From sle-security-updates at lists.suse.com Fri Mar 1 15:04:45 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 1 Mar 2013 23:04:45 +0100 (CET)
Subject: SUSE-SU-2013:0384-1: moderate: Security update for rubygem-rdoc
Message-ID: <20130301220445.5152F3216A@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-rdoc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0384-1
Rating:             moderate
References:         #802406
Cross-References:   CVE-2013-0256
Affected Products:
                    WebYaST 1.2
                    SUSE Studio Standard Edition 1.2
                    SUSE Linux Enterprise Software Development Kit 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   rubygem-rdoc had an incorrect piece of JavaScript in darkfish.js, which
   allowed cross-site scripting attacks (XSS). This was possible only if
   darkfish.js or rdoc-generated documentation is exposed on the web server,
   which is not a common use case. (CVE-2013-0256)

Security Issue reference:

   * CVE-2013-0256

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - WebYaST 1.2:

      zypper in -t patch slewyst12-rubygem-rdoc-7394

   - SUSE Studio Standard Edition 1.2:

      zypper in -t patch sleslms12-rubygem-rdoc-7394

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-rubygem-rdoc-7390

   To bring your system up-to-date, use "zypper patch".
Package List:

   - WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64):

      rubygem-rdoc-2.5.11-0.7.3

   - SUSE Studio Standard Edition 1.2 (x86_64):

      rubygem-rdoc-2.5.11-0.7.3

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      rubygem-rdoc-3.9.1-0.8.3

References:

   http://support.novell.com/security/cve/CVE-2013-0256.html
   https://bugzilla.novell.com/802406
   http://download.novell.com/patch/finder/?keywords=28614c91632c04e3da98e369501199a9
   http://download.novell.com/patch/finder/?keywords=7107cb53f74618fbe8991eaabc4121c6

From sle-security-updates at lists.suse.com Mon Mar 4 14:04:24 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 Mar 2013 22:04:24 +0100 (CET)
Subject: SUSE-SU-2013:0387-1: Security update for apache2
Message-ID: <20130304210425.12C5427FF5@maintenance.suse.de>

SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0387-1
Rating:             low
References:         #722545 #757710 #777260
Cross-References:   CVE-2012-0883 CVE-2012-2687
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that solves two vulnerabilities and has one erratum is now
   available.

Description:

   This update fixes the following security issues with apache2 httpd:

   * Improper LD_LIBRARY_PATH handling (CVE-2012-0883)
   * Filename escaping problem (CVE-2012-2687)

   Additionally, some non-security bugs have been fixed, as enumerated in
   the changelog of the RPM.

Indications:

   Everyone using apache2 httpd should update.
Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      apache2-2.2.3-16.46.1
      apache2-devel-2.2.3-16.46.1
      apache2-doc-2.2.3-16.46.1
      apache2-example-pages-2.2.3-16.46.1
      apache2-prefork-2.2.3-16.46.1
      apache2-worker-2.2.3-16.46.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

      apache2-2.2.3-16.46.1
      apache2-devel-2.2.3-16.46.1
      apache2-doc-2.2.3-16.46.1
      apache2-example-pages-2.2.3-16.46.1
      apache2-prefork-2.2.3-16.46.1
      apache2-worker-2.2.3-16.46.1

References:

   http://support.novell.com/security/cve/CVE-2012-0883.html
   http://support.novell.com/security/cve/CVE-2012-2687.html
   https://bugzilla.novell.com/722545
   https://bugzilla.novell.com/757710
   https://bugzilla.novell.com/777260
   http://download.novell.com/patch/finder/?keywords=f43eb058005728c7f0f35af643e86652

From sle-security-updates at lists.suse.com Mon Mar 4 15:04:29 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 Mar 2013 23:04:29 +0100 (CET)
Subject: SUSE-SU-2013:0388-1: important: Security update for pidgin
Message-ID: <20130304220429.281B927FF5@maintenance.suse.de>

SUSE Security Update: Security update for pidgin
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0388-1
Rating:             important
References:         #804742
Cross-References:   CVE-2013-0271 CVE-2013-0272 CVE-2013-0273 CVE-2013-0274
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   pidgin was updated to fix 4 security issues:

   * Fixed a crash when receiving UPnP responses with abnormally long
     values. (CVE-2013-0274, bnc#804742)
   * Fixed a crash in the Sametime protocol when a malicious server sends
     us an abnormally long user ID.
     (CVE-2013-0273, bnc#804742)
   * Fixed a bug where the MXit server or a man-in-the-middle could
     potentially send specially crafted data that could overflow a buffer
     and lead to a crash or remote code execution. (CVE-2013-0272,
     bnc#804742)
   * Fixed a bug where a remote MXit user could possibly specify a local
     file path to be written to. (CVE-2013-0271, bnc#804742)

Security Issue references:

   * CVE-2013-0271
   * CVE-2013-0272
   * CVE-2013-0273
   * CVE-2013-0274

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-finch-7429

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-finch-7429

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      finch-2.6.6-0.19.1
      finch-devel-2.6.6-0.19.1
      libpurple-2.6.6-0.19.1
      libpurple-devel-2.6.6-0.19.1
      libpurple-lang-2.6.6-0.19.1
      pidgin-2.6.6-0.19.1
      pidgin-devel-2.6.6-0.19.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      finch-2.6.6-0.19.1
      libpurple-2.6.6-0.19.1
      libpurple-lang-2.6.6-0.19.1
      libpurple-meanwhile-2.6.6-0.19.1
      libpurple-tcl-2.6.6-0.19.1
      pidgin-2.6.6-0.19.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      finch-2.6.6-0.20.1
      libpurple-2.6.6-0.20.1
      pidgin-2.6.6-0.20.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):

      finch-2.6.6-0.20.1
      finch-devel-2.6.6-0.20.1
      libpurple-2.6.6-0.20.1
      libpurple-devel-2.6.6-0.20.1
      pidgin-2.6.6-0.20.1
      pidgin-devel-2.6.6-0.20.1

References:

   http://support.novell.com/security/cve/CVE-2013-0271.html
   http://support.novell.com/security/cve/CVE-2013-0272.html
   http://support.novell.com/security/cve/CVE-2013-0273.html
   http://support.novell.com/security/cve/CVE-2013-0274.html
   https://bugzilla.novell.com/804742
   http://download.novell.com/patch/finder/?keywords=18e124b7db8b5f6aa5744f916ed16466
   http://download.novell.com/patch/finder/?keywords=51b5f7c142afdeafafca33c1a4681683

From sle-security-updates at lists.suse.com Mon Mar 4 15:04:33 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 Mar 2013 23:04:33 +0100 (CET)
Subject: SUSE-SU-2013:0389-1: Security update for Apache
Message-ID: <20130304220433.92DB827FF5@maintenance.suse.de>

SUSE Security Update: Security update for Apache
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0389-1
Rating:             low
References:         #722545 #757710 #774045 #777260 #782956 #788121 #793004
                    #798733
Cross-References:   CVE-2012-0021 CVE-2012-0883 CVE-2012-2687 CVE-2012-4557
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

   An update that solves four vulnerabilities and has four fixes is now
   available.

Description:

   This update fixes the following issues:

   * CVE-2012-4557: Denial of Service via special requests in mod_proxy_ajp
   * CVE-2012-0883: improper LD_LIBRARY_PATH handling
   * CVE-2012-2687: filename escaping problem

   Additionally, some non-security bugs have been fixed:

   * ignore case when checking against SNI server names. [bnc#798733]
   * httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff reworked to
     reflect the upstream changes. This will prevent the "Invalid URI in
     request OPTIONS *" messages in the error log. [bnc#722545]
   * new sysconfig variable APACHE_DISABLE_SSL_COMPRESSION; if set to on,
     OPENSSL_NO_DEFAULT_ZLIB will be inherited by the apache process;
     openssl will then transparently disable compression. This change
     affects the start script and the sysconfig fillup template. The
     default is on, i.e. SSL compression is disabled. Please see
     mod_deflate for compressed transfer at the HTTP layer.
     [bnc#782956]

Security Issue references:

   * CVE-2012-4557
   * CVE-2012-2687
   * CVE-2012-0883
   * CVE-2012-0021

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-apache2-7409

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-apache2-7409

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-apache2-7409

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      apache2-devel-2.2.12-1.36.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

      apache2-2.2.12-1.36.1
      apache2-doc-2.2.12-1.36.1
      apache2-example-pages-2.2.12-1.36.1
      apache2-prefork-2.2.12-1.36.1
      apache2-utils-2.2.12-1.36.1
      apache2-worker-2.2.12-1.36.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      apache2-2.2.12-1.36.1
      apache2-doc-2.2.12-1.36.1
      apache2-example-pages-2.2.12-1.36.1
      apache2-prefork-2.2.12-1.36.1
      apache2-utils-2.2.12-1.36.1
      apache2-worker-2.2.12-1.36.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      apache2-2.2.12-1.36.1
      apache2-doc-2.2.12-1.36.1
      apache2-example-pages-2.2.12-1.36.1
      apache2-prefork-2.2.12-1.36.1
      apache2-utils-2.2.12-1.36.1
      apache2-worker-2.2.12-1.36.1

References:

   http://support.novell.com/security/cve/CVE-2012-0021.html
   http://support.novell.com/security/cve/CVE-2012-0883.html
   http://support.novell.com/security/cve/CVE-2012-2687.html
   http://support.novell.com/security/cve/CVE-2012-4557.html
   https://bugzilla.novell.com/722545
   https://bugzilla.novell.com/757710
   https://bugzilla.novell.com/774045
   https://bugzilla.novell.com/777260
   https://bugzilla.novell.com/782956
   https://bugzilla.novell.com/788121
   https://bugzilla.novell.com/793004
   https://bugzilla.novell.com/798733
   http://download.novell.com/patch/finder/?keywords=faf6f499f41597d750ce0aecd251ed2e

From sle-security-updates at lists.suse.com Tue Mar 5 05:07:44 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 5 Mar 2013 13:07:44 +0100 (CET)
Subject: SUSE-SU-2013:0394-1: moderate: Security update for Linux kernel
Message-ID: <20130305120744.40373321EA@maintenance.suse.de>

SUSE Security Update: Security update for Linux kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0394-1
Rating:             moderate
References:         #698102 #705551 #708296 #715635 #718910 #720946 #722560
                    #723776 #725152 #725355 #729854 #730660 #731035 #731387
                    #731739 #736255 #739728 #740291 #741814 #744198 #744314
                    #744655 #744692 #745876 #746509 #748896 #749651 #752067
                    #752544 #753172 #754391 #754670 #754898 #755546 #755620
                    #756585 #758104 #758703 #760833 #761774 #761775 #762099
                    #762158 #762214 #762259 #762366 #762693 #763198 #763463
                    #763628 #763654 #763858 #763954 #763968 #764209 #764900
                    #766156 #766410 #766445 #766654 #766733 #767281 #767469
                    #767610 #767612 #767684 #767983 #768052 #768084 #768470
                    #768504 #768632 #769035 #769195 #769251 #769407 #769685
                    #769784 #769896 #770034 #770238 #770269 #770695 #770763
                    #771102 #771242 #771361 #771398 #771428 #771706 #771778
                    #772407 #772420 #772427 #772454 #772473 #772483 #772566
                    #772786 #772831 #772893 #773006 #773007 #773251 #773267
                    #773319 #773320 #773383 #773406 #773487 #773606 #773699
                    #773831 #773878 #774073 #774285 #774289 #774500 #774523
                    #774612 #774859 #774902 #774964 #774973 #775182 #775373
                    #775394 #775577 #775685 #775984 #776019 #776044 #776081
                    #776095 #776127 #776144 #776787 #776896 #777024 #777269
                    #777283 #778082 #778136 #778334 #778630 #778822 #779294
                    #779330 #779461 #779462 #779577 #779699 #779750 #779969
                    #780008 #780012 #780216 #780461 #780876 #781018 #781134
                    #781327 #781484 #781574 #782369 #782721 #783965 #784192
                    #784334 #784576 #785100 #785496 #785554
                    #785851 #786976 #787168 #787202 #787348 #787821 #787848
                    #788277 #788452 #789010 #789115 #789235 #789648 #789703
                    #789836 #789993 #790457 #790498 #790867 #790920 #790935
                    #791498 #791853 #791904 #792270 #792500 #792656 #792834
                    #793104 #793139 #793593 #793671 #794231 #795354 #795928
                    #796823 #797042 #798960 #799209 #799275 #799909
Cross-References:   CVE-2012-1601 CVE-2012-2137 CVE-2012-2372 CVE-2012-2745
                    CVE-2012-3412 CVE-2012-3430 CVE-2012-4461 CVE-2012-5517
Affected Products:
                    SUSE Linux Enterprise Real Time 11 SP2
______________________________________________________________________________

   An update that solves 8 vulnerabilities and has 206 fixes is now
   available. It includes one version update.

Description:

   The SUSE Linux Enterprise Server 11 SP2 Realtime kernel was updated to
   3.0.61, which fixes various bugs and security issues.

   The RT realtime patchset has been updated to "rt85".

   The following security issues have been fixed:

   * CVE-2012-4565: A division by zero in the TCP Illinois algorithm was
     fixed.
   * CVE-2012-0957: The UNAME26 personality leaked kernel memory
     information.
   * CVE-2012-4530: Kernel stack content was disclosed via binfmt_script
     load_script().
   * CVE-2012-1601: The KVM implementation in the Linux kernel allowed host
     OS users to cause a denial of service (NULL pointer dereference and
     host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a
     virtual CPU already exists.
   * CVE-2012-2137: Buffer overflow in virt/kvm/irq_comm.c in the KVM
     subsystem in the Linux kernel allowed local users to cause a denial of
     service (crash) and possibly execute arbitrary code via vectors related
     to Message Signaled Interrupts (MSI), irq routing entries, and an
     incorrect check by the setup_routing_entry function before invoking the
     kvm_set_irq function.
   * CVE-2012-2372: The rds_ib_xmit function in net/rds/ib_send.c in the
     Reliable Datagram Sockets (RDS) protocol implementation in the Linux
     kernel allowed local users to cause a denial of service (BUG_ON and
     kernel panic) by establishing an RDS connection with the source IP
     address equal to the IPoIB interface's own IP address, as demonstrated
     by rds-ping.
   * CVE-2012-2745: The copy_creds function in kernel/cred.c in the Linux
     kernel provided an invalid replacement session keyring to a child
     process, which allowed local users to cause a denial of service (panic)
     via a crafted application that uses the fork system call.
   * CVE-2012-3412: The sfc (aka Solarflare Solarstorm) driver in the Linux
     kernel allowed remote attackers to cause a denial of service (DMA
     descriptor consumption and network-controller outage) via crafted TCP
     packets that trigger a small MSS value.
   * CVE-2012-3430: The rds_recvmsg function in net/rds/recv.c in the Linux
     kernel did not initialize a certain structure member, which allowed
     local users to obtain potentially sensitive information from kernel
     stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS
     socket.
   * CVE-2012-4461: The KVM subsystem in the Linux kernel, when running on
     hosts that use qemu userspace without XSAVE, allowed local users to
     cause a denial of service (kernel OOPS) by using the KVM_SET_SREGS
     ioctl to set the X86_CR4_OSXSAVE bit in the guest cr4 register, then
     calling the KVM_RUN ioctl.
   * CVE-2012-5517: The online_pages function in mm/memory_hotplug.c in the
     Linux kernel allowed local users to cause a denial of service (NULL
     pointer dereference and system crash) or possibly have unspecified
     other impact in opportunistic circumstances by using memory that was
     hot-added by an administrator.

   A long list of other bugs has been fixed in this update; they were merged
   from regular SUSE Linux Enterprise 11 SP2 and are too many to list here.
   Check the kernel changelog (rpm -q --changelog kernel-rt) for a detailed
   list.
   Other Realtime / scheduling related bugfixes that have been applied:

   * kernel: broken interrupt statistics (bnc#799275, LTC#87893).
   * kernel: sched_clock() overflow (bnc#799275, LTC#87978).
   * mm: call sleep_on_page_killable from __wait_on_page_locked_killable
     (bnc#799909).
   * sched, rt: Unthrottle rt runqueues in __disable_runtime().
   * Add upstream group scheduling starvation fix.
   * sched/rt: Fix SCHED_RR across cgroups.
   * sched/rt: Do not throttle when PI boosting.
   * sched/rt: Keep period timer ticking when rt throttling is active.
   * sched/rt: Prevent idle task boosting.
   * mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT
     (bnc#791904).
   * kabi fixup for mm: limit mmu_gather batching to fix soft lockups on
     !CONFIG_PREEMPT (bnc#791904).
   * mm: compaction: Abort async compaction if locks are contended or taking
     too long.
   * mm: compaction: abort compaction loop if lock is contended or run too
     long.
   * mm: compaction: acquire the zone->lock as late as possible.
   * mm: compaction: acquire the zone->lru_lock as late as possible.
   * mm: compaction: move fatal signal check out of
     compact_checklock_irqsave. Reduce LRU and zone lock contention when
     compacting memory for THP (bnc#796823).
   * Update to -rt82
   * sched: Adjust sched_reset_on_fork when nothing else changes.
   * sched: Queue RT tasks to head when prio drops.
   * sched: Consider pi boosting in setscheduler.
   * workqueue: exit rescuer_thread() as TASK_RUNNING (bnc#789993).
   * Update to -rt74
   * softirq: Init softirq local lock after per cpu section is set up.
   * mm: slab: Fix potential deadlock.
   * mm: page_alloc: Use local_lock_on() instead of plain spinlock.
   * rt: rwsem/rwlock: lockdep annotations.
   * hrtimer: Raise softirq if hrtimer irq stalled.
   * rcu: Disable RCU_FAST_NO_HZ on RT.
   * net: netfilter: Serialize xt_write_recseq sections on RT.
   * Change 'goto' target to avoid pointless 'bug' messages in normal error
     cases. (bnc#787848)
   * intel_idle: IVB support (fate#313719).
   * perf: Do no try to schedule task events if there are none
     (bnc#781574).
   * perf: Do not set task_ctx pointer in cpuctx if there are no events in
     the context (bnc#781574).
   * hpwdt: Only BYTE reads/writes to WD Timer port 0x72.
   * Merge SLE11-SP2 rpm-3.0.38-0.5-122-g2890aac, and update to -rt65
   * New rt patches:
     * patches.rt/0408-fix-printk-flush-of-messages.patch: fix printk flush
       of messages.
     * patches.rt/0411-fix-printk-flush-of-messages.patch: fix printk flush
       of messages.
   * sched: Fix ancient race in do_exit() (bnc#781018).
   * Merge SLE11-SP2, and update -rt version to rt61. No rt changes this
     merge.
   * Kill apply/revert dance below that evolved over 3.0-rt development.
     It's all in history, and now just gets in the way of stable commit
     b1c7ba1bab7363fee6dc5d4ee5be4e916adcf691: workqueue: perform cpu down
     operations from low priority cpu_notifier()
   * Freezer / sunrpc / NFS: don't allow TASK_KILLABLE sleeps to block the
     freezer (bnc#775182).
   * Merge SP2 and update rt version to -rt59 to match rt-mainline.
   * sched: fix divide by zero in thread_group/task_times() (bnc#761774).
   * sched: fix migration thread runtime bogosity (bnc#773699, bnc#769251).
   * Silence useless NOHZ: local_softirq_pending warning. If the
     local_softirq_lock for a softirq is held, don't gripe, there's nothing
     to be done about it. The nohz code will prevent shutting down the tick,
     with the same result as nohz=off; the pending softirq will be run when
     it can be. What we _can_ do is wake the appropriate softirq thread to
     potentially PI boost the lock holder, so do that.
   * mm: use cpu_chill() in spin_trylock_page() and cancel on immediately
     RT. (bnc#768470)
   * Update config files.
     o Unset CONFIG_WATCHDOG_NOWAYOUT to prevent reboot of openais on
       service stop. (bnc#756585)
   * sched: Make sure to not re-read variables after validation
     (bnc#769685).
Security Issue references:

   * CVE-2012-1601
   * CVE-2012-2137
   * CVE-2012-2372
   * CVE-2012-2745
   * CVE-2012-3412
   * CVE-2012-3430
   * CVE-2012-4461
   * CVE-2012-5517

Indications:

   Everyone using the Real Time Linux Kernel on x86_64 architecture should
   update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time 11 SP2:

      zypper in -t patch slertesp2-kernel-7433

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Real Time 11 SP2 (x86_64) [New Version: 3.0.61.rt85]:

      cluster-network-kmp-rt-1.4_3.0.61_rt85_0.7-2.18.23
      cluster-network-kmp-rt_trace-1.4_3.0.61_rt85_0.7-2.18.23
      drbd-kmp-rt-8.4.2_3.0.61_rt85_0.7-0.6.6.14
      drbd-kmp-rt_trace-8.4.2_3.0.61_rt85_0.7-0.6.6.14
      iscsitarget-kmp-rt-1.4.20_3.0.61_rt85_0.7-0.23.20
      iscsitarget-kmp-rt_trace-1.4.20_3.0.61_rt85_0.7-0.23.20
      kernel-rt-3.0.61.rt85-0.7.1
      kernel-rt-base-3.0.61.rt85-0.7.1
      kernel-rt-devel-3.0.61.rt85-0.7.1
      kernel-rt_trace-3.0.61.rt85-0.7.1
      kernel-rt_trace-base-3.0.61.rt85-0.7.1
      kernel-rt_trace-devel-3.0.61.rt85-0.7.1
      kernel-source-rt-3.0.61.rt85-0.7.1
      kernel-syms-rt-3.0.61.rt85-0.7.1
      lttng-modules-kmp-rt-2.0.4_3.0.61_rt85_0.7-0.7.19
      lttng-modules-kmp-rt_trace-2.0.4_3.0.61_rt85_0.7-0.7.19
      ocfs2-kmp-rt-1.6_3.0.61_rt85_0.7-0.11.22
      ocfs2-kmp-rt_trace-1.6_3.0.61_rt85_0.7-0.11.22
      ofed-kmp-rt-1.5.2_3.0.61_rt85_0.7-0.26.22
      ofed-kmp-rt_trace-1.5.2_3.0.61_rt85_0.7-0.26.22

References:

   http://support.novell.com/security/cve/CVE-2012-1601.html
   http://support.novell.com/security/cve/CVE-2012-2137.html
   http://support.novell.com/security/cve/CVE-2012-2372.html
   http://support.novell.com/security/cve/CVE-2012-2745.html
   http://support.novell.com/security/cve/CVE-2012-3412.html
   http://support.novell.com/security/cve/CVE-2012-3430.html
   http://support.novell.com/security/cve/CVE-2012-4461.html
   http://support.novell.com/security/cve/CVE-2012-5517.html
   https://bugzilla.novell.com/698102
   https://bugzilla.novell.com/705551
   https://bugzilla.novell.com/708296
   https://bugzilla.novell.com/715635
   https://bugzilla.novell.com/718910
   https://bugzilla.novell.com/720946
   https://bugzilla.novell.com/722560
   https://bugzilla.novell.com/723776
   https://bugzilla.novell.com/725152
   https://bugzilla.novell.com/725355
   https://bugzilla.novell.com/729854
   https://bugzilla.novell.com/730660
   https://bugzilla.novell.com/731035
   https://bugzilla.novell.com/731387
   https://bugzilla.novell.com/731739
   https://bugzilla.novell.com/736255
   https://bugzilla.novell.com/739728
   https://bugzilla.novell.com/740291
   https://bugzilla.novell.com/741814
   https://bugzilla.novell.com/744198
   https://bugzilla.novell.com/744314
   https://bugzilla.novell.com/744655
   https://bugzilla.novell.com/744692
   https://bugzilla.novell.com/745876
   https://bugzilla.novell.com/746509
   https://bugzilla.novell.com/748896
   https://bugzilla.novell.com/749651
   https://bugzilla.novell.com/752067
   https://bugzilla.novell.com/752544
   https://bugzilla.novell.com/753172
   https://bugzilla.novell.com/754391
   https://bugzilla.novell.com/754670
   https://bugzilla.novell.com/754898
   https://bugzilla.novell.com/755546
   https://bugzilla.novell.com/755620
   https://bugzilla.novell.com/756585
   https://bugzilla.novell.com/758104
   https://bugzilla.novell.com/758703
   https://bugzilla.novell.com/760833
   https://bugzilla.novell.com/761774
   https://bugzilla.novell.com/761775
   https://bugzilla.novell.com/762099
   https://bugzilla.novell.com/762158
   https://bugzilla.novell.com/762214
   https://bugzilla.novell.com/762259
   https://bugzilla.novell.com/762366
   https://bugzilla.novell.com/762693
   https://bugzilla.novell.com/763198
   https://bugzilla.novell.com/763463
   https://bugzilla.novell.com/763628
   https://bugzilla.novell.com/763654
   https://bugzilla.novell.com/763858
   https://bugzilla.novell.com/763954
   https://bugzilla.novell.com/763968
   https://bugzilla.novell.com/764209
   https://bugzilla.novell.com/764900
   https://bugzilla.novell.com/766156
   https://bugzilla.novell.com/766410
   https://bugzilla.novell.com/766445
   https://bugzilla.novell.com/766654
   https://bugzilla.novell.com/766733
   https://bugzilla.novell.com/767281
   https://bugzilla.novell.com/767469
   https://bugzilla.novell.com/767610
   https://bugzilla.novell.com/767612
   https://bugzilla.novell.com/767684
   https://bugzilla.novell.com/767983
   https://bugzilla.novell.com/768052
   https://bugzilla.novell.com/768084
   https://bugzilla.novell.com/768470
   https://bugzilla.novell.com/768504
   https://bugzilla.novell.com/768632
   https://bugzilla.novell.com/769035
   https://bugzilla.novell.com/769195
   https://bugzilla.novell.com/769251
   https://bugzilla.novell.com/769407
   https://bugzilla.novell.com/769685
   https://bugzilla.novell.com/769784
   https://bugzilla.novell.com/769896
   https://bugzilla.novell.com/770034
   https://bugzilla.novell.com/770238
   https://bugzilla.novell.com/770269
   https://bugzilla.novell.com/770695
   https://bugzilla.novell.com/770763
   https://bugzilla.novell.com/771102
   https://bugzilla.novell.com/771242
   https://bugzilla.novell.com/771361
   https://bugzilla.novell.com/771398
   https://bugzilla.novell.com/771428
   https://bugzilla.novell.com/771706
   https://bugzilla.novell.com/771778
   https://bugzilla.novell.com/772407
   https://bugzilla.novell.com/772420
   https://bugzilla.novell.com/772427
   https://bugzilla.novell.com/772454
   https://bugzilla.novell.com/772473
   https://bugzilla.novell.com/772483
   https://bugzilla.novell.com/772566
   https://bugzilla.novell.com/772786
   https://bugzilla.novell.com/772831
   https://bugzilla.novell.com/772893
   https://bugzilla.novell.com/773006
   https://bugzilla.novell.com/773007
   https://bugzilla.novell.com/773251
   https://bugzilla.novell.com/773267
   https://bugzilla.novell.com/773319
   https://bugzilla.novell.com/773320
   https://bugzilla.novell.com/773383
   https://bugzilla.novell.com/773406
   https://bugzilla.novell.com/773487
   https://bugzilla.novell.com/773606
   https://bugzilla.novell.com/773699
   https://bugzilla.novell.com/773831
   https://bugzilla.novell.com/773878
   https://bugzilla.novell.com/774073
   https://bugzilla.novell.com/774285
   https://bugzilla.novell.com/774289
   https://bugzilla.novell.com/774500
   https://bugzilla.novell.com/774523
   https://bugzilla.novell.com/774612
   https://bugzilla.novell.com/774859
   https://bugzilla.novell.com/774902
   https://bugzilla.novell.com/774964
   https://bugzilla.novell.com/774973
   https://bugzilla.novell.com/775182
   https://bugzilla.novell.com/775373
   https://bugzilla.novell.com/775394
   https://bugzilla.novell.com/775577
   https://bugzilla.novell.com/775685
   https://bugzilla.novell.com/775984
   https://bugzilla.novell.com/776019
   https://bugzilla.novell.com/776044
   https://bugzilla.novell.com/776081
   https://bugzilla.novell.com/776095
   https://bugzilla.novell.com/776127
   https://bugzilla.novell.com/776144
   https://bugzilla.novell.com/776787
   https://bugzilla.novell.com/776896
   https://bugzilla.novell.com/777024
   https://bugzilla.novell.com/777269
   https://bugzilla.novell.com/777283
   https://bugzilla.novell.com/778082
   https://bugzilla.novell.com/778136
   https://bugzilla.novell.com/778334
   https://bugzilla.novell.com/778630
   https://bugzilla.novell.com/778822
   https://bugzilla.novell.com/779294
   https://bugzilla.novell.com/779330
   https://bugzilla.novell.com/779461
   https://bugzilla.novell.com/779462
   https://bugzilla.novell.com/779577
   https://bugzilla.novell.com/779699
   https://bugzilla.novell.com/779750
   https://bugzilla.novell.com/779969
   https://bugzilla.novell.com/780008
   https://bugzilla.novell.com/780012
   https://bugzilla.novell.com/780216
   https://bugzilla.novell.com/780461
   https://bugzilla.novell.com/780876
   https://bugzilla.novell.com/781018
   https://bugzilla.novell.com/781134
   https://bugzilla.novell.com/781327
   https://bugzilla.novell.com/781484
   https://bugzilla.novell.com/781574
   https://bugzilla.novell.com/782369
   https://bugzilla.novell.com/782721
   https://bugzilla.novell.com/783965
   https://bugzilla.novell.com/784192
   https://bugzilla.novell.com/784334
   https://bugzilla.novell.com/784576
   https://bugzilla.novell.com/785100
   https://bugzilla.novell.com/785496
   https://bugzilla.novell.com/785554
   https://bugzilla.novell.com/785851
   https://bugzilla.novell.com/786976
   https://bugzilla.novell.com/787168
   https://bugzilla.novell.com/787202
   https://bugzilla.novell.com/787348
   https://bugzilla.novell.com/787821
   https://bugzilla.novell.com/787848
   https://bugzilla.novell.com/788277
   https://bugzilla.novell.com/788452
   https://bugzilla.novell.com/789010
   https://bugzilla.novell.com/789115
   https://bugzilla.novell.com/789235
   https://bugzilla.novell.com/789648
   https://bugzilla.novell.com/789703
   https://bugzilla.novell.com/789836
   https://bugzilla.novell.com/789993
   https://bugzilla.novell.com/790457
   https://bugzilla.novell.com/790498
   https://bugzilla.novell.com/790867
   https://bugzilla.novell.com/790920
   https://bugzilla.novell.com/790935
   https://bugzilla.novell.com/791498
   https://bugzilla.novell.com/791853
   https://bugzilla.novell.com/791904
   https://bugzilla.novell.com/792270
   https://bugzilla.novell.com/792500
   https://bugzilla.novell.com/792656
   https://bugzilla.novell.com/792834
   https://bugzilla.novell.com/793104
   https://bugzilla.novell.com/793139
   https://bugzilla.novell.com/793593
   https://bugzilla.novell.com/793671
   https://bugzilla.novell.com/794231
   https://bugzilla.novell.com/795354
   https://bugzilla.novell.com/795928
   https://bugzilla.novell.com/796823
   https://bugzilla.novell.com/797042
   https://bugzilla.novell.com/798960
   https://bugzilla.novell.com/799209
   https://bugzilla.novell.com/799275
   https://bugzilla.novell.com/799909
   http://download.novell.com/patch/finder/?keywords=bb0aa1dbfea22b088bd77c648de9ca4e

From sle-security-updates at lists.suse.com Wed Mar 6 15:04:29 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Mar 2013 23:04:29 +0100 (CET)
Subject: SUSE-SU-2013:0400-1: moderate: Security update for openstack-nova
Message-ID: <20130306220429.24BB63213D@maintenance.suse.de>

SUSE Security Update: Security update for openstack-nova
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0400-1
Rating:             moderate
References:         #799785
Cross-References:   CVE-2013-0208 CVE-2013-0212
Affected Products:
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   OpenStack Nova has been updated to fix booting from volumes the caller is
   not allowed to use:

   * Phil Day from HP reported a vulnerability in volume attachment in
     nova-volume, affecting the boot-from-volume feature. By passing a
     specific volume ID, an authenticated user may be able to boot from a
     volume he doesn't own, potentially resulting in full access to that
     third-party volume's contents. (CVE-2013-0208)

Security Issue references:

   * CVE-2013-0208
   * CVE-2013-0212

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 1.0:

      zypper in -t patch sleclo10sp2-openstack-nova-7315

   To bring your system up-to-date, use "zypper patch".
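The ownership check that the nova-volume issue above (CVE-2013-0208) boils down to, shown as an added example that is not code from Nova or from SUSE: an unscoped lookup by volume ID beside a tenant-scoped one, plus a small replay helper a defender can run over request logs. The volume inventory, tenant names and function names are constructed for illustration.

```python
"""Tenant-scoped volume lookup for boot-from-volume (illustrative, not Nova code).

The advisory describes nova-volume resolving a volume purely by its ID, so an
authenticated user could name a volume owned by another tenant and boot from
it.  The defensive pattern is to make the tenant a parameter of the lookup
itself, so no code path can reach a volume without the ownership filter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Volume:
    volume_id: str
    project_id: str  # owning tenant
    status: str      # e.g. "available", "in-use"


class VolumeNotFound(Exception):
    pass


class VolumeUnavailable(Exception):
    pass


# Constructed sample inventory (hypothetical IDs, not real volumes).
VOLUMES = {
    "vol-1111": Volume("vol-1111", "tenant-a", "available"),
    "vol-2222": Volume("vol-2222", "tenant-b", "available"),
    "vol-3333": Volume("vol-3333", "tenant-a", "in-use"),
}


def lookup_volume_unscoped(volume_id):
    """Vulnerable pattern: resolve by ID only; callers are trusted to check."""
    try:
        return VOLUMES[volume_id]
    except KeyError:
        raise VolumeNotFound(volume_id)


def lookup_volume_scoped(volume_id, project_id):
    """Hardened pattern: the tenant is part of the query.

    Answering "not found" for another tenant's volume (instead of "not
    authorized") also avoids confirming that a guessed ID exists.
    """
    vol = VOLUMES.get(volume_id)
    if vol is None or vol.project_id != project_id:
        raise VolumeNotFound(volume_id)
    return vol


def boot_from_volume(caller_project_id, volume_id, scoped=True):
    """Return the volume an instance would boot from, after the checks.

    scoped=False selects the unscoped lookup, i.e. the unpatched behaviour
    the advisory describes; scoped=True is the fixed behaviour.
    """
    if scoped:
        vol = lookup_volume_scoped(volume_id, caller_project_id)
    else:
        vol = lookup_volume_unscoped(volume_id)
    if vol.status != "available":
        raise VolumeUnavailable("%s is %s" % (volume_id, vol.status))
    return vol


def boot_allowed(caller_project_id, volume_id, scoped=True):
    """True if boot_from_volume would succeed for this caller."""
    try:
        boot_from_volume(caller_project_id, volume_id, scoped=scoped)
        return True
    except (VolumeNotFound, VolumeUnavailable):
        return False


def audit_cross_tenant_boots(requests):
    """Replay (caller tenant, volume_id) pairs taken from request logs and
    report those the unscoped path would have served from another tenant's
    volume: (caller, volume_id, actual owner)."""
    findings = []
    for project_id, volume_id in requests:
        try:
            vol = lookup_volume_unscoped(volume_id)
        except VolumeNotFound:
            continue
        if vol.project_id != project_id:
            findings.append((project_id, volume_id, vol.project_id))
    return findings
```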
Package List:

   - SUSE Cloud 1.0 (x86_64):

      openstack-nova-2012.1+git.1351668974.0edd3cb-0.7.1
      openstack-nova-api-2012.1+git.1351668974.0edd3cb-0.7.1
      openstack-nova-cert-2012.1+git.1351668974.0edd3cb-0.7.1
      openstack-nova-compute-2012.1+git.1351668974.0edd3cb-0.7.1
      openstack-nova-network-2012.1+git.1351668974.0edd3cb-0.7.1
      openstack-nova-objectstore-2012.1+git.1351668974.0edd3cb-0.7.1
      openstack-nova-scheduler-2012.1+git.1351668974.0edd3cb-0.7.1
      openstack-nova-vncproxy-2012.1+git.1351668974.0edd3cb-0.7.1
      openstack-nova-volume-2012.1+git.1351668974.0edd3cb-0.7.1
      python-nova-2012.1+git.1351668974.0edd3cb-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2013-0208.html
   http://support.novell.com/security/cve/CVE-2013-0212.html
   https://bugzilla.novell.com/799785
   http://download.novell.com/patch/finder/?keywords=beb33f4486b001718a6b6f5c9bcb6daa

From sle-security-updates at lists.suse.com Wed Mar 6 15:04:33 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Mar 2013 23:04:33 +0100 (CET)
Subject: SUSE-SU-2013:0401-1: moderate: Security update for openstack-glance
Message-ID: <20130306220433.DA0323216A@maintenance.suse.de>

SUSE Security Update: Security update for openstack-glance
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0401-1
Rating:             moderate
References:         #787814 #800023
Cross-References:   CVE-2013-0208 CVE-2013-0212
Affected Products:
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   OpenStack Glance has been updated to fix a password leak.
(CVE-2013-0212) It has also been updated to the latest git version (efd7e75) which includes: * pin sqlalchemy to the 0.7 series * Ensure image owned by user before delayed_deletion Security Issue references: * CVE-2013-0208 * CVE-2013-0212 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Cloud 1.0: zypper in -t patch sleclo10sp2-openstack-glance-7313 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Cloud 1.0 (x86_64): openstack-glance-2012.1+git.1352338057.efd7e75-0.5.1 python-glance-2012.1+git.1352338057.efd7e75-0.5.1 References: http://support.novell.com/security/cve/CVE-2013-0208.html http://support.novell.com/security/cve/CVE-2013-0212.html https://bugzilla.novell.com/787814 https://bugzilla.novell.com/800023 http://download.novell.com/patch/finder/?keywords=0954d4d233c11eb02f7bf4024cd71bb9 From sle-security-updates at lists.suse.com Wed Mar 6 15:04:38 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 Mar 2013 23:04:38 +0100 (CET) Subject: SUSE-SU-2013:0402-1: moderate: Security update for openstack-keystone Message-ID: <20130306220438.6BE1C3216A@maintenance.suse.de> SUSE Security Update: Security update for openstack-keystone ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0402-1 Rating: moderate References: #801289 Cross-References: CVE-2013-0247 Affected Products: SUSE Cloud 1.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: OpenStack Keystone has been updated to fix a security problem: * Dan Prince of Red Hat reported a vulnerability in token creation error handling in Keystone. 
     By requesting lots of invalid tokens, an unauthenticated user may
     fill up logs on Keystone API servers' disks, potentially resulting
     in a denial of service attack against Keystone. (CVE-2013-0247)

Security Issue reference:

   * CVE-2013-0247

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 1.0:

      zypper in -t patch sleclo10sp2-openstack-keystone-7314

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 1.0 (x86_64):

      openstack-keystone-2012.1+git.1353613280.c17a999-0.7.1
      openstack-keystone-doc-2012.1+git.1353613280.c17a999-0.7.1
      python-keystone-2012.1+git.1353613280.c17a999-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2013-0247.html
   https://bugzilla.novell.com/801289
   http://download.novell.com/patch/finder/?keywords=08f520d613c55ed089a408cb68b2e876

From sle-security-updates at lists.suse.com  Fri Mar 8 14:04:41 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 8 Mar 2013 22:04:41 +0100 (CET)
Subject: SUSE-SU-2013:0410-1: important: Security update for Mozilla Firefox
Message-ID: <20130308210441.32A4832168@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0410-1
Rating:             important
References:         #804248 #806669
Cross-References:   CVE-2013-0765 CVE-2013-0772 CVE-2013-0773 CVE-2013-0774
                    CVE-2013-0775 CVE-2013-0776 CVE-2013-0780 CVE-2013-0782
                    CVE-2013-0783
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available. It includes
   three new package versions.
Description:

   MozillaFirefox has been updated to the 17.0.3ESR release.

   Important: due to compatibility issues, the Beagle plug-in for
   MozillaFirefox is temporarily disabled by this update.

   Besides the major version update from the 10ESR stable release line to
   the 17ESR stable release line, this update brings critical security and
   bugfixes:

   * MFSA 2013-28: Security researcher Abhishek Arya (Inferno) of the
     Google Chrome Security Team used the Address Sanitizer tool to
     discover a series of use-after-free, out of bounds read, and buffer
     overflow problems rated as low to critical security issues in shipped
     software. Some of these issues are potentially exploitable, allowing
     for remote code execution. We would also like to thank Abhishek for
     reporting four additional use-after-free and out of bounds write
     flaws introduced during Firefox development that were fixed before
     general release.

   * The following issues have been fixed in Firefox 19 and ESR 17.0.3:

     o Heap-use-after-free in nsOverflowContinuationTracker::Finish, with
       -moz-columns (CVE-2013-0780)
     o Heap-buffer-overflow WRITE in nsSaveAsCharset::DoCharsetConversion
       (CVE-2013-0782)

   * MFSA 2013-27 / CVE-2013-0776: Google security researcher Michal
     Zalewski reported an issue where the browser displayed the content of
     a proxy's 407 response if a user canceled the proxy's authentication
     prompt. In this circumstance, the addressbar will continue to show
     the requested site's address, including HTTPS addresses that appear
     to be secure. This spoofing of addresses can be used for phishing
     attacks by fooling users into entering credentials, for example.

   * MFSA 2013-26 / CVE-2013-0775: Security researcher Nils reported a
     use-after-free in nsImageLoadingContent when content script is
     executed. This could allow for arbitrary code execution.
   * MFSA 2013-25 / CVE-2013-0774: Mozilla security researcher Frederik
     Braun discovered that since Firefox 15 the file system location of
     the active browser profile was available to JavaScript workers. While
     not dangerous by itself, this could potentially be combined with
     other vulnerabilities to target the profile in an attack.

   * MFSA 2013-24 / CVE-2013-0773: Mozilla developer Bobby Holley
     discovered that it was possible to bypass some protections in Chrome
     Object Wrappers (COW) and System Only Wrappers (SOW), making their
     prototypes mutable by web content. This could be used to leak
     information from chrome objects and possibly allow for arbitrary code
     execution.

   * MFSA 2013-23 / CVE-2013-0765: Mozilla developer Boris Zbarsky
     reported that in some circumstances a wrapped WebIDL object can be
     wrapped multiple times, overwriting the existing wrapped state. This
     could lead to an exploitable condition in rare cases.

   * MFSA 2013-22 / CVE-2013-0772: Using the Address Sanitizer tool,
     security researcher Atte Kettunen from OUSPG found an out-of-bounds
     read while rendering GIF format images. This could cause a
     non-exploitable crash and could also attempt to render normally
     inaccessible data as part of the image.

   * MFSA 2013-21: Mozilla developers identified and fixed several memory
     safety bugs in the browser engine used in Firefox and other
     Mozilla-based products. Some of these bugs showed evidence of memory
     corruption under certain circumstances, and we presume that with
     enough effort at least some of these could be exploited to run
     arbitrary code. Olli Pettay, Christoph Diehl, Gary Kwong, Jesse
     Ruderman, Andrew McCreight, Joe Drew, and Wayne Mery reported memory
     safety problems and crashes that affect Firefox ESR 17, and Firefox
     18.

   * Memory safety bugs fixed in Firefox ESR 17.0.3, and Firefox 19
     (CVE-2013-0783).
Security Issue references:

   * CVE-2013-0780
   * CVE-2013-0782
   * CVE-2013-0776
   * CVE-2013-0775
   * CVE-2013-0774
   * CVE-2013-0773
   * CVE-2013-0765
   * CVE-2013-0772
   * CVE-2013-0783

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-firefox-201303-7447

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-firefox-201303-7447

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-firefox-201303-7447

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-firefox-201303-7447

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.14.2 and 4.9.5]:

      mozilla-nspr-devel-4.9.5-0.3.2
      mozilla-nss-devel-3.14.2-0.4.3.2

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 s390x x86_64):

      beagle-0.3.8-56.51.1
      beagle-lang-0.3.8-56.44.45.129

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

      beagle-devel-0.3.8-56.51.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 17.0.3esr,3.14.2 and 4.9.5]:

      MozillaFirefox-17.0.3esr-0.4.4.1
      MozillaFirefox-translations-17.0.3esr-0.4.4.1
      libfreebl3-3.14.2-0.4.3.2
      mozilla-nspr-4.9.5-0.3.2
      mozilla-nss-3.14.2-0.4.3.2
      mozilla-nss-tools-3.14.2-0.4.3.2

   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 3.14.2 and 4.9.5]:

      libfreebl3-32bit-3.14.2-0.4.3.2
      mozilla-nspr-32bit-4.9.5-0.3.2
      mozilla-nss-32bit-3.14.2-0.4.3.2

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 17.0.3esr,3.14.2 and 4.9.5]:

      MozillaFirefox-17.0.3esr-0.4.4.1
      MozillaFirefox-branding-SLED-7-0.6.9.5
      MozillaFirefox-translations-17.0.3esr-0.4.4.1
      libfreebl3-3.14.2-0.4.3.2
      mozilla-nspr-4.9.5-0.3.2
      mozilla-nss-3.14.2-0.4.3.2
      mozilla-nss-tools-3.14.2-0.4.3.2

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 3.14.2 and 4.9.5]:

      libfreebl3-32bit-3.14.2-0.4.3.2
      mozilla-nspr-32bit-4.9.5-0.3.2
      mozilla-nss-32bit-3.14.2-0.4.3.2

   - SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 3.14.2 and 4.9.5]:

      libfreebl3-x86-3.14.2-0.4.3.2
      mozilla-nspr-x86-4.9.5-0.3.2
      mozilla-nss-x86-3.14.2-0.4.3.2

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 17.0.3esr,3.14.2 and 4.9.5]:

      MozillaFirefox-17.0.3esr-0.4.4.1
      MozillaFirefox-branding-SLED-7-0.6.9.5
      MozillaFirefox-translations-17.0.3esr-0.4.4.1
      beagle-0.3.8-56.51.1
      beagle-evolution-0.3.8-56.51.1
      beagle-firefox-0.3.8-56.51.1
      beagle-gui-0.3.8-56.51.1
      beagle-lang-0.3.8-56.51.1
      libfreebl3-3.14.2-0.4.3.2
      mhtml-firefox-0.5-1.47.51.5
      mozilla-nspr-4.9.5-0.3.2
      mozilla-nss-3.14.2-0.4.3.2
      mozilla-nss-tools-3.14.2-0.4.3.2

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 3.14.2 and 4.9.5]:

      libfreebl3-32bit-3.14.2-0.4.3.2
      mozilla-nspr-32bit-4.9.5-0.3.2
      mozilla-nss-32bit-3.14.2-0.4.3.2

References:

   http://support.novell.com/security/cve/CVE-2013-0765.html
   http://support.novell.com/security/cve/CVE-2013-0772.html
   http://support.novell.com/security/cve/CVE-2013-0773.html
   http://support.novell.com/security/cve/CVE-2013-0774.html
   http://support.novell.com/security/cve/CVE-2013-0775.html
   http://support.novell.com/security/cve/CVE-2013-0776.html
   http://support.novell.com/security/cve/CVE-2013-0780.html
   http://support.novell.com/security/cve/CVE-2013-0782.html
   http://support.novell.com/security/cve/CVE-2013-0783.html
   https://bugzilla.novell.com/804248
   https://bugzilla.novell.com/806669
   http://download.novell.com/patch/finder/?keywords=8807d796dff1dcb5ceabc4ae693cc9c4

From sle-security-updates at lists.suse.com  Tue Mar 12 11:04:40 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Mar 2013 18:04:40 +0100 (CET)
Subject: SUSE-SU-2013:0434-1: critical: Security update for Java
Message-ID: <20130312170440.4199427FA4@maintenance.suse.de>

SUSE Security Update: Security update for Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0434-1
Rating:             critical
References:         #807487
Cross-References:   CVE-2013-0809 CVE-2013-1493
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This release of Icedtea6-1.12.4 fixes the following two issues that
   allowed a remote attacker to execute arbitrary code remotely by
   providing crafted images to the affected code.

   * CVE-2013-0809: CVSS v2 Base Score: 6.8 (critical)
     (AV:N/AC:M/Au:N/C:P/I:P/A:P): Insufficient Information (CWE-noinfo)
   * CVE-2013-1493: CVSS v2 Base Score: 6.8 (critical)
     (AV:N/AC:M/Au:N/C:P/I:P/A:P): Buffer Errors (CWE-119)

Security Issue references:

   * CVE-2013-0809
   * CVE-2013-1493

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-java-1_6_0-openjdk-7457

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      java-1_6_0-openjdk-1.6.0.0_b27.1.12.4-0.2.1
      java-1_6_0-openjdk-demo-1.6.0.0_b27.1.12.4-0.2.1
      java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.4-0.2.1

References:

   http://support.novell.com/security/cve/CVE-2013-0809.html
   http://support.novell.com/security/cve/CVE-2013-1493.html
   https://bugzilla.novell.com/807487
   http://download.novell.com/patch/finder/?keywords=b123f43a2f91b6662161836877dd2663

From sle-security-updates at lists.suse.com  Tue Mar 12 11:04:49 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Mar 2013 18:04:49 +0100 (CET)
Subject: SUSE-SU-2013:0435-1: moderate: Security update for ruby
Message-ID: <20130312170449.10B3727FA4@maintenance.suse.de>

SUSE Security Update: Security update for ruby
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0435-1
Rating:             moderate
References:         #783525
Cross-References:   CVE-2012-4522
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The ruby interpreter received a fix for a security issue:

   * CVE-2012-4466: Ruby's $SAFE mechanism enables untrusted user code to
     run in $SAFE >= 4 mode. This is a kind of sandboxing, so some
     operations are restricted in that mode to protect other data outside
     the sandbox. The problem found was around this mechanism.
     Exception#to_s, NameError#to_s, and the interpreter-internal API
     name_err_mesg_to_s() were not correctly handling the $SAFE bits, so a
     String object which is not tainted can destructively be marked as
     tainted using them. Using this, untrusted code in a sandbox can
     modify a formerly-untainted string destructively.
     http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/

Security Issue references:

   * CVE-2012-4522

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-ruby-7386

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-ruby-7386

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-ruby-7386

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-ruby-7386

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      ruby-devel-1.8.7.p357-0.9.9.1
      ruby-doc-html-1.8.7.p357-0.9.9.1
      ruby-doc-ri-1.8.7.p357-0.9.9.1
      ruby-examples-1.8.7.p357-0.9.9.1
      ruby-test-suite-1.8.7.p357-0.9.9.1
      ruby-tk-1.8.7.p357-0.9.9.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      ruby-1.8.7.p357-0.9.9.1
      ruby-doc-html-1.8.7.p357-0.9.9.1
      ruby-tk-1.8.7.p357-0.9.9.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      ruby-1.8.7.p357-0.9.9.1
      ruby-doc-html-1.8.7.p357-0.9.9.1
      ruby-tk-1.8.7.p357-0.9.9.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      ruby-1.8.7.p357-0.9.9.1

References:

   http://support.novell.com/security/cve/CVE-2012-4522.html
   https://bugzilla.novell.com/783525
   http://download.novell.com/patch/finder/?keywords=5ac69a022ffa717bb70bba9bdcbc60ca

From sle-security-updates at lists.suse.com  Tue Mar 12 17:05:28 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Mar 2013 00:05:28 +0100 (CET)
Subject: SUSE-SU-2013:0440-1: important: Security update for Java
Message-ID: <20130312230528.14CC432183@maintenance.suse.de>

SUSE Security Update: Security update for Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0440-1
Rating:             important
References:         #798535
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Java 11 SP2
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 7 was updated to SR4, fixing various critical security issues
   and bugs.

   Please see the IBM JDK Alert page for more information:

   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1487, CVE-2013-1486, CVE-2013-1478,
   CVE-2013-0445, CVE-2013-1480, CVE-2013-0441, CVE-2013-1476,
   CVE-2012-1541, CVE-2013-0446, CVE-2012-3342, CVE-2013-0442,
   CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428,
   CVE-2012-3213, CVE-2013-0419, CVE-2013-0423, CVE-2013-0351,
   CVE-2013-0432, CVE-2013-1473, CVE-2013-0435, CVE-2013-0434,
   CVE-2013-0409, CVE-2013-0427, CVE-2013-0433, CVE-2013-0424,
   CVE-2013-0440, CVE-2013-0438, CVE-2013-0443, CVE-2013-1484,
   CVE-2013-1485, CVE-2013-0437, CVE-2013-0444, CVE-2013-0449,
   CVE-2013-0431, CVE-2013-0422, CVE-2012-3174.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-java-1_7_0-ibm-7454

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-java-1_7_0-ibm-7454

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-java-1_7_0-ibm-7454

   - SUSE Linux Enterprise Java 11 SP2:

      zypper in -t patch slejsp2-java-1_7_0-ibm-7454

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_7_0-ibm-devel-1.7.0_sr4.0-0.6.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      java-1_7_0-ibm-1.7.0_sr4.0-0.6.1
      java-1_7_0-ibm-jdbc-1.7.0_sr4.0-0.6.1
      java-1_7_0-ibm-plugin-1.7.0_sr4.0-0.6.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586):

      java-1_7_0-ibm-alsa-1.7.0_sr4.0-0.6.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr4.0-0.6.1
      java-1_7_0-ibm-jdbc-1.7.0_sr4.0-0.6.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64):

      java-1_7_0-ibm-plugin-1.7.0_sr4.0-0.6.1

   - SUSE Linux Enterprise Server 11 SP2 (i586):

      java-1_7_0-ibm-alsa-1.7.0_sr4.0-0.6.1

   - SUSE Linux Enterprise Java 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr4.0-0.6.1
      java-1_7_0-ibm-devel-1.7.0_sr4.0-0.6.1
      java-1_7_0-ibm-jdbc-1.7.0_sr4.0-0.6.1

   - SUSE Linux Enterprise Java 11 SP2 (i586 x86_64):

      java-1_7_0-ibm-alsa-1.7.0_sr4.0-0.6.1
      java-1_7_0-ibm-plugin-1.7.0_sr4.0-0.6.1

References:

   https://bugzilla.novell.com/798535
   http://download.novell.com/patch/finder/?keywords=ec2cc97511073c725601f4d834445d63

From sle-security-updates at lists.suse.com  Tue Mar 12 17:05:32 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Mar 2013 00:05:32 +0100 (CET)
Subject: SUSE-SU-2013:0441-1: important: Security update for Perl
Message-ID: <20130312230532.53E5732183@maintenance.suse.de>

SUSE Security Update: Security update for Perl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0441-1
Rating:             important
References:         #789994 #796014 #797060 #804415
Cross-References:   CVE-2013-1667
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now
   available.

Description:

   This update of Perl 5 fixes the following security issues:

   * fix rehash DoS [bnc#804415] [CVE-2013-1667]
   * improve CGI crlf escaping [bnc#789994] [CVE-2012-5526]
   * fix glob denial of service [bnc#796014] [CVE-2011-2728]
   * sanitize input in Maketext.pm [bnc#797060] [CVE-2012-6329]

Security Issue references:

   * CVE-2013-1667

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-perl-7439

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-perl-7439

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-perl-7439

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-perl-7439

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64):

      perl-base-32bit-5.10.0-64.61.61.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ia64):

      perl-base-x86-5.10.0-64.61.61.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      perl-5.10.0-64.61.61.1
      perl-base-5.10.0-64.61.61.1
      perl-doc-5.10.0-64.61.61.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64):

      perl-32bit-5.10.0-64.61.61.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      perl-5.10.0-64.61.61.1
      perl-base-5.10.0-64.61.61.1
      perl-doc-5.10.0-64.61.61.1

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):

      perl-32bit-5.10.0-64.61.61.1

   - SUSE Linux Enterprise Server 11 SP2 (ia64):

      perl-x86-5.10.0-64.61.61.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      perl-5.10.0-64.61.61.1
      perl-base-5.10.0-64.61.61.1
      perl-doc-5.10.0-64.61.61.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):

      perl-32bit-5.10.0-64.61.61.1

References:

   http://support.novell.com/security/cve/CVE-2013-1667.html
   https://bugzilla.novell.com/789994
   https://bugzilla.novell.com/796014
   https://bugzilla.novell.com/797060
   https://bugzilla.novell.com/804415
   http://download.novell.com/patch/finder/?keywords=3663b3a5fb6a8f33323d36be1a8dda9d

From sle-security-updates at lists.suse.com  Tue Mar 12 17:05:37 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Mar 2013 00:05:37 +0100 (CET)
Subject: SUSE-SU-2013:0442-1: important: Security update for Perl
Message-ID: <20130312230537.987B132172@maintenance.suse.de>

SUSE Security Update: Security update for Perl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0442-1
Rating:             important
References:         #788388 #789994 #796014 #797060 #804415
Cross-References:   CVE-2013-1667
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes is now
   available.

Description:

   This update of Perl 5 fixes the following security issues:

   * fix rehash DoS [bnc#804415] [CVE-2013-1667]
   * improve CGI crlf escaping [bnc#789994] [CVE-2012-5526]
   * fix glob denial of service [bnc#796014] [CVE-2011-2728]
   * sanitize input in Maketext.pm [bnc#797060] [CVE-2012-6329]
   * make getgrent work with long group entries [bnc#788388]

Security Issue reference:

   * CVE-2013-1667

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      perl-5.8.8-14.21.3

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      perl-32bit-5.8.8-14.21.3

   - SUSE Linux Enterprise Server 10 SP4 (ia64):

      perl-x86-5.8.8-14.21.3

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      perl-64bit-5.8.8-14.21.3

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      perl-5.8.8-14.21.3

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):

      perl-32bit-5.8.8-14.21.3

References:

   http://support.novell.com/security/cve/CVE-2013-1667.html
   https://bugzilla.novell.com/788388
   https://bugzilla.novell.com/789994
   https://bugzilla.novell.com/796014
   https://bugzilla.novell.com/797060
   https://bugzilla.novell.com/804415
   http://download.novell.com/patch/finder/?keywords=ed1929d51b82752f08399dada0ae2769

From sle-security-updates at lists.suse.com  Wed Mar 13 11:04:27 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Mar 2013 18:04:27 +0100 (CET)
Subject: SUSE-SU-2013:0440-2: important: Security update for Java
Message-ID: <20130313170427.08D7C3218B@maintenance.suse.de>

SUSE Security Update: Security update for Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0440-2
Rating:             important
References:         #798535
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Java 11 SP2
                    SUSE Linux Enterprise Java 10 SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 1.4.2 has been updated to SR13-FP15 which fixes various
   critical security issues and bugs.

   Please see the IBM JDK Alert page for more information:

   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1478, CVE-2013-1480, CVE-2013-1476,
   CVE-2013-0442, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428,
   CVE-2013-1481, CVE-2013-0432, CVE-2013-0434, CVE-2013-0424,
   CVE-2013-0440, CVE-2013-0443.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-java-1_4_2-ibm-7450

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-java-1_4_2-ibm-7450

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-java-1_4_2-ibm-7450

   - SUSE Linux Enterprise Java 11 SP2:

      zypper in -t patch slejsp2-java-1_4_2-ibm-7450

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      java-1_4_2-ibm-devel-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

      java-1_4_2-ibm-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      java-1_4_2-ibm-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.15-0.3.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Server 11 SP2 (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.15-0.3.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.15-0.6.1
      java-1_4_2-ibm-devel-1.4.2_sr13.15-0.6.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.15-0.6.1

   - SUSE Linux Enterprise Server 10 SP4 (i586):

      java-1_4_2-ibm-plugin-1.4.2_sr13.15-0.6.1

   - SUSE Linux Enterprise Java 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Java 11 SP2 (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.15-0.3.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Java 10 SP4 (i586 ia64 ppc s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.15-0.6.1
      java-1_4_2-ibm-devel-1.4.2_sr13.15-0.6.1

   - SUSE Linux Enterprise Java 10 SP4 (i586 ppc):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.15-0.6.1

   - SUSE Linux Enterprise Java 10 SP4 (i586):

      java-1_4_2-ibm-plugin-1.4.2_sr13.15-0.6.1

References:

   https://bugzilla.novell.com/798535
   http://download.novell.com/patch/finder/?keywords=93cb6121fadaf694135bd63c1f9156b6
   http://download.novell.com/patch/finder/?keywords=ec9d22c393a1ca0adfb36328a12130ef

From sle-security-updates at lists.suse.com  Thu Mar 14 10:04:53 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 14 Mar 2013 17:04:53 +0100 (CET)
Subject: SUSE-SU-2013:0456-1: important: Security update for Java
Message-ID: <20130314160453.3D77B27FDD@maintenance.suse.de>

SUSE Security Update: Security update for Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0456-1
Rating:             important
References:         #798535 #808625
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Java 10 SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 6 has been updated to SR13 which fixes various critical
   security issues and bugs.

   Please see the IBM JDK Alert page for more information:

   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1487, CVE-2013-1486, CVE-2013-1478,
   CVE-2013-0445, CVE-2013-1480, CVE-2013-0441, CVE-2013-1476,
   CVE-2012-1541, CVE-2013-0446, CVE-2012-3342, CVE-2013-0442,
   CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428,
   CVE-2012-3213, CVE-2013-1481, CVE-2013-0419, CVE-2013-0423,
   CVE-2013-0351, CVE-2013-0432, CVE-2013-1473, CVE-2013-0435,
   CVE-2013-0434, CVE-2013-0409, CVE-2013-0427, CVE-2013-0433,
   CVE-2013-0424, CVE-2013-0440, CVE-2013-0438, CVE-2013-0443.
Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr13.0-0.13.3
      java-1_6_0-ibm-devel-1.6.0_sr13.0-0.13.3
      java-1_6_0-ibm-fonts-1.6.0_sr13.0-0.13.3
      java-1_6_0-ibm-jdbc-1.6.0_sr13.0-0.13.3

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr13.0-0.13.3

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      java-1_6_0-ibm-32bit-1.6.0_sr13.0-0.13.3
      java-1_6_0-ibm-devel-32bit-1.6.0_sr13.0-0.13.3

   - SUSE Linux Enterprise Server 10 SP4 (x86_64):

      java-1_6_0-ibm-alsa-32bit-1.6.0_sr13.0-0.13.3
      java-1_6_0-ibm-plugin-32bit-1.6.0_sr13.0-0.13.3

   - SUSE Linux Enterprise Server 10 SP4 (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr13.0-0.13.3

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      java-1_6_0-ibm-64bit-1.6.0_sr13.0-0.13.3

   - SUSE Linux Enterprise Java 10 SP4 (x86_64):

      java-1_6_0-ibm-1.6.0_sr13.0-0.13.3
      java-1_6_0-ibm-devel-1.6.0_sr13.0-0.13.3
      java-1_6_0-ibm-fonts-1.6.0_sr13.0-0.13.3
      java-1_6_0-ibm-jdbc-1.6.0_sr13.0-0.13.3
      java-1_6_0-ibm-plugin-1.6.0_sr13.0-0.13.3

References:

   https://bugzilla.novell.com/798535
   https://bugzilla.novell.com/808625
   http://download.novell.com/patch/finder/?keywords=78075f3faaadfb1d4a70cc040d243ecc

From sle-security-updates at lists.suse.com  Thu Mar 14 10:04:57 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 14 Mar 2013 17:04:57 +0100 (CET)
Subject: SUSE-SU-2013:0457-1: moderate: Security update for libqt4
Message-ID: <20130314160457.AEB0D2BFA8@maintenance.suse.de>

SUSE Security Update: Security update for libqt4
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0457-1
Rating:             moderate
References:         #784197 #797006 #802634
Cross-References:   CVE-2013-0254
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now
   available.

Description:

   libqt4 has been updated to fix several security issues.

   * An information disclosure via QSharedMemory was fixed which allowed
     local attackers to read information (e.g. bitmap content) from the
     attacked user (CVE-2013-0254).
   * openssl-incompatibility-fix.diff: Fix wrong error reporting when
     using a binary-incompatible version of openSSL (bnc#797006,
     CVE-2012-6093)
   * Various compromised SSL root certificates were blacklisted.

   Also a non-security bugfix has been applied:

   * Add fix for qdbusviewer not matching args (bnc#784197)

Security Issue reference:

   * CVE-2013-0254

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-libQtWebKit-devel-7441

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-libQtWebKit-devel-7441

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-libQtWebKit-devel-7441

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-libQtWebKit-devel-7441

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      libQtWebKit-devel-4.6.3-5.20.23.1
      libqt4-devel-4.6.3-5.20.23.1
      libqt4-devel-doc-4.6.3-5.20.23.1
      libqt4-sql-postgresql-4.6.3-5.20.23.1
      libqt4-sql-unixODBC-4.6.3-5.20.23.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64):

      libQtWebKit4-32bit-4.6.3-5.20.23.1
      libqt4-sql-mysql-32bit-4.6.3-5.20.23.1
      libqt4-sql-postgresql-32bit-4.6.3-5.20.23.1
      libqt4-sql-sqlite-32bit-4.6.3-5.20.23.1
      libqt4-sql-unixODBC-32bit-4.6.3-5.20.23.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (noarch):

      libqt4-devel-doc-data-4.6.3-5.20.23.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (ia64):

      libQtWebKit4-x86-4.6.3-5.20.23.1
      libqt4-sql-mysql-x86-4.6.3-5.20.23.1
      libqt4-sql-postgresql-x86-4.6.3-5.20.23.1
      libqt4-sql-sqlite-x86-4.6.3-5.20.23.1
      libqt4-sql-unixODBC-x86-4.6.3-5.20.23.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      libQtWebKit4-4.6.3-5.20.23.1
      libqt4-4.6.3-5.20.23.1
      libqt4-qt3support-4.6.3-5.20.23.1
      libqt4-sql-4.6.3-5.20.23.1
      libqt4-sql-mysql-4.6.3-5.20.23.1
      libqt4-sql-sqlite-4.6.3-5.20.23.1
      libqt4-x11-4.6.3-5.20.23.1
      qt4-x11-tools-4.6.3-5.20.23.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64):

      libQtWebKit4-32bit-4.6.3-5.20.23.1
      libqt4-32bit-4.6.3-5.20.23.1
      libqt4-qt3support-32bit-4.6.3-5.20.23.1
      libqt4-sql-32bit-4.6.3-5.20.23.1
      libqt4-x11-32bit-4.6.3-5.20.23.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      libQtWebKit4-4.6.3-5.20.23.1
      libqt4-4.6.3-5.20.23.1
      libqt4-qt3support-4.6.3-5.20.23.1
      libqt4-sql-4.6.3-5.20.23.1
      libqt4-sql-mysql-4.6.3-5.20.23.1
      libqt4-sql-sqlite-4.6.3-5.20.23.1
      libqt4-x11-4.6.3-5.20.23.1
      qt4-x11-tools-4.6.3-5.20.23.1

   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):

      libQtWebKit4-32bit-4.6.3-5.20.23.1
      libqt4-32bit-4.6.3-5.20.23.1
      libqt4-qt3support-32bit-4.6.3-5.20.23.1
      libqt4-sql-32bit-4.6.3-5.20.23.1
      libqt4-x11-32bit-4.6.3-5.20.23.1

   - SUSE Linux Enterprise Server 11 SP2 (ia64):

      libQtWebKit4-x86-4.6.3-5.20.23.1
      libqt4-qt3support-x86-4.6.3-5.20.23.1
      libqt4-sql-x86-4.6.3-5.20.23.1
      libqt4-x11-x86-4.6.3-5.20.23.1
      libqt4-x86-4.6.3-5.20.23.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      libQtWebKit4-4.6.3-5.20.23.1
      libqt4-4.6.3-5.20.23.1
      libqt4-qt3support-4.6.3-5.20.23.1
      libqt4-sql-4.6.3-5.20.23.1
      libqt4-sql-mysql-4.6.3-5.20.23.1
      libqt4-sql-postgresql-4.6.3-5.20.23.1
      libqt4-sql-sqlite-4.6.3-5.20.23.1
      libqt4-sql-unixODBC-4.6.3-5.20.23.1
      libqt4-x11-4.6.3-5.20.23.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):

      libQtWebKit4-32bit-4.6.3-5.20.23.1
      libqt4-32bit-4.6.3-5.20.23.1
      libqt4-qt3support-32bit-4.6.3-5.20.23.1
      libqt4-sql-32bit-4.6.3-5.20.23.1
      libqt4-sql-mysql-32bit-4.6.3-5.20.23.1
      libqt4-sql-postgresql-32bit-4.6.3-5.20.23.1
      libqt4-sql-sqlite-32bit-4.6.3-5.20.23.1
      libqt4-sql-unixODBC-32bit-4.6.3-5.20.23.1
      libqt4-x11-32bit-4.6.3-5.20.23.1

References:

   http://support.novell.com/security/cve/CVE-2013-0254.html
   https://bugzilla.novell.com/784197
   https://bugzilla.novell.com/797006
   https://bugzilla.novell.com/802634
   http://download.novell.com/patch/finder/?keywords=319695c0369c1600598cb3ff3f78d73a

From sle-security-updates at lists.suse.com Thu Mar 14 10:05:04 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 14 Mar 2013 17:05:04 +0100 (CET)
Subject: SUSE-SU-2013:0458-1: critical: Security update for flash-player
Message-ID: <20130314160504.3EC3827FDD@maintenance.suse.de>

SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0458-1
Rating:             critical
References:         #808973
Cross-References:   CVE-2013-0646 CVE-2013-0650 CVE-2013-1371 CVE-2013-1375
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available. It includes one
   version update.

Description:

   Adobe Flash Player has been updated to security release 11.2.202.275
   (APSB13-09), fixing severe security issues. (CVE-2013-0646, CVE-2013-0650,
   CVE-2013-1371, CVE-2013-1375)

   More information can be found on:
   http://www.adobe.com/support/security/bulletins/apsb13-09.html

Security Issue references:

   * CVE-2013-0646
   * CVE-2013-0650
   * CVE-2013-1371
   * CVE-2013-1375

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-flash-player-7491

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 11.2.202.275]:

      flash-player-11.2.202.275-0.3.1
      flash-player-gnome-11.2.202.275-0.3.1
      flash-player-kde4-11.2.202.275-0.3.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 11.2.202.275]:

      flash-player-11.2.202.275-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2013-0646.html
   http://support.novell.com/security/cve/CVE-2013-0650.html
   http://support.novell.com/security/cve/CVE-2013-1371.html
   http://support.novell.com/security/cve/CVE-2013-1375.html
   https://bugzilla.novell.com/808973
   http://download.novell.com/patch/finder/?keywords=a590b251093353c9a532d47fac07b211
   http://download.novell.com/patch/finder/?keywords=ced16d4be49bc3ca3c262247f4abcd7e

From sle-security-updates at lists.suse.com Thu Mar 14 15:04:19 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 14 Mar 2013 22:04:19 +0100 (CET)
Subject: SUSE-SU-2013:0456-2: important: Security update for Java
Message-ID: <20130314210419.4B67532168@maintenance.suse.de>

SUSE Security Update: Security update for Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0456-2
Rating:             important
References:         #798535 #808625
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 6 has been updated to SR13 which fixes various critical security
   issues and bugs.

   Please see the IBM JDK Alert page for more information:
   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1487, CVE-2013-1486, CVE-2013-1478,
   CVE-2013-0445, CVE-2013-1480, CVE-2013-0441, CVE-2013-1476, CVE-2012-1541,
   CVE-2013-0446, CVE-2012-3342, CVE-2013-0442, CVE-2013-0450, CVE-2013-0425,
   CVE-2013-0426, CVE-2013-0428, CVE-2012-3213, CVE-2013-1481, CVE-2013-0419,
   CVE-2013-0423, CVE-2013-0351, CVE-2013-0432, CVE-2013-1473, CVE-2013-0435,
   CVE-2013-0434, CVE-2013-0409, CVE-2013-0427, CVE-2013-0433, CVE-2013-0424,
   CVE-2013-0440, CVE-2013-0438, CVE-2013-0443.

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr13.0-0.7.7.1
      java-1_6_0-ibm-devel-1.6.0_sr13.0-0.7.7.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.0-0.7.7.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.0-0.7.7.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      java-1_6_0-ibm-32bit-1.6.0_sr13.0-0.7.7.1
      java-1_6_0-ibm-devel-32bit-1.6.0_sr13.0-0.7.7.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr13.0-0.7.7.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (x86_64):

      java-1_6_0-ibm-alsa-32bit-1.6.0_sr13.0-0.7.7.1
      java-1_6_0-ibm-plugin-32bit-1.6.0_sr13.0-0.7.7.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr13.0-0.7.7.1

References:

   https://bugzilla.novell.com/798535
   https://bugzilla.novell.com/808625
   http://download.novell.com/patch/finder/?keywords=219c5ead437be21a7209a3563ce35c71

From sle-security-updates at lists.suse.com Thu Mar 14 16:04:43 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 14 Mar 2013 23:04:43 +0100 (CET)
Subject: SUSE-SU-2013:0440-3: important: Security update for Java
Message-ID: <20130314220443.CA1122BFA9@maintenance.suse.de>

SUSE Security Update: Security update for Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0440-3
Rating:             important
References:         #798535
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 1.4.2 has been updated to SR13-FP15 which fixes various critical
   security issues and bugs.

   Please see the IBM JDK Alert page for more information:
   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1478, CVE-2013-1480, CVE-2013-1476,
   CVE-2013-0442, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-1481,
   CVE-2013-0432, CVE-2013-0434, CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:

      zypper in -t patch slessp1-java-1_4_2-ibm-7479

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-java-1_4_2-ibm-7479

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64):

      java-1_4_2-ibm-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.15-0.3.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.15-0.3.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.15-0.3.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      java-1_4_2-ibm-1.4.2_sr13.15-0.6.1
      java-1_4_2-ibm-devel-1.4.2_sr13.15-0.6.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586):

      java-1_4_2-ibm-jdbc-1.4.2_sr13.15-0.6.1
      java-1_4_2-ibm-plugin-1.4.2_sr13.15-0.6.1

References:

   https://bugzilla.novell.com/798535
   http://download.novell.com/patch/finder/?keywords=7014ea77ffe5c5f4f2e593888baa766b
   http://download.novell.com/patch/finder/?keywords=fc8b17df6be0cc8370eff53d8c702e02

From sle-security-updates at lists.suse.com Fri Mar 15 09:04:20 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 Mar 2013 16:04:20 +0100 (CET)
Subject: SUSE-SU-2013:0456-3: important: Security update for Java
Message-ID: <20130315150420.307DE32158@maintenance.suse.de>

SUSE Security Update: Security update for Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0456-3
Rating:             important
References:         #798535 #808625
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 6 has been updated to SR13 which fixes various critical security
   issues and bugs.
   Please see the IBM JDK Alert page for more information:
   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1487, CVE-2013-1486, CVE-2013-1478,
   CVE-2013-0445, CVE-2013-1480, CVE-2013-0441, CVE-2013-1476, CVE-2012-1541,
   CVE-2013-0446, CVE-2012-3342, CVE-2013-0442, CVE-2013-0450, CVE-2013-0425,
   CVE-2013-0426, CVE-2013-0428, CVE-2012-3213, CVE-2013-1481, CVE-2013-0419,
   CVE-2013-0423, CVE-2013-0351, CVE-2013-0432, CVE-2013-1473, CVE-2013-0435,
   CVE-2013-0434, CVE-2013-0409, CVE-2013-0427, CVE-2013-0433, CVE-2013-0424,
   CVE-2013-0440, CVE-2013-0438, CVE-2013-0443.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:

      zypper in -t patch slessp1-java-1_6_0-ibm-7482

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-java-1_6_0-ibm-7482

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64):

      java-1_6_0-ibm-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-plugin-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr13.0-0.8.1

References:

   https://bugzilla.novell.com/798535
   https://bugzilla.novell.com/808625
   http://download.novell.com/patch/finder/?keywords=56a53806f2b9b8ace0893e899300698c

From sle-security-updates at lists.suse.com Fri Mar 15 10:04:28 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 Mar 2013 17:04:28 +0100 (CET)
Subject: SUSE-SU-2013:0469-1: Security update for apache2
Message-ID: <20130315160428.CC36932172@maintenance.suse.de>

SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0469-1
Rating:             low
References:         #688472 #719236 #722545 #727071 #727993 #729181 #736706
                    #738855 #741243 #743743 #757710 #777260
Cross-References:   CVE-2012-0021 CVE-2012-0883 CVE-2012-2687 CVE-2012-4557
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that solves four vulnerabilities and has 8 fixes is now available.

Description:

   This Apache2 LTSS roll-up update for SUSE Linux Enterprise 10 SP3 LTSS fixes
   the following security issues and bugs:

   * CVE-2012-4557: Denial of Service via special requests in mod_proxy_ajp
   * CVE-2012-0883: improper LD_LIBRARY_PATH handling
   * CVE-2012-2687: filename escaping problem
   * CVE-2012-0031: Fixed a scoreboard corruption (shared mem segment) by a
     child that causes a crash of the privileged parent (invalid free()) during
     shutdown.
   * CVE-2012-0053: Fixed an issue in error responses that could expose
     "httpOnly" cookies when no custom ErrorDocument is specified for status
     code 400.
   * The SSL configuration template has been adjusted not to suggest weak
     ciphers.
   * CVE-2007-6750: The "mod_reqtimeout" module was backported from Apache
     2.2.21 to help mitigate the "Slowloris" Denial of Service attack. You need
     to enable the "mod_reqtimeout" module in your existing apache configuration
     to make it effective, e.g. in the APACHE_MODULES line in
     /etc/sysconfig/apache2.
   * CVE-2011-3639, CVE-2011-3368, CVE-2011-4317: This update also includes
     several fixes for a mod_proxy reverse proxy exposure via RewriteRule or
     ProxyPassMatch directives.
   * CVE-2011-1473: Fixed the SSL renegotiation DoS by disabling renegotiation
     by default.
   * CVE-2011-3607: Integer overflow in ap_pregsub function resulting in a heap
     based buffer overflow could potentially allow local attackers to gain
     privileges.

   Additionally, some non-security bugs have been fixed which are listed in the
   changelog file.

Security Issue references:

   * CVE-2012-4557
   * CVE-2012-2687
   * CVE-2012-0883
   * CVE-2012-0021

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      apache2-2.2.3-16.32.45.1
      apache2-devel-2.2.3-16.32.45.1
      apache2-doc-2.2.3-16.32.45.1
      apache2-example-pages-2.2.3-16.32.45.1
      apache2-prefork-2.2.3-16.32.45.1
      apache2-worker-2.2.3-16.32.45.1

References:

   http://support.novell.com/security/cve/CVE-2012-0021.html
   http://support.novell.com/security/cve/CVE-2012-0883.html
   http://support.novell.com/security/cve/CVE-2012-2687.html
   http://support.novell.com/security/cve/CVE-2012-4557.html
   https://bugzilla.novell.com/688472
   https://bugzilla.novell.com/719236
   https://bugzilla.novell.com/722545
   https://bugzilla.novell.com/727071
   https://bugzilla.novell.com/727993
   https://bugzilla.novell.com/729181
   https://bugzilla.novell.com/736706
   https://bugzilla.novell.com/738855
   https://bugzilla.novell.com/741243
   https://bugzilla.novell.com/743743
   https://bugzilla.novell.com/757710
   https://bugzilla.novell.com/777260
   http://download.novell.com/patch/finder/?keywords=25e42b7bd84d54954a51c9fe38e777e0

From sle-security-updates at lists.suse.com Fri Mar 15 11:04:28 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 Mar 2013 18:04:28 +0100 (CET)
Subject: SUSE-SU-2013:0470-1: important: Security update for Mozilla Firefox
Message-ID: <20130315170428.654263216A@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0470-1
Rating:             important
References:         #808243
Cross-References:   CVE-2013-0787
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   MozillaFirefox has been updated to the 17.0.4ESR release which fixes one
   important security issue:

   * MFSA 2013-29 / CVE-2013-0787: VUPEN Security, via TippingPoint's Zero Day
     Initiative, reported a use-after-free within the HTML editor when content
     script is run by the document.execCommand() function while internal editor
     operations are occurring. This could allow for arbitrary code execution.

Security Issue reference:

   * CVE-2013-0787

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-firefox-201303-7464

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-firefox-201303-7464

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-firefox-201303-7464

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 17.0.4esr]:

      MozillaFirefox-17.0.4esr-0.5.1
      MozillaFirefox-translations-17.0.4esr-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 17.0.4esr]:

      MozillaFirefox-17.0.4esr-0.5.1
      MozillaFirefox-translations-17.0.4esr-0.5.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 17.0.4esr]:

      MozillaFirefox-17.0.4esr-0.5.1
      MozillaFirefox-translations-17.0.4esr-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2013-0787.html
   https://bugzilla.novell.com/808243
   http://download.novell.com/patch/finder/?keywords=80cb5f45bf32ac42965b90fa93bccfbc

From sle-security-updates at lists.suse.com Fri Mar 15 12:04:42 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 Mar 2013 19:04:42 +0100 (CET)
Subject: SUSE-SU-2013:0471-1: important: Security update for Mozilla Firefox
Message-ID: <20130315180442.C3E553216A@maintenance.suse.de>

SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0471-1
Rating:             important
References:         #804248 #808243
Cross-References:   CVE-2013-0787
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.
   It includes four new package versions.

Description:

   MozillaFirefox has been updated to the 17.0.4ESR release.
   Besides the major version update from the 10ESR stable release line to the
   17ESR stable release line, this update brings critical security and bugfixes:

   * MFSA 2013-29 / CVE-2013-0787: VUPEN Security, via TippingPoint's Zero Day
     Initiative, reported a use-after-free within the HTML editor when content
     script is run by the document.execCommand() function while internal editor
     operations are occurring. This could allow for arbitrary code execution.

   The Firefox 17.0.3ESR release also contains lots of security fixes:

   * MFSA 2013-28: Security researcher Abhishek Arya (Inferno) of the Google
     Chrome Security Team used the Address Sanitizer tool to discover a series
     of use-after-free, out of bounds read, and buffer overflow problems rated
     as low to critical security issues in shipped software. Some of these
     issues are potentially exploitable, allowing for remote code execution. We
     would also like to thank Abhishek for reporting four additional
     use-after-free and out of bounds write flaws introduced during Firefox
     development that were fixed before general release.

     The following issues have been fixed in Firefox 19 and ESR 17.0.3:

     * Heap-use-after-free in nsOverflowContinuationTracker::Finish, with
       -moz-columns (CVE-2013-0780)
     * Heap-buffer-overflow WRITE in nsSaveAsCharset::DoCharsetConversion
       (CVE-2013-0782)

   * MFSA 2013-27 / CVE-2013-0776: Google security researcher Michal Zalewski
     reported an issue where the browser displayed the content of a proxy's 407
     response if a user canceled the proxy's authentication prompt. In this
     circumstance, the addressbar will continue to show the requested site's
     address, including HTTPS addresses that appear to be secure. This spoofing
     of addresses can be used for phishing attacks by fooling users into
     entering credentials, for example.

   * MFSA 2013-26 / CVE-2013-0775: Security researcher Nils reported a
     use-after-free in nsImageLoadingContent when content script is executed.
     This could allow for arbitrary code execution.
   * MFSA 2013-25 / CVE-2013-0774: Mozilla security researcher Frederik Braun
     discovered that since Firefox 15 the file system location of the active
     browser profile was available to JavaScript workers. While not dangerous by
     itself, this could potentially be combined with other vulnerabilities to
     target the profile in an attack.

   * MFSA 2013-24 / CVE-2013-0773: Mozilla developer Bobby Holley discovered
     that it was possible to bypass some protections in Chrome Object Wrappers
     (COW) and System Only Wrappers (SOW), making their prototypes mutable by
     web content. This could be used to leak information from chrome objects and
     possibly allow for arbitrary code execution.

   * MFSA 2013-23 / CVE-2013-0765: Mozilla developer Boris Zbarsky reported
     that in some circumstances a wrapped WebIDL object can be wrapped multiple
     times, overwriting the existing wrapped state. This could lead to an
     exploitable condition in rare cases.

   * MFSA 2013-22 / CVE-2013-0772: Using the Address Sanitizer tool, security
     researcher Atte Kettunen from OUSPG found an out-of-bounds read while
     rendering GIF format images. This could cause a non-exploitable crash and
     could also attempt to render normally inaccessible data as part of the
     image.

   * MFSA 2013-21: Mozilla developers identified and fixed several memory
     safety bugs in the browser engine used in Firefox and other Mozilla-based
     products. Some of these bugs showed evidence of memory corruption under
     certain circumstances, and we presume that with enough effort at least
     some of these could be exploited to run arbitrary code. Olli Pettay,
     Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight, Joe Drew,
     and Wayne Mery reported memory safety problems and crashes that affect
     Firefox ESR 17, and Firefox 18.
     * Memory safety bugs fixed in Firefox ESR 17.0.3, and Firefox 19
       (CVE-2013-0783)

Security Issue references:

   * CVE-2013-0787

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.14.1 and 4.9.4]:

      mozilla-nspr-4.9.4-0.6.3
      mozilla-nspr-devel-4.9.4-0.6.3
      mozilla-nss-3.14.1-0.6.3
      mozilla-nss-devel-3.14.1-0.6.3
      mozilla-nss-tools-3.14.1-0.6.3

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 17.0.4esr and 7]:

      MozillaFirefox-17.0.4esr-0.7.1
      MozillaFirefox-branding-SLED-7-0.10.4
      MozillaFirefox-translations-17.0.4esr-0.7.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 3.14.1 and 4.9.4]:

      mozilla-nspr-32bit-4.9.4-0.6.3
      mozilla-nss-32bit-3.14.1-0.6.3

   - SUSE Linux Enterprise Server 10 SP4 (ia64) [New Version: 3.14.1 and 4.9.4]:

      mozilla-nspr-x86-4.9.4-0.6.3
      mozilla-nss-x86-3.14.1-0.6.3

   - SUSE Linux Enterprise Server 10 SP4 (ppc) [New Version: 3.14.1 and 4.9.4]:

      mozilla-nspr-64bit-4.9.4-0.6.3
      mozilla-nss-64bit-3.14.1-0.6.3

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 3.14.1 and 4.9.4]:

      mhtml-firefox-0.5-1.13.4
      mozilla-nspr-4.9.4-0.6.3
      mozilla-nspr-devel-4.9.4-0.6.3
      mozilla-nss-3.14.1-0.6.3
      mozilla-nss-devel-3.14.1-0.6.3
      mozilla-nss-tools-3.14.1-0.6.3

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 3.14.1 and 4.9.4]:

      mozilla-nspr-32bit-4.9.4-0.6.3
      mozilla-nss-32bit-3.14.1-0.6.3

   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 17.0.4esr and 7]:

      MozillaFirefox-17.0.4esr-0.7.1
      MozillaFirefox-branding-SLED-7-0.10.4
      MozillaFirefox-translations-17.0.4esr-0.7.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.14.1]:

      firefox3-python-base-2.6.8-0.9.1
      mozilla-nss-tools-3.14.1-0.6.3

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x):

      MozillaFirefox-branding-upstream-17.0.4esr-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2013-0787.html
   https://bugzilla.novell.com/804248
   https://bugzilla.novell.com/808243
   http://download.novell.com/patch/finder/?keywords=e8a17727b5ca4754a7c066ed49b6d2d9

From sle-security-updates at lists.suse.com Fri Mar 15 13:04:25 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 Mar 2013 20:04:25 +0100 (CET)
Subject: SUSE-SU-2013:0440-4: important: Security update for Java
Message-ID: <20130315190425.F038C32148@maintenance.suse.de>

SUSE Security Update: Security update for Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0440-4
Rating:             important
References:         #798535
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Java 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 5 has been updated to SR16 which fixes various critical security
   issues and bugs.

   Please see the IBM JDK Alert page for more information:
   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1486, CVE-2013-1478, CVE-2013-0445,
   CVE-2013-1480, CVE-2013-1476, CVE-2013-0442, CVE-2013-0425, CVE-2013-0426,
   CVE-2013-0428, CVE-2013-1481, CVE-2013-0432, CVE-2013-0434, CVE-2013-0409,
   CVE-2013-0427, CVE-2013-0433, CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.
Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc s390x x86_64):

      java-1_5_0-ibm-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-devel-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-fonts-1.5.0_sr16.0-0.6.1

   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):

      java-1_5_0-ibm-32bit-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-devel-32bit-1.5.0_sr16.0-0.6.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ppc):

      java-1_5_0-ibm-jdbc-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-plugin-1.5.0_sr16.0-0.6.1

   - SUSE Linux Enterprise Server 10 SP4 (x86_64):

      java-1_5_0-ibm-alsa-32bit-1.5.0_sr16.0-0.6.1

   - SUSE Linux Enterprise Server 10 SP4 (i586):

      java-1_5_0-ibm-alsa-1.5.0_sr16.0-0.6.1

   - SUSE Linux Enterprise Server 10 SP4 (ppc):

      java-1_5_0-ibm-64bit-1.5.0_sr16.0-0.6.1

   - SUSE Linux Enterprise Java 10 SP4 (i586 ppc s390x x86_64):

      java-1_5_0-ibm-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-devel-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-fonts-1.5.0_sr16.0-0.6.1

   - SUSE Linux Enterprise Java 10 SP4 (ppc):

      java-1_5_0-ibm-jdbc-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-plugin-1.5.0_sr16.0-0.6.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):

      java-1_5_0-ibm-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-demo-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-devel-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-fonts-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-src-1.5.0_sr16.0-0.6.1

   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):

      java-1_5_0-ibm-32bit-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-alsa-32bit-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-devel-32bit-1.5.0_sr16.0-0.6.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586):

      java-1_5_0-ibm-alsa-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-jdbc-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-plugin-1.5.0_sr16.0-0.6.1

References:

   https://bugzilla.novell.com/798535
   http://download.novell.com/patch/finder/?keywords=f3e49a4d1f2884a3b859fbf98da12261

From sle-security-updates at lists.suse.com Fri Mar 15 15:05:21 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 Mar 2013 22:05:21 +0100 (CET)
Subject: SUSE-SU-2013:0456-4: important: Security update for Java
Message-ID: <20130315210521.7954232176@maintenance.suse.de>

SUSE Security Update: Security update for Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0456-4
Rating:             important
References:         #798535 #808625
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Java 11 SP2
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 6 has been updated to SR13 which fixes various critical security
   issues and bugs.

   Please see the IBM JDK Alert page for more information:
   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1487, CVE-2013-1486, CVE-2013-1478,
   CVE-2013-0445, CVE-2013-1480, CVE-2013-0441, CVE-2013-1476, CVE-2012-1541,
   CVE-2013-0446, CVE-2012-3342, CVE-2013-0442, CVE-2013-0450, CVE-2013-0425,
   CVE-2013-0426, CVE-2013-0428, CVE-2012-3213, CVE-2013-1481, CVE-2013-0419,
   CVE-2013-0423, CVE-2013-0351, CVE-2013-0432, CVE-2013-1473, CVE-2013-0435,
   CVE-2013-0434, CVE-2013-0409, CVE-2013-0427, CVE-2013-0433, CVE-2013-0424,
   CVE-2013-0440, CVE-2013-0438, CVE-2013-0443.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-java-1_6_0-ibm-7481

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-java-1_6_0-ibm-7481

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-java-1_6_0-ibm-7481

   - SUSE Linux Enterprise Java 11 SP2:

      zypper in -t patch slejsp2-java-1_6_0-ibm-7481

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-devel-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

      java-1_6_0-ibm-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      java-1_6_0-ibm-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-plugin-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Server 11 SP2 (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Java 11 SP2 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-devel-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-fonts-1.6.0_sr13.0-0.8.1
      java-1_6_0-ibm-jdbc-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Java 11 SP2 (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr13.0-0.8.1

   - SUSE Linux Enterprise Java 11 SP2 (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr13.0-0.8.1

References:

   https://bugzilla.novell.com/798535
   https://bugzilla.novell.com/808625
   http://download.novell.com/patch/finder/?keywords=fe51aa0e7e0daa0213ed3b6dc25f3983

From sle-security-updates at lists.suse.com Sat Mar 16 10:06:54 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 16 Mar 2013 17:06:54 +0100 (CET)
Subject: SUSE-SU-2013:0440-5: important: Security update for IBM Java5 JRE and SDK
Message-ID: <20130316160654.DED0F321A4@maintenance.suse.de>

SUSE Security Update: Security update for IBM Java5 JRE and SDK
______________________________________________________________________________
Announcement ID:    SUSE-SU-2013:0440-5
Rating:             important
References:         #798535
Affected Products:
                    SUSE CORE 9
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 5 has been updated to SR16 which fixes various critical
   security issues and bugs.

   Please see the IBM JDK Alert page for more information:
   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1486, CVE-2013-1478, CVE-2013-0445,
   CVE-2013-1480, CVE-2013-1476, CVE-2013-0442, CVE-2013-0425, CVE-2013-0426,
   CVE-2013-0428, CVE-2013-1481, CVE-2013-0432, CVE-2013-0434, CVE-2013-0409,
   CVE-2013-0427, CVE-2013-0433, CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.

Package List:

   - SUSE CORE 9 (i586 s390 s390x x86_64):
      IBMJava5-JRE-1.5.0_sr16.0-0.4
      IBMJava5-SDK-1.5.0_sr16.0-0.4

References:

   https://bugzilla.novell.com/798535
   http://download.novell.com/patch/finder/?keywords=40a91b33dc9e5067426d661e5a9a76db

From sle-security-updates at lists.suse.com Mon Mar 18 14:04:26 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 Mar 2013 21:04:26 +0100 (CET)
Subject: SUSE-SU-2013:0440-6: important: Security update for Java
Message-ID: <20130318200426.D763D32183@maintenance.suse.de>

   SUSE Security Update: Security update for Java
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0440-6
Rating:             important
References:         #798535
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 5 has been updated to SR16 which fixes various critical
   security issues and bugs.
   Please see the IBM JDK Alert page for more information:
   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1486, CVE-2013-1478, CVE-2013-0445,
   CVE-2013-1480, CVE-2013-1476, CVE-2013-0442, CVE-2013-0425, CVE-2013-0426,
   CVE-2013-0428, CVE-2013-1481, CVE-2013-0432, CVE-2013-0434, CVE-2013-0409,
   CVE-2013-0427, CVE-2013-0433, CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
      java-1_5_0-ibm-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-devel-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-fonts-1.5.0_sr16.0-0.6.1
   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):
      java-1_5_0-ibm-32bit-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-devel-32bit-1.5.0_sr16.0-0.6.1
   - SUSE Linux Enterprise Server 10 SP3 LTSS (x86_64):
      java-1_5_0-ibm-alsa-32bit-1.5.0_sr16.0-0.6.1
   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586):
      java-1_5_0-ibm-alsa-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-jdbc-1.5.0_sr16.0-0.6.1
      java-1_5_0-ibm-plugin-1.5.0_sr16.0-0.6.1

References:

   https://bugzilla.novell.com/798535
   http://download.novell.com/patch/finder/?keywords=5ea58c1fb829cad73b10e123453189b1

From sle-security-updates at lists.suse.com Mon Mar 18 15:04:25 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 Mar 2013 22:04:25 +0100 (CET)
Subject: SUSE-SU-2013:0478-1: important: Security update for IBM Java2 JRE and SDK
Message-ID: <20130318210425.E23243219C@maintenance.suse.de>

   SUSE Security Update: Security update for IBM Java2 JRE and SDK
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0478-1
Rating:             important
References:         #438695 #603353 #798535
Affected Products:
                    SUSE CORE 9
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   IBM Java 1.4.2 has been updated to SR13-FP15 which fixes various critical
   security issues and bugs.
   Please see the IBM JDK Alert page for more information:
   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security issues fixed: CVE-2013-1478, CVE-2013-1480, CVE-2013-1476,
   CVE-2013-0442, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-1481,
   CVE-2013-0432, CVE-2013-0434, CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.

Package List:

   - SUSE CORE 9 (i586 s390 s390x x86_64):
      IBMJava2-JRE-1.4.2_sr13.15-0.4
      IBMJava2-SDK-1.4.2_sr13.15-0.4

References:

   https://bugzilla.novell.com/438695
   https://bugzilla.novell.com/603353
   https://bugzilla.novell.com/798535
   http://download.novell.com/patch/finder/?keywords=514bd0c17c6dce42bd680235a566a928

From sle-security-updates at lists.suse.com Tue Mar 19 10:04:34 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 19 Mar 2013 17:04:34 +0100 (CET)
Subject: SUSE-SU-2013:0355-2: moderate: Security update for rubygem-rack
Message-ID: <20130319160434.2C13032157@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-rack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0355-2
Rating:             moderate
References:         #798452 #802794
Cross-References:   CVE-2012-6109 CVE-2013-0183 CVE-2013-0184
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available. It includes
   one version update.

Description:

   Denial of service conditions in the Rack 1.1 rubygem have been fixed.

   Rack has been updated to 1.1.6:
   * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie

   Rack has been updated to 1.1.5:
   * Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
     (CVE-2013-0184)
   * Add warnings when users do not provide a session secret
   * Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
     Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1

   Security Issue references:

   * CVE-2013-0184
   * CVE-2013-0183
   * CVE-2012-6109

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
     zypper in -t patch sdksp2-rack-201302-7388
   - SUSE Cloud 1.0:
     zypper in -t patch sleclo10sp2-rack-201302-7388

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.1.6]:
      rubygem-rack-1.1.6-0.9.2
   - SUSE Cloud 1.0 (x86_64) [New Version: 1.1.6]:
      rubygem-rack-1.1.6-0.9.2

References:

   http://support.novell.com/security/cve/CVE-2012-6109.html
   http://support.novell.com/security/cve/CVE-2013-0183.html
   http://support.novell.com/security/cve/CVE-2013-0184.html
   https://bugzilla.novell.com/798452
   https://bugzilla.novell.com/802794
   http://download.novell.com/patch/finder/?keywords=06a87ff3e927ed3dc1f888af3c9913a0

From sle-security-updates at lists.suse.com Tue Mar 19 11:04:44 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 19 Mar 2013 18:04:44 +0100 (CET)
Subject: SUSE-SU-2013:0486-1: important: Security update for Ruby On Rails
Message-ID: <20130319170444.6BBF43219C@maintenance.suse.de>

   SUSE Security Update: Security update for Ruby On Rails
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0486-1
Rating:             important
References:         #796712 #797449 #797452 #800320 #803336 #803339
Cross-References:   CVE-2012-5664 CVE-2013-0155 CVE-2013-0156 CVE-2013-0276
                    CVE-2013-0277
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has one errata is now
   available. It includes one version update.

Description:

   The Ruby on Rails stack has been updated to 2.3.17 to fix various
   security issues and bugs.

   The rails gems have been updated to fix:

   * Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
   * Multiple vulnerabilities in parameter parsing in Action Pack
     (CVE-2013-0156)
   * activerecord: SQL Injection (CVE-2012-5664)
   * rails: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3
     (CVE-2013-0333)
   * activerecord: Circumvention of attr_protected (CVE-2013-0276)
   * activerecord: Serialized Attributes YAML Vulnerability with Rails 2.3
     and 3.0 (CVE-2013-0277)

   Security Issue references:

   * CVE-2012-5664
   * CVE-2013-0155
   * CVE-2013-0156
   * CVE-2013-0277
   * CVE-2013-0276

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
     zypper in -t patch sdksp2-rubygem-actionmailer-2_3-7363
   - SUSE Cloud 1.0:
     zypper in -t patch sleclo10sp2-rubygem-actionmailer-2_3-7363

   To bring your system up-to-date, use "zypper patch".
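The Rack fix for CVE-2013-0263 (SUSE-SU-2013:0355-2 above) closes a timing attack against Rack::Session::Cookie: the signed cookie's MAC was checked with an ordinary string comparison that stops at the first mismatching byte, so response latency leaks how many leading bytes of a guess are right. The Python below is an added example, not Rack's or Rails' code. It signs a session cookie with HMAC-SHA256, shows the short-circuiting comparison to avoid beside the constant-time check with hmac.compare_digest, and rejects tampered payloads. SECRET, sign_cookie, verify_cookie, naive_equal and the sample session are assumptions for this illustration.

```python
"""Signed session cookie with a constant-time MAC check (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed sample secret for this example; a real deployment reads it from
# configuration (the Rack 1.1.5 update above warns when none is provided).
SECRET = b"constructed-example-secret-do-not-reuse"


def _mac(secret: bytes, payload: bytes) -> str:
    """Hex HMAC-SHA256 over the serialized session."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def sign_cookie(secret: bytes, session: dict) -> str:
    """Serialize a session dict as 'base64(json)--hexmac'.

    The payload is signed, not encrypted: the client can read it, it just
    cannot change it without invalidating the MAC."""
    payload = base64.b64encode(json.dumps(session, sort_keys=True).encode())
    return payload.decode() + "--" + _mac(secret, payload)


def naive_equal(a: str, b: str) -> bool:
    """The pattern the Rack fix removed: returns as soon as one byte differs,
    so the running time depends on how much of the prefix matches."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def verify_cookie(secret: bytes, cookie: str):
    """Return the session dict when the MAC verifies, otherwise None.

    hmac.compare_digest takes the same time wherever the inputs differ, so
    a remote caller learns nothing about the expected MAC from latency."""
    payload, sep, received = cookie.rpartition("--")
    if not sep or not payload:
        return None
    expected = _mac(secret, payload.encode())
    # Compare as bytes so a non-ASCII cookie value cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    try:
        return json.loads(base64.b64decode(payload))
    except ValueError:
        # Covers binascii.Error, JSONDecodeError and UnicodeDecodeError.
        return None


if __name__ == "__main__":
    cookie = sign_cookie(SECRET, {"user_id": 42})
    print(cookie)
    print(verify_cookie(SECRET, cookie))
```

Design note: the base64 alphabet and a hex digest never contain "-", so splitting on the last "--" is unambiguous; everything before the MAC check is pure string handling and runs before any untrusted bytes are decoded.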
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:
      rubygem-actionmailer-2_3-2.3.17-0.9.1
      rubygem-actionpack-2_3-2.3.17-0.9.1
      rubygem-activerecord-2_3-2.3.17-0.9.1
      rubygem-activeresource-2_3-2.3.17-0.9.1
      rubygem-activesupport-2_3-2.3.17-0.9.1
      rubygem-rails-2_3-2.3.17-0.9.1
   - SUSE Linux Enterprise Software Development Kit 11 SP2 (noarch) [New Version: 2.3.17]:
      rubygem-rails-2.3.17-0.8.1
   - SUSE Cloud 1.0 (x86_64) [New Version: 2.3.17]:
      rubygem-actionmailer-2_3-2.3.17-0.9.1
      rubygem-actionpack-2_3-2.3.17-0.9.1
      rubygem-activerecord-2_3-2.3.17-0.9.1
      rubygem-activeresource-2_3-2.3.17-0.9.1
      rubygem-activesupport-2_3-2.3.17-0.9.1
      rubygem-rails-2_3-2.3.17-0.9.1

References:

   http://support.novell.com/security/cve/CVE-2012-5664.html
   http://support.novell.com/security/cve/CVE-2013-0155.html
   http://support.novell.com/security/cve/CVE-2013-0156.html
   http://support.novell.com/security/cve/CVE-2013-0276.html
   http://support.novell.com/security/cve/CVE-2013-0277.html
   https://bugzilla.novell.com/796712
   https://bugzilla.novell.com/797449
   https://bugzilla.novell.com/797452
   https://bugzilla.novell.com/800320
   https://bugzilla.novell.com/803336
   https://bugzilla.novell.com/803339
   http://download.novell.com/patch/finder/?keywords=262e345a7ecb482ffca687eedd6b610a

From sle-security-updates at lists.suse.com Tue Mar 19 16:04:33 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 19 Mar 2013 23:04:33 +0100 (CET)
Subject: SUSE-SU-2013:0488-1: moderate: Security update for openstack-keystone
Message-ID: <20130319220433.91D203219A@maintenance.suse.de>

   SUSE Security Update: Security update for openstack-keystone
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0488-1
Rating:             moderate
References:         #803351 #803739
Affected Products:
                    SUSE Cloud 1.0
______________________________________________________________________________
   An update that contains security fixes can now be installed.

Description:

   Openstack Keystone has been updated to fix various bugs and security
   issues.

   The following security issues have been fixed:

   * CVE-2013-0282: EC2-style authentication accepts disabled user/tenants.

   * CVE-2013-0280: Jonathan Murray from NCC Group, Joshua Harlow from Yahoo!
     and Stuart Stent independently reported a vulnerability in the parsing
     of XML requests in Keystone, Nova and Cinder. By using entities in XML
     requests, an unauthenticated attacker may consume excessive resources on
     the Keystone, Nova or Cinder API servers, resulting in a denial of
     service and potentially a crash. Authenticated attackers may also
     leverage XML entities to read the content of a local file on the
     Keystone API server. This only affects servers with XML support enabled.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 1.0:
     zypper in -t patch sleclo10sp2-openstack-keystone-7494

   To bring your system up-to-date, use "zypper patch".
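Both halves of CVE-2013-0280 described above (resource exhaustion through entity expansion, and reading a local file through an external entity) need an entity declaration in the request's DTD, so an API server can refuse the whole class at the parser without trying to bound expansion. The Python below is an added example, not OpenStack's fix: it drives the standard-library expat parser with handlers that abort on any DOCTYPE or entity declaration, then extracts the top-level fields of an otherwise plain request. parse_request, accepts, UnsafeXML and the three sample request bodies are assumptions for this illustration.

```python
"""Reject XML request bodies that declare a DTD or entities (added example)."""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when the document carries a DOCTYPE or entity declaration."""


def parse_request(body: bytes, allow_doctype: bool = False) -> dict:
    """Parse an XML request into {child_tag: text} for the root's children.

    Any entity declaration aborts parsing. A DOCTYPE aborts too unless the
    caller opts in; a well-formed API request never needs one, and refusing it
    also stops external-subset tricks before they start."""
    parser = expat.ParserCreate()
    result = {}
    state = {"depth": 0, "current": None}

    def on_entity_decl(name, *_):
        # Fires for internal and external (SYSTEM/PUBLIC) entities alike.
        raise UnsafeXML("entity declaration %r not allowed" % name)

    def on_doctype(name, *_):
        if not allow_doctype:
            raise UnsafeXML("DOCTYPE %r not allowed" % name)

    def on_start(tag, attrs):
        state["depth"] += 1
        if state["depth"] == 2:          # direct child of the root element
            state["current"] = tag
            result[tag] = ""

    def on_end(tag):
        if state["depth"] == 2:
            state["current"] = None
        state["depth"] -= 1

    def on_text(data):
        # expat may deliver one text node in several chunks; concatenate.
        if state["current"] is not None:
            result[state["current"]] += data

    parser.EntityDeclHandler = on_entity_decl
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(body, True)       # exceptions raised in handlers propagate
    except expat.ExpatError as exc:
        raise ValueError("malformed XML: %s" % exc)
    return result


def accepts(body: bytes, allow_doctype: bool = False) -> bool:
    """True if parse_request accepts the body, False if it rejects it."""
    try:
        parse_request(body, allow_doctype)
    except ValueError:
        return False
    return True


# Constructed sample request bodies (not captured traffic).
PLAIN_REQUEST = b"<auth><username>alice</username><tenant>demo</tenant></auth>"
DOCTYPE_ONLY = b"<!DOCTYPE auth><auth><username>alice</username></auth>"
ENTITY_REQUEST = (b'<!DOCTYPE auth [<!ENTITY e "expanded">]>'
                  b"<auth><username>&e;</username></auth>")


if __name__ == "__main__":
    print(parse_request(PLAIN_REQUEST))
    for sample in (PLAIN_REQUEST, DOCTYPE_ONLY, ENTITY_REQUEST):
        print(accepts(sample), sample[:40])
```

The declaration handlers run before any entity is referenced, so the check costs nothing on legitimate requests and does not depend on expansion limits or on whether the parser would fetch external resources.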
Package List:

   - SUSE Cloud 1.0 (x86_64):
      openstack-keystone-2012.1+git.1353613280.c17a999-0.9.1
      openstack-keystone-doc-2012.1+git.1353613280.c17a999-0.9.1
      python-keystone-2012.1+git.1353613280.c17a999-0.9.1

References:

   https://bugzilla.novell.com/803351
   https://bugzilla.novell.com/803739
   http://download.novell.com/patch/finder/?keywords=fc8cc45f60ac6f0e29e07fe6db3c82cd

From sle-security-updates at lists.suse.com Tue Mar 19 16:04:47 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 19 Mar 2013 23:04:47 +0100 (CET)
Subject: SUSE-SU-2013:0491-1: moderate: Security update for openstack-glance
Message-ID: <20130319220447.92B253219A@maintenance.suse.de>

   SUSE Security Update: Security update for openstack-glance
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0491-1
Rating:             moderate
References:         #808626
Affected Products:
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   Openstack Glance has been updated to fix security issues.

   The following security issue has been fixed:

   * CVE-2013-1840: Stuart McLaren from HP reported a vulnerability in the
     information potentially returned to the user in Glance v1 API. If an
     authenticated user requests, through the v1 API, an image that is
     already cached, the headers returned may disclose the Glance operator's
     backend credentials for that endpoint. Only setups accepting the Glance
     v1 API and using either the single-tenant Swift store or S3 store are
     affected.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 1.0:
     zypper in -t patch sleclo10sp2-openstack-glance-7493

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Cloud 1.0 (x86_64):
      openstack-glance-2012.1+git.1352338057.efd7e75-0.7.1
      python-glance-2012.1+git.1352338057.efd7e75-0.7.1

References:

   https://bugzilla.novell.com/808626
   http://download.novell.com/patch/finder/?keywords=8ce969211306b6bb7632abba021db0d5

From sle-security-updates at lists.suse.com Wed Mar 20 10:04:39 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Mar 2013 17:04:39 +0100 (CET)
Subject: SUSE-SU-2013:0508-1: important: Security update for rubygem-merb-core
Message-ID: <20130320160439.3ECB232176@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-merb-core
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0508-1
Rating:             important
References:         #805759
Cross-References:   CVE-2012-2695 CVE-2012-5664 CVE-2012-6109 CVE-2013-0155
                    CVE-2013-0156 CVE-2013-0183 CVE-2013-0184
Affected Products:
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   rubygem-merb-core has been updated to change the rack version dependency.
   Now any rack 1.1 version is accepted.

   This update needs to be installed in parallel with the 2.3.17 rails
   update.

   Security Issue references:

   * CVE-2013-0184
   * CVE-2012-6109
   * CVE-2013-0183
   * CVE-2012-5664
   * CVE-2012-2695
   * CVE-2013-0155
   * CVE-2013-0156

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 1.0:
     zypper in -t patch sleclo10sp2-rubygem-merb-core-7405

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Cloud 1.0 (x86_64):
      rubygem-merb-core-1.1.3-0.9.1

References:

   http://support.novell.com/security/cve/CVE-2012-2695.html
   http://support.novell.com/security/cve/CVE-2012-5664.html
   http://support.novell.com/security/cve/CVE-2012-6109.html
   http://support.novell.com/security/cve/CVE-2013-0155.html
   http://support.novell.com/security/cve/CVE-2013-0156.html
   http://support.novell.com/security/cve/CVE-2013-0183.html
   http://support.novell.com/security/cve/CVE-2013-0184.html
   https://bugzilla.novell.com/805759
   http://download.novell.com/patch/finder/?keywords=fe3baf16da4284805596caf983f71fcc

From sle-security-updates at lists.suse.com Thu Mar 21 18:04:29 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 Mar 2013 01:04:29 +0100 (CET)
Subject: SUSE-SU-2013:0517-1: moderate: Security update for PostgreSQL
Message-ID: <20130322000429.E97053218B@maintenance.suse.de>

   SUSE Security Update: Security update for PostgreSQL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0517-1
Rating:             moderate
References:         #802679
Cross-References:   CVE-2013-0255
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes two
   new package versions.

Description:

   PostgreSQL has been updated to version 9.1.8 which fixes various bugs and
   one security issue.

   The security issue fixed in this release, CVE-2013-0255, allowed a
   previously authenticated user to crash the server by calling an internal
   function with invalid arguments.
   This issue was discovered by the independent security researcher Sumit
   Soni this week and reported via Secunia SVCRP, and we are grateful for
   their efforts in making PostgreSQL more secure.

   More information can be found at http://www.postgresql.org/about/news/1446/

   Security Issue reference:

   * CVE-2013-0255

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
     zypper in -t patch sdksp2-libecpg6-7342
   - SUSE Linux Enterprise Server 11 SP2 for VMware:
     zypper in -t patch slessp2-libecpg6-7342 slessp2-postgresql-7340
   - SUSE Linux Enterprise Server 11 SP2:
     zypper in -t patch slessp2-libecpg6-7342 slessp2-postgresql-7340
   - SUSE Linux Enterprise Desktop 11 SP2:
     zypper in -t patch sledsp2-libecpg6-7342 sledsp2-postgresql-7340

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 9.1.8]:
      postgresql91-devel-9.1.8-0.5.1
   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 8.3.23 and 9.1.8]:
      libecpg6-9.1.8-0.5.1
      libpq5-9.1.8-0.5.1
      postgresql-8.3.23-0.4.1
      postgresql-contrib-8.3.23-0.4.1
      postgresql-docs-8.3.23-0.4.1
      postgresql-server-8.3.23-0.4.1
      postgresql91-9.1.8-0.5.1
      postgresql91-contrib-9.1.8-0.5.1
      postgresql91-docs-9.1.8-0.5.1
      postgresql91-server-9.1.8-0.5.1
   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 9.1.8]:
      libpq5-32bit-9.1.8-0.5.1
   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 8.3.23 and 9.1.8]:
      libecpg6-9.1.8-0.5.1
      libpq5-9.1.8-0.5.1
      postgresql-8.3.23-0.4.1
      postgresql-contrib-8.3.23-0.4.1
      postgresql-docs-8.3.23-0.4.1
      postgresql-server-8.3.23-0.4.1
      postgresql91-9.1.8-0.5.1
      postgresql91-contrib-9.1.8-0.5.1
      postgresql91-docs-9.1.8-0.5.1
      postgresql91-server-9.1.8-0.5.1
   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 9.1.8]:
      libpq5-32bit-9.1.8-0.5.1
   - SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 9.1.8]:
      libpq5-x86-9.1.8-0.5.1
   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 8.3.23 and 9.1.8]:
      libecpg6-9.1.8-0.5.1
      libpq5-9.1.8-0.5.1
      postgresql-8.3.23-0.4.1
      postgresql91-9.1.8-0.5.1
   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 9.1.8]:
      libpq5-32bit-9.1.8-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2013-0255.html
   https://bugzilla.novell.com/802679
   http://download.novell.com/patch/finder/?keywords=c3212d7df41878fb9f2807cfcf4855ee
   http://download.novell.com/patch/finder/?keywords=cd006fe2067b8aff8ca70a034368785a

From sle-security-updates at lists.suse.com Fri Mar 22 08:04:28 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 Mar 2013 15:04:28 +0100 (CET)
Subject: SUSE-SU-2013:0519-1: important: Security update for Samba
Message-ID: <20130322140428.32B95321A1@maintenance.suse.de>

   SUSE Security Update: Security update for Samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0519-1
Rating:             important
References:         #499233 #741623 #755663 #759731 #764577 #783384 #799641
                    #800982
Cross-References:   CVE-2013-0213 CVE-2013-0214
Affected Products:
                    SUSE Linux Enterprise Server 10 GPLv3 Extras
______________________________________________________________________________

   An update that solves two vulnerabilities and has 6 fixes is now
   available.

Description:

   The Samba Web Administration Tool (SWAT) in Samba versions 3.0.x to 4.0.1
   was affected by a cross-site request forgery; CVE-2013-0214; (bnc#799641).

   The Samba Web Administration Tool (SWAT) in Samba versions 3.0.x to 4.0.1
   could possibly be used in clickjacking attacks; CVE-2013-0213;
   (bnc#800982).

   Also the following bugs have been fixed:

   * Don't clutter the spec file diff view; (bnc#783384).
   * s3: Fix uninitialized memory read in talloc_free(); (bnc#764577).
   * Attempt to use samlogon validation level 6; (bso#7945); (bnc#741623).
   * Add PreReq /etc/init.d/nscd to the winbind package; (bnc#759731).
   * Recover from ncacn_ip_tcp ACCESS_DENIED/SEC_PKG_ERROR lsa errors;
     (bso#7944); (bnc#755663).
   * Fix lsa_LookupSids3 and lsa_LookupNames4 arguments.

   Security Issue references:

   * CVE-2013-0213
   * CVE-2013-0214

Package List:

   - SUSE Linux Enterprise Server 10 GPLv3 Extras (i586 ia64 ppc s390x x86_64):
      libnetapi-devel-3.4.3-0.47.3
      libnetapi0-3.4.3-0.47.3
      libtalloc-devel-3.4.3-0.47.3
      libtalloc1-3.4.3-0.47.3
      libtdb-devel-3.4.3-0.47.3
      libtdb1-3.4.3-0.47.3
      libwbclient-devel-3.4.3-0.47.3
      libwbclient0-3.4.3-0.47.3
      samba-gplv3-3.4.3-0.47.3
      samba-gplv3-client-3.4.3-0.47.3
      samba-gplv3-krb-printing-3.4.3-0.47.3
      samba-gplv3-winbind-3.4.3-0.47.3
   - SUSE Linux Enterprise Server 10 GPLv3 Extras (noarch):
      samba-gplv3-doc-3.4.3-0.47.3

References:

   http://support.novell.com/security/cve/CVE-2013-0213.html
   http://support.novell.com/security/cve/CVE-2013-0214.html
   https://bugzilla.novell.com/499233
   https://bugzilla.novell.com/741623
   https://bugzilla.novell.com/755663
   https://bugzilla.novell.com/759731
   https://bugzilla.novell.com/764577
   https://bugzilla.novell.com/783384
   https://bugzilla.novell.com/799641
   https://bugzilla.novell.com/800982
   http://download.novell.com/patch/finder/?keywords=2420a6d522645b2b55c7b8e17af958f1

From sle-security-updates at lists.suse.com Fri Mar 22 10:04:29 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 Mar 2013 17:04:29 +0100 (CET)
Subject: SUSE-SU-2013:0520-1: moderate: Security update for git
Message-ID: <20130322160429.F06B332183@maintenance.suse.de>

   SUSE Security Update: Security update for git
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0520-1
Rating:             moderate
References:         #803874 #804730
Cross-References:   CVE-2013-0308
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available. It includes one version update.

Description:

   git has been updated to fix a security issue and one bug:

   * CVE-2013-0308: git imap-send did not verify the SSL host certificate,
     allowing man-in-the-middle attacks. This has been fixed.

   * The git-web frontend did not work after the last git update when
     AppArmor was active. The file path was adjusted so that this works
     again.

   Security Issue reference:

   * CVE-2013-0308

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
     zypper in -t patch sdksp2-git-7398

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.7.12.4]:
      git-1.7.12.4-0.5.1
      git-arch-1.7.12.4-0.5.1
      git-core-1.7.12.4-0.5.1
      git-cvs-1.7.12.4-0.5.1
      git-daemon-1.7.12.4-0.5.1
      git-email-1.7.12.4-0.5.1
      git-gui-1.7.12.4-0.5.1
      git-svn-1.7.12.4-0.5.1
      git-web-1.7.12.4-0.5.1
      gitk-1.7.12.4-0.5.1

References:

   http://support.novell.com/security/cve/CVE-2013-0308.html
   https://bugzilla.novell.com/803874
   https://bugzilla.novell.com/804730
   http://download.novell.com/patch/finder/?keywords=d38f0c60ef50e644dcd202cc30fa4bd3

From sle-security-updates at lists.suse.com Tue Mar 26 18:04:33 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Mar 2013 01:04:33 +0100 (CET)
Subject: SUSE-SU-2013:0543-1: moderate: Security update for oracle-update
Message-ID: <20130327000433.EE79D32176@maintenance.suse.de>

   SUSE Security Update: Security update for oracle-update
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0543-1
Rating:             moderate
References:         #781730 #799056
Cross-References:   CVE-2012-3137
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
                    SUSE Manager 1.2 for SLE 11 SP1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   Oracle Server has been updated via "oracle-update" to fix:

   * CVE-2012-3137: oracledb: stealth password cracking vulnerability

   and a bugfix has been added:

   * /etc/init.d/oracle status does not work (bnc#799056)

   Security Issue reference:

   * CVE-2012-3137

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.7 for SLE 11 SP2:
     zypper in -t patch sleman17sp2-oracle-update-7417
   - SUSE Manager 1.2 for SLE 11 SP1:
     zypper in -t patch sleman12sp1-oracle-update-7416

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):
      oracle-update-1.7-0.15.1
   - SUSE Manager 1.2 for SLE 11 SP1 (x86_64):
      oracle-update-1.7-0.4.14.1

References:

   http://support.novell.com/security/cve/CVE-2012-3137.html
   https://bugzilla.novell.com/781730
   https://bugzilla.novell.com/799056
   http://download.novell.com/patch/finder/?keywords=563c5199ca7ebdcced208a0e2939ee3a
   http://download.novell.com/patch/finder/?keywords=91c5476f38f46e7542de00075b38ab80

From sle-security-updates at lists.suse.com Wed Mar 27 10:04:45 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Mar 2013 17:04:45 +0100 (CET)
Subject: SUSE-SU-2013:0549-1: moderate: Security update for OpenSSL
Message-ID: <20130327160445.8EEE3321A1@maintenance.suse.de>

   SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0549-1
Rating:             moderate
References:         #779952 #802648 #802746
Cross-References:   CVE-2013-0166 CVE-2013-0169
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now
   available.

Description:

   OpenSSL has been updated to fix several security issues:

   * CVE-2012-4929: Avoid the openssl CRIME attack by disabling SSL
     compression by default. Setting the environment variable
     "OPENSSL_NO_DEFAULT_ZLIB" to "no" enables compression again.

   * CVE-2013-0169: Timing attacks against TLS could be used by physically
     local attackers to gain access to transmitted plain text or private key
     material. This issue is also known as the "Lucky-13" issue.

   * CVE-2013-0166: An OCSP invalid-key denial-of-service issue was fixed.

   Security Issue references:

   * CVE-2013-0169
   * CVE-2013-0166

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:
     zypper in -t patch sdksp2-libopenssl-devel-7548
   - SUSE Linux Enterprise Server 11 SP2 for VMware:
     zypper in -t patch slessp2-libopenssl-devel-7548
   - SUSE Linux Enterprise Server 11 SP2:
     zypper in -t patch slessp2-libopenssl-devel-7548
   - SUSE Linux Enterprise Desktop 11 SP2:
     zypper in -t patch sledsp2-libopenssl-devel-7548

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      libopenssl-devel-0.9.8j-0.50.1
   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):
      libopenssl0_9_8-0.9.8j-0.50.1
      libopenssl0_9_8-hmac-0.9.8j-0.50.1
      openssl-0.9.8j-0.50.1
      openssl-doc-0.9.8j-0.50.1
   - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64):
      libopenssl0_9_8-32bit-0.9.8j-0.50.1
   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      libopenssl0_9_8-0.9.8j-0.50.1
      libopenssl0_9_8-hmac-0.9.8j-0.50.1
      openssl-0.9.8j-0.50.1
      openssl-doc-0.9.8j-0.50.1
   - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64):
      libopenssl0_9_8-32bit-0.9.8j-0.50.1
      libopenssl0_9_8-hmac-32bit-0.9.8j-0.50.1
   - SUSE Linux Enterprise Server 11 SP2 (ia64):
      libopenssl0_9_8-hmac-x86-0.9.8j-0.50.1
      libopenssl0_9_8-x86-0.9.8j-0.50.1
   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
      libopenssl0_9_8-0.9.8j-0.50.1
      openssl-0.9.8j-0.50.1
   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):
      libopenssl0_9_8-32bit-0.9.8j-0.50.1

References:

   http://support.novell.com/security/cve/CVE-2013-0166.html
   http://support.novell.com/security/cve/CVE-2013-0169.html
   https://bugzilla.novell.com/779952
   https://bugzilla.novell.com/802648
   https://bugzilla.novell.com/802746
   http://download.novell.com/patch/finder/?keywords=7511bcbbd6f49b6c61d8a67f90be3c62

From sle-security-updates at lists.suse.com Wed Mar 27 10:05:44 2013
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Mar 2013 17:05:44 +0100 (CET)
Subject: SUSE-SU-2013:0554-1: moderate: Security update for OpenSSL
Message-ID: <20130327160544.F0BE7321A4@maintenance.suse.de>

   SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0554-1
Rating:             moderate
References:         #733252 #779952 #802648 #802746 #808942
Cross-References:   CVE-2013-0166 CVE-2013-0169
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that solves two vulnerabilities and has three fixes is now
   available.

Description:

   OpenSSL has been updated to fix several security issues:

   * CVE-2012-4929: Avoid the openssl CRIME attack by disabling SSL
     compression by default. Setting the environment variable
     "OPENSSL_NO_DEFAULT_ZLIB" to "no" enables compression again. Please
     note that openssl on SUSE Linux Enterprise 10 is not built with
     compression support.

   * CVE-2013-0169: Timing attacks against TLS could be used by physically
     local attackers to gain access to transmitted plain text or private key
     material. This issue is also known as the "Lucky-13" issue.

   * CVE-2013-0166: An OCSP invalid-key denial-of-service issue was fixed.

   Security Issue references:

   * CVE-2013-0169
   * CVE-2013-0166

Package List:

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
      openssl-0.9.8a-18.76.1
      openssl-devel-0.9.8a-18.76.1
      openssl-doc-0.9.8a-18.76.1
   - SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):
      openssl-32bit-0.9.8a-18.76.1
      openssl-devel-32bit-0.9.8a-18.76.1
   - SUSE Linux Enterprise Server 10 SP4 (ia64):
      openssl-x86-0.9.8a-18.76.1
   - SUSE Linux Enterprise Server 10 SP4 (ppc):
      openssl-64bit-0.9.8a-18.76.1
      openssl-devel-64bit-0.9.8a-18.76.1
   - SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
      openssl-0.9.8a-18.76.1
      openssl-devel-0.9.8a-18.76.1
   - SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
      openssl-32bit-0.9.8a-18.76.1
      openssl-devel-32bit-0.9.8a-18.76.1
   - SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):
      openssl-doc-0.9.8a-18.76.1

References:

   http://support.novell.com/security/cve/CVE-2013-0166.html
   http://support.novell.com/security/cve/CVE-2013-0169.html
   https://bugzilla.novell.com/733252
   https://bugzilla.novell.com/779952
   https://bugzilla.novell.com/802648
   https://bugzilla.novell.com/802746
   https://bugzilla.novell.com/808942
http://download.novell.com/patch/finder/?keywords=42741ff95d9d4f1604b9b2d2fc5ec078 From sle-security-updates at lists.suse.com Wed Mar 27 20:04:21 2013 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Mar 2013 03:04:21 +0100 (CET) Subject: SUSE-SU-2013:0558-1: Security update for Kerberos 5 Message-ID: <20130328020421.1790A32176@maintenance.suse.de> SUSE Security Update: Security update for Kerberos 5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0558-1 Rating: low References: #787272 #806715 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for Kerberos 5 fixes one security issue: The KDC plugin for PKINIT can dereference a null pointer when processing malformed packets, leading to a crash of the KDC process. (bnc#806715, CVE-2013-1415) Additionally, it improves compatibility with processes that handle large numbers of open files. (bnc#787272) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-krb5-7446 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-krb5-7446 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-krb5-7446 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-krb5-7446 To bring your system up-to-date, use "zypper patch". 
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64): krb5-devel-1.6.3-133.49.54.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (ppc64 s390x x86_64): krb5-devel-32bit-1.6.3-133.49.54.1 - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64): krb5-server-1.6.3-133.49.54.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64): krb5-1.6.3-133.49.54.1 krb5-apps-clients-1.6.3-133.49.54.1 krb5-apps-servers-1.6.3-133.49.54.1 krb5-client-1.6.3-133.49.54.1 krb5-plugin-kdb-ldap-1.6.3-133.49.54.1 krb5-plugin-preauth-pkinit-1.6.3-133.49.54.1 krb5-server-1.6.3-133.49.54.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64): krb5-32bit-1.6.3-133.49.54.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64): krb5-1.6.3-133.49.54.1 krb5-apps-clients-1.6.3-133.49.54.1 krb5-apps-servers-1.6.3-133.49.54.1 krb5-client-1.6.3-133.49.54.1 krb5-plugin-kdb-ldap-1.6.3-133.49.54.1 krb5-plugin-preauth-pkinit-1.6.3-133.49.54.1 krb5-server-1.6.3-133.49.54.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64): krb5-32bit-1.6.3-133.49.54.1 - SUSE Linux Enterprise Server 11 SP2 (ia64): krb5-x86-1.6.3-133.49.54.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64): krb5-1.6.3-133.49.54.1 krb5-client-1.6.3-133.49.54.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64): krb5-32bit-1.6.3-133.49.54.1 References: https://bugzilla.novell.com/787272 https://bugzilla.novell.com/806715 http://download.novell.com/patch/finder/?keywords=b65786aee61582aa40a251cace29337a
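The advisories above tell an administrator to run "zypper patch" and list the fixed package builds, but they do not show how to confirm afterwards that a host actually carries those builds. The following is an added example, not SUSE's code or part of the original mailing-list posts: it compares installed name-version-release strings against the fixed builds using rpm's version-ordering rules (digit runs numeric, letter runs lexical, a digit run newer than a letter run, "~" sorting before everything). The rpm -qa sample is constructed for the example, the FIXED table is copied from the SUSE Linux Enterprise Server 11 SP2 package lists of the OpenSSL and Kerberos 5 advisories above, and the function names are the example's own. Epochs are ignored, since none of the listed packages carries one.

```python
import re

# Added example (not SUSE's code): check installed RPM name-version-release
# strings against the fixed builds an advisory lists.  Epochs are not
# handled, since the package lists above carry none.

_TOKEN = re.compile(r'\d+|[A-Za-z]+|~')


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does.

    Returns -1, 0 or 1.  Digit runs compare numerically, letter runs
    lexically, a digit run is newer than a letter run, '~' sorts before
    anything else (so 1.0~rc1 < 1.0), and when one string runs out of
    segments the longer one is newer (1.0 < 1.0a).
    """
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == '~' or y == '~':
            if x != '~':
                return 1
            if y != '~':
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def split_nvr(nvr: str):
    """'krb5-plugin-preauth-pkinit-1.6.3-133.49.54.1' ->
    ('krb5-plugin-preauth-pkinit', '1.6.3', '133.49.54.1')."""
    name, version, release = nvr.rsplit('-', 2)
    return name, version, release


def is_at_least(installed_nvr: str, fixed_nvr: str) -> bool:
    """True when the installed package is the fixed build or newer."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(fixed_nvr)
    if n1 != n2:
        raise ValueError(f'package name mismatch: {n1} vs {n2}')
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0


# Fixed version-release per package, taken from the SLES 11 SP2 package
# lists of the OpenSSL and Kerberos 5 advisories above.
FIXED = {
    'openssl': '0.9.8j-0.50.1',
    'libopenssl0_9_8': '0.9.8j-0.50.1',
    'krb5': '1.6.3-133.49.54.1',
    'krb5-client': '1.6.3-133.49.54.1',
    'krb5-plugin-preauth-pkinit': '1.6.3-133.49.54.1',
}

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output; not taken from any real host.
INSTALLED_SAMPLE = """\
openssl-0.9.8j-0.44.1
libopenssl0_9_8-0.9.8j-0.50.1
krb5-1.6.3-133.49.54.1
krb5-client-1.6.3-133.49.40.1
krb5-plugin-preauth-pkinit-1.6.3-133.49.54.1
bash-3.2-147.14.1
"""


def outdated(rpm_qa_output: str, fixed: dict):
    """Return (name, installed_vr, fixed_vr) for every package in `fixed`
    that is installed but still older than the advisory's build."""
    hits = []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release = split_nvr(line)
        if name not in fixed:
            continue  # package not covered by the advisories
        if not is_at_least(line, f'{name}-{fixed[name]}'):
            hits.append((name, f'{version}-{release}', fixed[name]))
    return sorted(hits)


if __name__ == '__main__':
    for name, have, want in outdated(INSTALLED_SAMPLE, FIXED):
        print(f'{name}: installed {have}, advisory requires {want}')
```

On a real host, feed the script the output of the rpm -qa query named in the comment; a package that is absent from the host is simply not reported, so combine this with the affected-products list when deciding whether a machine is in scope at all.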
