a596cc675822
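Why disabling compression is the right mitigation for the Qt4 CRIME advisory above, as an added illustration that is neither Qt's nor SUSE's code: the script models a compressed request in which attacker-chosen data (a query string) and a secret (a session cookie) share one stream, and recovers the cookie value one character at a time purely from the output size. It uses a minimal greedy LZ77 token count as the length oracle so that the result is deterministic; real DEFLATE adds Huffman coding on top, which blurs the signal to fractions of a byte and is why real attacks pad guesses to byte boundaries. The cookie value, the request layout and the hex alphabet are constructed for the example.

```javascript
'use strict';

// Constructed secret standing in for a session cookie that the victim's
// client attaches to every request; the attacker does not know its value.
const SECRET_VALUE = '7f3a9c21e4';
const COOKIE = 'sessionid=' + SECRET_VALUE;

// Greedy LZ77 tokenizer: returns the number of output tokens (literals or
// back-references of at least `minMatch` bytes). It stands in for the
// compressed size of a DEFLATE stream: a longer repeat of earlier data
// means fewer tokens.
function lz77TokenCount(text, minMatch = 3) {
  let i = 0;
  let tokens = 0;
  while (i < text.length) {
    let bestLen = 0;
    for (let j = 0; j < i; j++) {
      let len = 0;
      while (i + len < text.length && text[j + len] === text[i + len]) len++;
      if (len > bestLen) bestLen = len;
    }
    i += bestLen >= minMatch ? bestLen : 1;
    tokens++;
  }
  return tokens;
}

// The request as the victim's client would send it: attacker data in the
// query string, the secret cookie in a header, both in one compressed stream.
function buildRequest(attackerData) {
  return `GET /?q=${attackerData} HTTP/1.1\r\nCookie: ${COOKIE}\r\n\r\n`;
}

// Length oracles: what the attacker observes on the wire.
const compressedOracle = (attackerData) => lz77TokenCount(buildRequest(attackerData));
const uncompressedOracle = (attackerData) => buildRequest(attackerData).length; // compression disabled

// Recover the characters following `knownPrefix` one at a time: the guess
// that extends an existing repeat compresses best. Stops when no single
// guess is strictly shortest, i.e. when the oracle no longer distinguishes.
function recoverSecret(knownPrefix, alphabet, maxLen, oracle) {
  let known = knownPrefix;
  for (let n = 0; n < maxLen; n++) {
    let best = null;
    let bestLen = Infinity;
    let tie = false;
    for (const ch of alphabet) {
      const len = oracle(known + ch);
      if (len < bestLen) { bestLen = len; best = ch; tie = false; }
      else if (len === bestLen) tie = true;
    }
    if (best === null || tie) break;
    known += best;
  }
  return known.slice(knownPrefix.length);
}

const HEX = '0123456789abcdef';

// The attacker knows the cookie name (standard assumption) and guesses the value.
function runDemo() {
  return {
    withCompression: recoverSecret('sessionid=', HEX, 16, compressedOracle),
    withoutCompression: recoverSecret('sessionid=', HEX, 16, uncompressedOracle),
  };
}

console.log(runDemo()); // withCompression: '7f3a9c21e4', withoutCompression: ''
```

With compression enabled, the correct guess yields exactly one fewer token than any wrong one, so each character costs at most sixteen observations; with compression disabled every guess produces the same length and the loop stops at once, which is the property the libqt4 change relies on.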