From sle-security-updates at lists.suse.com  Mon Jun  2 14:04:09 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Jun 2014 22:04:09 +0200 (CEST)
Subject: SUSE-SU-2014:0733-2: important: Security update for IBM Java 7
Message-ID: <20140602200409.B2DC8320E8@maintenance.suse.de>

   SUSE Security Update: Security update for IBM Java 7
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0733-2
Rating:             important
References:         #877429
Cross-References:   CVE-2013-6629 CVE-2013-6954 CVE-2014-0428 CVE-2014-0429
                    CVE-2014-0446 CVE-2014-0448 CVE-2014-0449 CVE-2014-0451
                    CVE-2014-0452 CVE-2014-0453 CVE-2014-0454 CVE-2014-0455
                    CVE-2014-0457 CVE-2014-0458 CVE-2014-0459 CVE-2014-0460
                    CVE-2014-0461 CVE-2014-0878 CVE-2014-1876 CVE-2014-2398
                    CVE-2014-2401 CVE-2014-2402 CVE-2014-2409 CVE-2014-2412
                    CVE-2014-2414 CVE-2014-2420 CVE-2014-2421 CVE-2014-2423
                    CVE-2014-2427 CVE-2014-2428
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Java 11 SP3
______________________________________________________________________________

   An update that fixes 30 vulnerabilities is now available.

Description:

   IBM Java 7 was updated to version SR7, which received security and bug
   fixes.

   More information is available at:
   http://www.ibm.com/developerworks/java/jdk/aix/j764/Java7_64.fixes.html#SR7

   Security Issues references:

   * CVE-2013-6629
   * CVE-2013-6954
   * CVE-2014-0429
   * CVE-2014-0446
   * CVE-2014-0448
   * CVE-2014-0449
   * CVE-2014-0451
   * CVE-2014-0452
   * CVE-2014-0457
   * CVE-2014-0458
   * CVE-2014-0459
   * CVE-2014-0460
   * CVE-2014-0461
   * CVE-2014-1876
   * CVE-2014-2398
   * CVE-2014-2401
   * CVE-2014-2402
   * CVE-2014-2409
   * CVE-2014-2412
   * CVE-2014-2414
   * CVE-2014-2420
   * CVE-2014-2421
   * CVE-2014-2423
   * CVE-2014-2427
   * CVE-2014-2428
   * CVE-2014-0455
   * CVE-2014-0428
   * CVE-2014-0453
   * CVE-2014-0454
   * CVE-2014-0878

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-java-1_7_0-ibm-9263

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-java-1_7_0-ibm-9263

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-java-1_7_0-ibm-9263

   - SUSE Linux Enterprise Java 11 SP3:

      zypper in -t patch slejsp3-java-1_7_0-ibm-9263

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ppc64 s390x x86_64):

      java-1_7_0-ibm-devel-1.7.0_sr7.0-0.5.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      java-1_7_0-ibm-1.7.0_sr7.0-0.5.1
      java-1_7_0-ibm-alsa-1.7.0_sr7.0-0.5.1
      java-1_7_0-ibm-jdbc-1.7.0_sr7.0-0.5.1
      java-1_7_0-ibm-plugin-1.7.0_sr7.0-0.5.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ppc64 s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr7.0-0.5.1
      java-1_7_0-ibm-jdbc-1.7.0_sr7.0-0.5.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64):

      java-1_7_0-ibm-alsa-1.7.0_sr7.0-0.5.1
      java-1_7_0-ibm-plugin-1.7.0_sr7.0-0.5.1

   - SUSE Linux Enterprise Java 11 SP3 (i586 ppc64 s390x x86_64):

      java-1_7_0-ibm-1.7.0_sr7.0-0.5.1
      java-1_7_0-ibm-devel-1.7.0_sr7.0-0.5.1
      java-1_7_0-ibm-jdbc-1.7.0_sr7.0-0.5.1

   - SUSE Linux Enterprise Java 11 SP3 (i586 x86_64):

      java-1_7_0-ibm-alsa-1.7.0_sr7.0-0.5.1
      java-1_7_0-ibm-plugin-1.7.0_sr7.0-0.5.1


References:

   http://support.novell.com/security/cve/CVE-2013-6629.html
   http://support.novell.com/security/cve/CVE-2013-6954.html
   http://support.novell.com/security/cve/CVE-2014-0428.html
   http://support.novell.com/security/cve/CVE-2014-0429.html
   http://support.novell.com/security/cve/CVE-2014-0446.html
   http://support.novell.com/security/cve/CVE-2014-0448.html
   http://support.novell.com/security/cve/CVE-2014-0449.html
   http://support.novell.com/security/cve/CVE-2014-0451.html
   http://support.novell.com/security/cve/CVE-2014-0452.html
   http://support.novell.com/security/cve/CVE-2014-0453.html
   http://support.novell.com/security/cve/CVE-2014-0454.html
   http://support.novell.com/security/cve/CVE-2014-0455.html
   http://support.novell.com/security/cve/CVE-2014-0457.html
   http://support.novell.com/security/cve/CVE-2014-0458.html
   http://support.novell.com/security/cve/CVE-2014-0459.html
   http://support.novell.com/security/cve/CVE-2014-0460.html
   http://support.novell.com/security/cve/CVE-2014-0461.html
   http://support.novell.com/security/cve/CVE-2014-0878.html
   http://support.novell.com/security/cve/CVE-2014-1876.html
   http://support.novell.com/security/cve/CVE-2014-2398.html
   http://support.novell.com/security/cve/CVE-2014-2401.html
   http://support.novell.com/security/cve/CVE-2014-2402.html
   http://support.novell.com/security/cve/CVE-2014-2409.html
   http://support.novell.com/security/cve/CVE-2014-2412.html
   http://support.novell.com/security/cve/CVE-2014-2414.html
   http://support.novell.com/security/cve/CVE-2014-2420.html
   http://support.novell.com/security/cve/CVE-2014-2421.html
   http://support.novell.com/security/cve/CVE-2014-2423.html
   http://support.novell.com/security/cve/CVE-2014-2427.html
   http://support.novell.com/security/cve/CVE-2014-2428.html
   https://bugzilla.novell.com/877429
   http://download.suse.com/patch/finder/?keywords=17742af872c505eb5cddf057e924c505


From sle-security-updates at lists.suse.com  Mon Jun  2 14:07:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 2 Jun 2014 22:07:14 +0200 (CEST)
Subject: SUSE-SU-2014:0744-1: moderate: Security update for xorg-x11-server
Message-ID: <20140602200714.82196320E8@maintenance.suse.de>

   SUSE Security Update: Security update for xorg-x11-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0744-1
Rating:             moderate
References:         #813178 #813683 #814653 #816813 #843652 #853846
Cross-References:   CVE-2013-1940 CVE-2013-4396 CVE-2013-6424
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that solves three vulnerabilities and has three fixes is now
   available.

Description:

   This is a SLES 11 SP1 LTSS rollup update for the X.Org Server package.
   The following security issues have been fixed:

   * CVE-2013-6424: Integer underflow in the xTrapezoidValid macro in
     render/picture.h in X.Org allowed context-dependent attackers to cause
     a denial of service (crash) via a negative bottom value.

   * CVE-2013-4396: Use-after-free vulnerability in the doImageText
     function in dix/dixfonts.c in the xorg-server module before 1.14.4 in
     X.Org X11 allowed remote authenticated users to cause a denial of
     service (daemon crash) or possibly execute arbitrary code via a crafted
     ImageText request that triggers a memory-allocation failure.

   * CVE-2013-1940: X.Org X server did not properly restrict access to
     input events when adding a new hot-plug device, which might have
     allowed physically proximate attackers to obtain sensitive
     information, as demonstrated by reading passwords from a tty.

   The following non-security issues have been fixed:

   * rfbAuthReenable accessed an rfbClient structure that in most cases had
     already been freed. It only needs the ScreenPtr, which is now passed
     directly. (bnc#816813)

   * Memory leaks in ARGB cursor handling. (bnc#813178, bnc#813683)

   Security Issues:

   * CVE-2013-1940
   * CVE-2013-4396
   * CVE-2013-6424

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-xorg-x11-Xvnc-9126

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      xorg-x11-Xvnc-7.4-27.40.70.1
      xorg-x11-server-7.4-27.40.70.1
      xorg-x11-server-extra-7.4-27.40.70.1


References:

   http://support.novell.com/security/cve/CVE-2013-1940.html
   http://support.novell.com/security/cve/CVE-2013-4396.html
   http://support.novell.com/security/cve/CVE-2013-6424.html
   https://bugzilla.novell.com/813178
   https://bugzilla.novell.com/813683
   https://bugzilla.novell.com/814653
   https://bugzilla.novell.com/816813
   https://bugzilla.novell.com/843652
   https://bugzilla.novell.com/853846
   http://download.suse.com/patch/finder/?keywords=ba40d48b0976dd6e6e280de949ecbe09


From sle-security-updates at lists.suse.com  Mon Jun  2 17:04:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 3 Jun 2014 01:04:14 +0200 (CEST)
Subject: SUSE-SU-2014:0728-3: important: Security update for IBM Java 6
Message-ID: <20140602230414.A332B320DF@maintenance.suse.de>

   SUSE Security Update: Security update for IBM Java 6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0728-3
Rating:             important
References:         #877430
Cross-References:   CVE-2013-6629 CVE-2013-6954 CVE-2014-0428 CVE-2014-0429
                    CVE-2014-0446 CVE-2014-0449 CVE-2014-0451 CVE-2014-0452
                    CVE-2014-0453 CVE-2014-0457 CVE-2014-0458 CVE-2014-0459
                    CVE-2014-0460 CVE-2014-0461 CVE-2014-0878 CVE-2014-1876
                    CVE-2014-2398 CVE-2014-2401 CVE-2014-2409 CVE-2014-2412
                    CVE-2014-2414 CVE-2014-2420 CVE-2014-2421 CVE-2014-2423
                    CVE-2014-2427 CVE-2014-2428
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP1 LTSS
                    SUSE Linux Enterprise Java 11 SP3
______________________________________________________________________________

   An update that fixes 26 vulnerabilities is now available.

Description:

   IBM Java 6 was updated to version 6 SR16 to fix several security issues
   and various other bugs.

   More information can be found at:
   http://www.ibm.com/developerworks/java/jdk/alerts/

   Security Issues references:

   * CVE-2013-6629
   * CVE-2013-6954
   * CVE-2014-0429
   * CVE-2014-0446
   * CVE-2014-0449
   * CVE-2014-0451
   * CVE-2014-0452
   * CVE-2014-0457
   * CVE-2014-0458
   * CVE-2014-0459
   * CVE-2014-0460
   * CVE-2014-0461
   * CVE-2014-1876
   * CVE-2014-2398
   * CVE-2014-2401
   * CVE-2014-2409
   * CVE-2014-2412
   * CVE-2014-2414
   * CVE-2014-2420
   * CVE-2014-2421
   * CVE-2014-2423
   * CVE-2014-2427
   * CVE-2014-2428
   * CVE-2014-0428
   * CVE-2014-0453
   * CVE-2014-0878

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-java-1_6_0-ibm-9256

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-java-1_6_0-ibm-9256

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-java-1_6_0-ibm-9256

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-java-1_6_0-ibm-9273

   - SUSE Linux Enterprise Java 11 SP3:

      zypper in -t patch slejsp3-java-1_6_0-ibm-9256

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-devel-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      java-1_6_0-ibm-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      java-1_6_0-ibm-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-plugin-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Java 11 SP3 (i586 ppc64 s390x x86_64):

      java-1_6_0-ibm-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-devel-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-fonts-1.6.0_sr16.0-0.3.1
      java-1_6_0-ibm-jdbc-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Java 11 SP3 (i586 x86_64):

      java-1_6_0-ibm-plugin-1.6.0_sr16.0-0.3.1

   - SUSE Linux Enterprise Java 11 SP3 (i586):

      java-1_6_0-ibm-alsa-1.6.0_sr16.0-0.3.1


References:

   http://support.novell.com/security/cve/CVE-2013-6629.html
   http://support.novell.com/security/cve/CVE-2013-6954.html
   http://support.novell.com/security/cve/CVE-2014-0428.html
   http://support.novell.com/security/cve/CVE-2014-0429.html
   http://support.novell.com/security/cve/CVE-2014-0446.html
   http://support.novell.com/security/cve/CVE-2014-0449.html
   http://support.novell.com/security/cve/CVE-2014-0451.html
   http://support.novell.com/security/cve/CVE-2014-0452.html
   http://support.novell.com/security/cve/CVE-2014-0453.html
   http://support.novell.com/security/cve/CVE-2014-0457.html
   http://support.novell.com/security/cve/CVE-2014-0458.html
   http://support.novell.com/security/cve/CVE-2014-0459.html
   http://support.novell.com/security/cve/CVE-2014-0460.html
   http://support.novell.com/security/cve/CVE-2014-0461.html
   http://support.novell.com/security/cve/CVE-2014-0878.html
   http://support.novell.com/security/cve/CVE-2014-1876.html
   http://support.novell.com/security/cve/CVE-2014-2398.html
   http://support.novell.com/security/cve/CVE-2014-2401.html
   http://support.novell.com/security/cve/CVE-2014-2409.html
   http://support.novell.com/security/cve/CVE-2014-2412.html
   http://support.novell.com/security/cve/CVE-2014-2414.html
   http://support.novell.com/security/cve/CVE-2014-2420.html
   http://support.novell.com/security/cve/CVE-2014-2421.html
   http://support.novell.com/security/cve/CVE-2014-2423.html
   http://support.novell.com/security/cve/CVE-2014-2427.html
   http://support.novell.com/security/cve/CVE-2014-2428.html
   https://bugzilla.novell.com/877430
   http://download.suse.com/patch/finder/?keywords=159cbf841fa77a526042b13b2fa5ba4b
   http://download.suse.com/patch/finder/?keywords=ae93268c78a2b60a14d572b620ac3add


From sle-security-updates at lists.suse.com  Tue Jun  3 17:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Jun 2014 01:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:0750-1: moderate: Security update for gpg2
Message-ID: <20140603230413.C7F9D320BA@maintenance.suse.de>

   SUSE Security Update: Security update for gpg2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0750-1
Rating:             moderate
References:         #778723 #780943 #798465 #808958 #840510 #844175
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This is a SLES 11 SP1 LTSS rollup update for gpg2.

   The following security issues have been fixed:

   * CVE-2013-4402: The compressed packet parser in GnuPG allowed remote
     attackers to cause a denial of service (infinite recursion) via a
     crafted OpenPGP message.

   * CVE-2013-4351: GnuPG treated a key flags subpacket with all bits
     cleared (no usage permitted) as if it had all bits set (all usage
     permitted), which might have allowed remote attackers to bypass
     intended cryptographic protection mechanisms by leveraging the subkey.

   * CVE-2012-6085: The read_block function in g10/import.c in GnuPG, when
     importing a key, allowed remote attackers to corrupt the public keyring
     database or cause a denial of service (application crash) via a
     crafted length field of an OpenPGP packet.

   Also the following non-security bugs have been fixed:

   * set the umask before opening a file for writing (bnc#780943)
   * select proper ciphers when running in FIPS mode (bnc#808958)
   * add missing options to opts table (bnc#778723)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-gpg2-9124

   To bring your system up-to-date, use "zypper patch".
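   The CVE-2013-4351 entry above describes a key-flags subpacket whose
   all-cleared octet was read as "all usage permitted". The following added
   example (written for this page, not GnuPG code) decodes an OpenPGP
   signature subpacket area per RFC 4880, extracts the key-flags octet, and
   contrasts the correct interpretation with the pre-fix behaviour the
   advisory describes. The subpacket bytes and the timestamp are constructed
   for the example.

```python
"""
Decode OpenPGP signature subpackets (RFC 4880 section 5.2.3.1) and read the
key-flags subpacket (type 27) the way a consumer must: a flags octet of 0x00
means "no usage permitted", never "everything permitted".
The sample subpacket area below is constructed for this example.
"""

KEY_FLAGS = 27          # subpacket type (RFC 4880 section 5.2.3.21)
CREATION_TIME = 2       # subpacket type (RFC 4880 section 5.2.3.4)

# Key-flags bits in the first octet of the subpacket body
FLAG_CERTIFY = 0x01
FLAG_SIGN = 0x02
FLAG_ENCRYPT_COMMS = 0x04
FLAG_ENCRYPT_STORAGE = 0x08
FLAG_AUTH = 0x20


def encode_subpacket(sp_type: int, body: bytes) -> bytes:
    """Serialise one subpacket: length (1, 2 or 5 octets), type octet, body."""
    n = len(body) + 1                       # the length counts the type octet
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return length + bytes([sp_type]) + body


def parse_subpackets(area: bytes) -> list:
    """Return [(type, body), ...] for a subpacket area; reject truncated input."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length = int.from_bytes(area[i + 1:i + 5], "big")
            i += 5
        if length == 0 or i + length > len(area):
            raise ValueError("subpacket length exceeds remaining data")
        sp_type = area[i] & 0x7F            # bit 7 is the "critical" marker
        out.append((sp_type, bytes(area[i + 1:i + length])))
        i += length
    return out


def key_flags(subpackets: list):
    """First octet of the key-flags subpacket, or None when it is absent."""
    for sp_type, body in subpackets:
        if sp_type == KEY_FLAGS:
            return body[0] if body else 0
    return None


def usage_permitted(flags: int, wanted: int) -> bool:
    """Correct check: a usage is permitted only when its bit is set."""
    return (flags & wanted) == wanted


def usage_permitted_cve_2013_4351(flags: int, wanted: int) -> bool:
    """The pre-fix behaviour described by CVE-2013-4351, kept for comparison:
    an all-cleared flags octet was handled as if every bit were set."""
    if flags == 0:
        flags = 0xFF
    return (flags & wanted) == wanted


# Constructed sample: a creation-time subpacket followed by key flags = 0x00
SAMPLE_AREA = (encode_subpacket(CREATION_TIME, (1371158400).to_bytes(4, "big"))
               + encode_subpacket(KEY_FLAGS, b"\x00"))


def demo() -> int:
    """Print both interpretations of the sample's flags and return the octet."""
    flags = key_flags(parse_subpackets(SAMPLE_AREA))
    print(f"key flags octet: 0x{flags:02x}")
    for name, bit in (("sign", FLAG_SIGN), ("encrypt", FLAG_ENCRYPT_COMMS)):
        print(f"  {name}: correct={usage_permitted(flags, bit)} "
              f"cve-2013-4351={usage_permitted_cve_2013_4351(flags, bit)}")
    return flags


if __name__ == "__main__":
    demo()
```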
Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      gpg2-2.0.9-25.33.37.6
      gpg2-lang-2.0.9-25.33.37.6


References:

   https://bugzilla.novell.com/778723
   https://bugzilla.novell.com/780943
   https://bugzilla.novell.com/798465
   https://bugzilla.novell.com/808958
   https://bugzilla.novell.com/840510
   https://bugzilla.novell.com/844175
   http://download.suse.com/patch/finder/?keywords=541ab699fd83742808f396e260b1da5d


From sle-security-updates at lists.suse.com  Wed Jun  4 11:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Jun 2014 19:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:0754-1: moderate: Security update for openstack-neutron
Message-ID: <20140604170413.A6419320DF@maintenance.suse.de>

   SUSE Security Update: Security update for openstack-neutron
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0754-1
Rating:             moderate
References:         #874757
Cross-References:   CVE-2014-0187
Affected Products:
                    SUSE Cloud 3
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   This update to openstack-neutron-2013.2.4.dev54.gc78491e fixes, besides
   other non-security issues, the security groups bypass through invalid
   CIDR vulnerability (CVE-2014-0187).

   Further information is available at
   http://www.openwall.com/lists/oss-security/2014/04/22/8

   Security Issues:

   * CVE-2014-0187

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 3:

      zypper in -t patch sleclo30sp3-openstack-neutron-9282

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Cloud 3 (x86_64) [New Version: 2013.2.4.dev54.gc78491e]:

      openstack-neutron-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-dhcp-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-ha-tool-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-l3-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-lbaas-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-linuxbridge-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-metadata-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-metering-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-mlnx-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-nec-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-openvswitch-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-plugin-cisco-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-ryu-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-server-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-vmware-agent-2013.2.4.dev54.gc78491e-0.7.1
      openstack-neutron-vpn-agent-2013.2.4.dev54.gc78491e-0.7.1
      python-neutron-2013.2.4.dev54.gc78491e-0.7.1

   - SUSE Cloud 3 (noarch) [New Version: 2013.2.4.dev54.gc78491e]:

      openstack-neutron-doc-2013.2.4.dev54.gc78491e-0.7.1


References:

   http://support.novell.com/security/cve/CVE-2014-0187.html
   https://bugzilla.novell.com/874757
   http://download.suse.com/patch/finder/?keywords=0ac07054fd81f4c0ba9ab66087e8619c


From sle-security-updates at lists.suse.com  Wed Jun  4 12:04:11 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Jun 2014 20:04:11 +0200 (CEST)
Subject: SUSE-SU-2014:0430-6: Security update for rubygem-will_paginate
Message-ID: <20140604180411.E4E6E320DF@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-will_paginate
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0430-6
Rating:             low
References:         #864873
Affected Products:
                    SUSE Lifecycle Management Server 1.3
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   Various ruby gems were released where the unpacked tree was patched for
   the current security issues, but the included gem file (gem archive) was
   not adjusted.

   This update rolls the current updates to also contain the fixes in the
   .gem files (bnc#864873).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Lifecycle Management Server 1.3:

      zypper in -t patch sleslms13-rails-fixgem-201402a-8933

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Lifecycle Management Server 1.3 (x86_64):

      rubygem-will_paginate-3.0.3-0.11.1


References:

   https://bugzilla.novell.com/864873
   http://download.suse.com/patch/finder/?keywords=4d8d085771e8ad2bd297a6737e0655da


From sle-security-updates at lists.suse.com  Wed Jun  4 13:05:07 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 4 Jun 2014 21:05:07 +0200 (CEST)
Subject: SUSE-SU-2014:0730-2: moderate: Security update for rubygem-rack-ssl
Message-ID: <20140604190507.55FF1320DF@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-rack-ssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0730-2
Rating:             moderate
References:         #869162
Cross-References:   CVE-2014-2538
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for rubygem-rack-ssl fixes a cross-site scripting (XSS)
   vulnerability in the error page.

   Security Issue reference:

   * CVE-2014-2538

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-rubygem-rack-ssl-9098

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      rubygem-rack-ssl-1.3.2-0.12.5.1


References:

   http://support.novell.com/security/cve/CVE-2014-2538.html
   https://bugzilla.novell.com/869162
   http://download.suse.com/patch/finder/?keywords=2de6450fdeda964ef77efb5062253dc3


From sle-security-updates at lists.suse.com  Wed Jun  4 18:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Jun 2014 02:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:0756-1: moderate: Security update for rubygem-actionpack-3_2
Message-ID: <20140605000413.0A58B320D9@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-actionpack-3_2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0756-1
Rating:             moderate
References:         #864431 #864433 #864873 #876714
Cross-References:   CVE-2014-0081 CVE-2014-0082 CVE-2014-0130
Affected Products:
                    WebYaST 1.3
                    SUSE Studio Onsite 1.3
                    SUSE Lifecycle Management Server 1.3
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now
   available. It includes one version update.

Description:

   Rubygem Actionpack has been updated to fix several security
   vulnerabilities:

   * XSS Vulnerability in number_to_currency, number_to_percentage and
     number_to_human (CVE-2014-0081).
   * Denial of Service Vulnerability in Action View when using render :text
     (CVE-2014-0082).
   * Directory traversal issue (CVE-2014-0130).

   Security Issue references:

   * CVE-2014-0082
   * CVE-2014-0081
   * CVE-2014-0130

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - WebYaST 1.3:

      zypper in -t patch slewyst13-rubygem-actionpack-3_2-9292

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-rubygem-actionpack-3_2-9292

   - SUSE Lifecycle Management Server 1.3:

      zypper in -t patch sleslms13-rubygem-actionpack-3_2-9292

   To bring your system up-to-date, use "zypper patch".


Package List:

   - WebYaST 1.3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.2.12]:

      rubygem-actionpack-3_2-3.2.12-0.15.1

   - SUSE Studio Onsite 1.3 (x86_64) [New Version: 3.2.12]:

      rubygem-actionpack-3_2-3.2.12-0.15.1

   - SUSE Lifecycle Management Server 1.3 (x86_64) [New Version: 3.2.12]:

      rubygem-actionpack-3_2-3.2.12-0.15.1


References:

   http://support.novell.com/security/cve/CVE-2014-0081.html
   http://support.novell.com/security/cve/CVE-2014-0082.html
   http://support.novell.com/security/cve/CVE-2014-0130.html
   https://bugzilla.novell.com/864431
   https://bugzilla.novell.com/864433
   https://bugzilla.novell.com/864873
   https://bugzilla.novell.com/876714
   http://download.suse.com/patch/finder/?keywords=e2b4307132973b16bf04c7367719a7bb


From sle-security-updates at lists.suse.com  Wed Jun  4 19:04:12 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 5 Jun 2014 03:04:12 +0200 (CEST)
Subject: SUSE-SU-2014:0758-1: important: Security update for gnutls
Message-ID: <20140605010412.682CF320D9@maintenance.suse.de>

   SUSE Security Update: Security update for gnutls
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0758-1
Rating:             important
References:         #880730 #880910
Cross-References:   CVE-2014-3466
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise High Availability Extension 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   GnuTLS has been patched to ensure proper parsing of session ids during
   the TLS/SSL handshake. Additionally, three issues inherited from libtasn1
   have been fixed.

   Further information is available at
   http://www.gnutls.org/security.html#GNUTLS-SA-2014-3

   These security issues have been fixed:

   * Possible memory corruption during connect (CVE-2014-3466)
   * Multiple boundary check issues could allow DoS (CVE-2014-3467)
   * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)
   * Possible DoS by NULL pointer dereference (CVE-2014-3469)

   Security Issue references:

   * CVE-2014-3466

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-gnutls-9320

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-gnutls-9320

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-gnutls-9320

   - SUSE Linux Enterprise High Availability Extension 11 SP3:

      zypper in -t patch slehasp3-gnutls-9320

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-gnutls-9320

   To bring your system up-to-date, use "zypper patch".
Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): libgnutls-devel-2.4.1-24.39.51.1 libgnutls-extra-devel-2.4.1-24.39.51.1 libgnutls-extra26-2.4.1-24.39.51.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): gnutls-2.4.1-24.39.51.1 libgnutls-extra26-2.4.1-24.39.51.1 libgnutls26-2.4.1-24.39.51.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): libgnutls26-32bit-2.4.1-24.39.51.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): gnutls-2.4.1-24.39.51.1 libgnutls-extra26-2.4.1-24.39.51.1 libgnutls26-2.4.1-24.39.51.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): libgnutls26-32bit-2.4.1-24.39.51.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): libgnutls26-x86-2.4.1-24.39.51.1 - SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 ia64 ppc64 s390x x86_64): libgnutls-extra26-2.4.1-24.39.51.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): gnutls-2.4.1-24.39.51.1 libgnutls26-2.4.1-24.39.51.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): libgnutls26-32bit-2.4.1-24.39.51.1 References: http://support.novell.com/security/cve/CVE-2014-3466.html https://bugzilla.novell.com/880730 https://bugzilla.novell.com/880910 http://download.suse.com/patch/finder/?keywords=cbb1ebdf6ecb2e49e09ac0ae8fadfbfc From sle-security-updates at lists.suse.com Thu Jun 5 16:04:14 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 6 Jun 2014 00:04:14 +0200 (CEST) Subject: SUSE-SU-2014:0759-1: critical: Security update for OpenSSL Message-ID: <20140605220414.24D80320F0@maintenance.suse.de> SUSE Security Update: Security update for OpenSSL ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0759-1 Rating: critical References: #880891 Cross-References: CVE-2014-0221 CVE-2014-0224 CVE-2014-3470 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux 
Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: OpenSSL was updated to fix several vulnerabilities: * SSL/TLS MITM vulnerability. (CVE-2014-0224) * DTLS recursion flaw. (CVE-2014-0221) * Anonymous ECDH denial of service. (CVE-2014-3470) Further information can be found at http://www.openssl.org/news/secadv_20140605.txt . Security Issues references: * CVE-2014-0224 * CVE-2014-0221 * CVE-2014-3470 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-libopenssl-devel-9326 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-libopenssl-devel-9326 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-libopenssl-devel-9326 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-libopenssl-devel-9326 To bring your system up-to-date, use "zypper patch". 
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    libopenssl-devel-0.9.8j-0.58.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    libopenssl0_9_8-0.9.8j-0.58.1
    libopenssl0_9_8-hmac-0.9.8j-0.58.1
    openssl-0.9.8j-0.58.1
    openssl-doc-0.9.8j-0.58.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
    libopenssl0_9_8-32bit-0.9.8j-0.58.1
    libopenssl0_9_8-hmac-32bit-0.9.8j-0.58.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    libopenssl0_9_8-0.9.8j-0.58.1
    libopenssl0_9_8-hmac-0.9.8j-0.58.1
    openssl-0.9.8j-0.58.1
    openssl-doc-0.9.8j-0.58.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
    libopenssl0_9_8-32bit-0.9.8j-0.58.1
    libopenssl0_9_8-hmac-32bit-0.9.8j-0.58.1
- SUSE Linux Enterprise Server 11 SP3 (ia64):
    libopenssl0_9_8-x86-0.9.8j-0.58.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
    libopenssl0_9_8-0.9.8j-0.58.1
    openssl-0.9.8j-0.58.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
    libopenssl0_9_8-32bit-0.9.8j-0.58.1

References:

http://support.novell.com/security/cve/CVE-2014-0221.html
http://support.novell.com/security/cve/CVE-2014-0224.html
http://support.novell.com/security/cve/CVE-2014-3470.html
https://bugzilla.novell.com/880891
http://download.suse.com/patch/finder/?keywords=db2f8a5e6769133f6c66e3727010bfb8

From sle-security-updates at lists.suse.com Thu Jun 5 17:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Jun 2014 01:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:0760-1: Security update for glibc
Message-ID: <20140605230413.386E0320DF@maintenance.suse.de>

SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0760-1
Rating:             low
References:         #836746 #844309 #847227 #854445 #863499 #872832
Cross-References:   CVE-2013-4357 CVE-2013-4458
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves two vulnerabilities and has four fixes is now available.

Description:

This update for the GNU C Library (glibc) fixes security issues and some bugs, and introduces one new feature.

The following security issues have been fixed:

* CVE-2013-4357: Various potential stack overflows in getaddrinfo() and others were fixed. (bnc#844309)
* CVE-2013-4458: A stack (frame) overflow in getaddrinfo() when called with AF_INET6 was fixed.

The following new feature has been implemented:

* On PowerLinux, a vDSO entry for getcpu() was added for possible performance enhancements. (FATE#316816, bnc#854445)

The following issues have been fixed:

* Performance problems with threads in __lll_lock_wait_private and __lll_unlock_wake_private. (bnc#836746)
* IPv6: Memory leak in getaddrinfo() when many RRs are returned. (bnc#863499)
* Using the profiling C library (-lc_p) could trigger a segmentation fault. (bnc#872832)

Security Issues references:

* CVE-2013-4357
* CVE-2013-4458

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-glibc-9262
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-glibc-9262
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-glibc-9262
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-glibc-9262

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):
    glibc-html-2.11.3-17.62.1
    glibc-info-2.11.3-17.62.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    glibc-2.11.3-17.62.1
    glibc-devel-2.11.3-17.62.1
    glibc-html-2.11.3-17.62.1
    glibc-i18ndata-2.11.3-17.62.1
    glibc-info-2.11.3-17.62.1
    glibc-locale-2.11.3-17.62.1
    glibc-profile-2.11.3-17.62.1
    nscd-2.11.3-17.62.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
    glibc-32bit-2.11.3-17.62.1
    glibc-devel-32bit-2.11.3-17.62.1
    glibc-locale-32bit-2.11.3-17.62.1
    glibc-profile-32bit-2.11.3-17.62.1
- SUSE Linux Enterprise Server 11 SP3 (i586 i686 ia64 ppc64 s390x x86_64):
    glibc-2.11.3-17.62.1
    glibc-devel-2.11.3-17.62.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    glibc-html-2.11.3-17.62.1
    glibc-i18ndata-2.11.3-17.62.1
    glibc-info-2.11.3-17.62.1
    glibc-locale-2.11.3-17.62.1
    glibc-profile-2.11.3-17.62.1
    nscd-2.11.3-17.62.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
    glibc-32bit-2.11.3-17.62.1
    glibc-devel-32bit-2.11.3-17.62.1
    glibc-locale-32bit-2.11.3-17.62.1
    glibc-profile-32bit-2.11.3-17.62.1
- SUSE Linux Enterprise Server 11 SP3 (ia64):
    glibc-locale-x86-2.11.3-17.62.1
    glibc-profile-x86-2.11.3-17.62.1
    glibc-x86-2.11.3-17.62.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 i686 x86_64):
    glibc-2.11.3-17.62.1
    glibc-devel-2.11.3-17.62.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
    glibc-i18ndata-2.11.3-17.62.1
    glibc-locale-2.11.3-17.62.1
    nscd-2.11.3-17.62.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
    glibc-32bit-2.11.3-17.62.1
    glibc-devel-32bit-2.11.3-17.62.1
    glibc-locale-32bit-2.11.3-17.62.1

References:

http://support.novell.com/security/cve/CVE-2013-4357.html
http://support.novell.com/security/cve/CVE-2013-4458.html
https://bugzilla.novell.com/836746
https://bugzilla.novell.com/844309
https://bugzilla.novell.com/847227
https://bugzilla.novell.com/854445
https://bugzilla.novell.com/863499
https://bugzilla.novell.com/872832
http://download.suse.com/patch/finder/?keywords=6e7b580c8401597aace1b6f6d46f6d74

From sle-security-updates at lists.suse.com Thu Jun 5 17:05:54 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Jun 2014 01:05:54 +0200 (CEST)
Subject: SUSE-SU-2014:0761-1: critical: Security update for OpenSSL
Message-ID: <20140605230554.2CC1B320DF@maintenance.suse.de>

SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0761-1
Rating:             critical
References:         #859228 #859924 #860332 #862181 #869945 #870192 #880891
Cross-References:   CVE-2014-0076 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

An update that solves four vulnerabilities and has three fixes is now available. It includes one version update.

Description:

OpenSSL was updated to fix several vulnerabilities:

* SSL/TLS MITM vulnerability. (CVE-2014-0224)
* DTLS recursion flaw. (CVE-2014-0221)
* Anonymous ECDH denial of service. (CVE-2014-3470)
* ECDSA nonces could have been recovered using the FLUSH+RELOAD cache side-channel attack. (CVE-2014-0076)

Further information can be found at http://www.openssl.org/news/secadv_20140605.txt .

Additionally, the following non-security fixes and enhancements have been included in this release:

* Ensure that the stack is marked non-executable on x86 32bit. On other processor platforms it was already marked as non-executable before. (bnc#870192)
* IPv6 support was added to the openssl s_client and s_server command line tools. (bnc#859228)
* The openssl command line tool now checks certificates by default against /etc/ssl/certs (this can be changed via the -CApath option). (bnc#860332)
* The Elliptic Curve Diffie-Hellman key exchange selector was enabled and can be selected by the kECDHE, kECDH and ECDH tags in the SSL cipher string. (bnc#859924)
* If an optional openssl1 command line tool is installed in parallel, c_rehash uses it to generate certificate hashes in both OpenSSL 0 and OpenSSL 1 style. This allows parallel usage of OpenSSL 0.9.8j and OpenSSL 1.x client libraries with a shared certificate store. (bnc#862181)

Security Issues references:

* CVE-2014-0224
* CVE-2014-0221
* CVE-2014-3470
* CVE-2014-0076

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:
    zypper in -t patch slessp2-libopenssl-devel-9324
- SUSE Linux Enterprise Server 11 SP1 LTSS:
    zypper in -t patch slessp1-libopenssl-devel-9323

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):
    libopenssl0_9_8-0.9.8j-0.58.1
    libopenssl0_9_8-hmac-0.9.8j-0.58.1
    openssl-0.9.8j-0.58.1
    openssl-doc-0.9.8j-0.58.1
- SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):
    libopenssl0_9_8-32bit-0.9.8j-0.58.1
    libopenssl0_9_8-hmac-32bit-0.9.8j-0.58.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 0.9.8j]:
    libopenssl0_9_8-0.9.8j-0.58.1
    libopenssl0_9_8-hmac-0.9.8j-0.58.1
    openssl-0.9.8j-0.58.1
    openssl-doc-0.9.8j-0.58.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 0.9.8j]:
    libopenssl0_9_8-32bit-0.9.8j-0.58.1
    libopenssl0_9_8-hmac-32bit-0.9.8j-0.58.1

References:

http://support.novell.com/security/cve/CVE-2014-0076.html
http://support.novell.com/security/cve/CVE-2014-0221.html
http://support.novell.com/security/cve/CVE-2014-0224.html
http://support.novell.com/security/cve/CVE-2014-3470.html
https://bugzilla.novell.com/859228
https://bugzilla.novell.com/859924
https://bugzilla.novell.com/860332
https://bugzilla.novell.com/862181
https://bugzilla.novell.com/869945
https://bugzilla.novell.com/870192
https://bugzilla.novell.com/880891
http://download.suse.com/patch/finder/?keywords=6cb273ec77c3138de899b696097344dc
http://download.suse.com/patch/finder/?keywords=b76b151f2d2ff2b6064a21d179bb718f

From sle-security-updates at lists.suse.com Fri Jun 6 01:04:10 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 6 Jun 2014 09:04:10 +0200 (CEST)
Subject: SUSE-SU-2014:0762-1: critical: Security update for OpenSSL 1.0
Message-ID: <20140606070410.F244B320F0@maintenance.suse.de>

SUSE Security Update: Security update for OpenSSL 1.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0762-1
Rating:             critical
References:         #876282 #880891
Cross-References:   CVE-2014-0195 CVE-2014-0198 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470
Affected Products:
                    SUSE Linux Enterprise Security Module 11 SP3
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

OpenSSL was updated to fix several vulnerabilities:

* SSL/TLS MITM vulnerability. (CVE-2014-0224)
* DTLS recursion flaw. (CVE-2014-0221)
* DTLS invalid fragment vulnerability. (CVE-2014-0195)
* SSL_MODE_RELEASE_BUFFERS NULL pointer dereference. (CVE-2014-0198)
* Anonymous ECDH denial of service. (CVE-2014-3470)

Further information can be found at http://www.openssl.org/news/secadv_20140605.txt .

Security Issues references:

* CVE-2014-0224
* CVE-2014-0221
* CVE-2014-0195
* CVE-2014-0198
* CVE-2014-3470

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Security Module 11 SP3:
    zypper in -t patch secsp3-libopenssl1-devel-9325

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Security Module 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    libopenssl1-devel-1.0.1g-0.16.1
    libopenssl1_0_0-1.0.1g-0.16.1
    openssl1-1.0.1g-0.16.1
    openssl1-doc-1.0.1g-0.16.1
- SUSE Linux Enterprise Security Module 11 SP3 (ppc64 s390x x86_64):
    libopenssl1_0_0-32bit-1.0.1g-0.16.1
- SUSE Linux Enterprise Security Module 11 SP3 (ia64):
    libopenssl1_0_0-x86-1.0.1g-0.16.1

References:

http://support.novell.com/security/cve/CVE-2014-0195.html
http://support.novell.com/security/cve/CVE-2014-0198.html
http://support.novell.com/security/cve/CVE-2014-0221.html
http://support.novell.com/security/cve/CVE-2014-0224.html
http://support.novell.com/security/cve/CVE-2014-3470.html
https://bugzilla.novell.com/876282
https://bugzilla.novell.com/880891
http://download.suse.com/patch/finder/?keywords=61cb4c46d00371ca48e4548ed26e4ea8

From sle-security-updates at lists.suse.com Fri Jun 6 16:04:12 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 7 Jun 2014 00:04:12 +0200 (CEST)
Subject: SUSE-SU-2014:0768-1: critical: Security update for OpenSSL
Message-ID: <20140606220412.B823E320F3@maintenance.suse.de>

SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0768-1
Rating:             critical
References:         #459468 #489641 #880891
Cross-References:   CVE-2011-4354 CVE-2014-0224
Affected Products:
                    SUSE CORE 9
______________________________________________________________________________

An update that solves two vulnerabilities and has one erratum is now available.

Description:

OpenSSL was updated to fix the following security vulnerabilities:

* SSL/TLS MITM vulnerability. (CVE-2014-0224)
* ECC private key can leak on 32 bit platforms. (CVE-2011-4354)

Further information can be found at http://www.openssl.org/news/secadv_20140605.txt .
Security Issues references:

* CVE-2014-0224
* CVE-2011-4354

Package List:

- SUSE CORE 9 (i586 s390 s390x x86_64):
    openssl-0.9.7d-15.50
    openssl-devel-0.9.7d-15.50
    openssl-doc-0.9.7d-15.50
- SUSE CORE 9 (x86_64):
    openssl-32bit-9-201406041231
    openssl-devel-32bit-9-201406041231
- SUSE CORE 9 (s390x):
    openssl-32bit-9-201406060130
    openssl-devel-32bit-9-201406060130

References:

http://support.novell.com/security/cve/CVE-2011-4354.html
http://support.novell.com/security/cve/CVE-2014-0224.html
https://bugzilla.novell.com/459468
https://bugzilla.novell.com/489641
https://bugzilla.novell.com/880891
http://download.suse.com/patch/finder/?keywords=cf56900ecd68d8b418e857ef2c7b6136

From sle-security-updates at lists.suse.com Fri Jun 6 16:04:23 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 7 Jun 2014 00:04:23 +0200 (CEST)
Subject: SUSE-SU-2014:0769-1: important: Security update for MySQL
Message-ID: <20140606220423.DC2BA320F3@maintenance.suse.de>

SUSE Security Update: Security update for MySQL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0769-1
Rating:             important
References:         #858823 #861493 #873896
Cross-References:   CVE-2013-4316 CVE-2013-5860 CVE-2013-5881 CVE-2013-5882
                    CVE-2013-5891 CVE-2013-5894 CVE-2013-5908 CVE-2014-0001
                    CVE-2014-0384 CVE-2014-0386 CVE-2014-0393 CVE-2014-0401
                    CVE-2014-0402 CVE-2014-0412 CVE-2014-0420 CVE-2014-0427
                    CVE-2014-0430 CVE-2014-0431 CVE-2014-0433 CVE-2014-0437
                    CVE-2014-2419 CVE-2014-2430 CVE-2014-2431 CVE-2014-2432
                    CVE-2014-2434 CVE-2014-2435 CVE-2014-2436 CVE-2014-2438
                    CVE-2014-2440 CVE-2014-2442 CVE-2014-2444 CVE-2014-2450
                    CVE-2014-2451
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes 33 vulnerabilities is now available. It includes one version update.

Description:

MySQL was updated to version 5.5.37 to address various security issues.

More information is available at
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixMSQL and
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixMSQL .

Security Issues references:

* CVE-2014-2444
* CVE-2014-2436
* CVE-2014-2440
* CVE-2014-2434
* CVE-2014-2435
* CVE-2014-2442
* CVE-2014-2450
* CVE-2014-2419
* CVE-2014-0384
* CVE-2014-2430
* CVE-2014-2451
* CVE-2014-2438
* CVE-2014-2432
* CVE-2014-2431
* CVE-2013-4316
* CVE-2013-5860
* CVE-2013-5882
* CVE-2014-0433
* CVE-2013-5894
* CVE-2013-5881
* CVE-2014-0412
* CVE-2014-0402
* CVE-2014-0386
* CVE-2013-5891
* CVE-2014-0401
* CVE-2014-0427
* CVE-2014-0431
* CVE-2014-0437
* CVE-2014-0393
* CVE-2014-0430
* CVE-2014-0420
* CVE-2013-5908
* CVE-2014-0001

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-libmysql55client18-9303
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-libmysql55client18-9303
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-libmysql55client18-9303
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-libmysql55client18-9303

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):
    libmysql55client_r18-32bit-5.5.37-0.7.1
    libmysqlclient_r15-32bit-5.0.96-0.6.11
- SUSE Linux Enterprise Software Development Kit 11 SP3 (ia64):
    libmysql55client_r18-x86-5.5.37-0.7.1
    libmysqlclient_r15-x86-5.0.96-0.6.11
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 5.5.37]:
    libmysql55client18-5.5.37-0.7.1
    libmysql55client_r18-5.5.37-0.7.1
    libmysqlclient15-5.0.96-0.6.11
    libmysqlclient_r15-5.0.96-0.6.11
    mysql-5.5.37-0.7.1
    mysql-client-5.5.37-0.7.1
    mysql-tools-5.5.37-0.7.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 5.5.37]:
    libmysql55client18-32bit-5.5.37-0.7.1
    libmysqlclient15-32bit-5.0.96-0.6.11
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.5.37]:
    libmysql55client18-5.5.37-0.7.1
    libmysql55client_r18-5.5.37-0.7.1
    libmysqlclient15-5.0.96-0.6.11
    libmysqlclient_r15-5.0.96-0.6.11
    mysql-5.5.37-0.7.1
    mysql-client-5.5.37-0.7.1
    mysql-tools-5.5.37-0.7.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 5.5.37]:
    libmysql55client18-32bit-5.5.37-0.7.1
    libmysqlclient15-32bit-5.0.96-0.6.11
- SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 5.5.37]:
    libmysql55client18-x86-5.5.37-0.7.1
    libmysqlclient15-x86-5.0.96-0.6.11
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 5.5.37]:
    libmysql55client18-5.5.37-0.7.1
    libmysql55client_r18-5.5.37-0.7.1
    libmysqlclient15-5.0.96-0.6.11
    libmysqlclient_r15-5.0.96-0.6.11
    mysql-5.5.37-0.7.1
    mysql-client-5.5.37-0.7.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 5.5.37]:
    libmysql55client18-32bit-5.5.37-0.7.1
    libmysql55client_r18-32bit-5.5.37-0.7.1
    libmysqlclient15-32bit-5.0.96-0.6.11
    libmysqlclient_r15-32bit-5.0.96-0.6.11

References:

http://support.novell.com/security/cve/CVE-2013-4316.html
http://support.novell.com/security/cve/CVE-2013-5860.html
http://support.novell.com/security/cve/CVE-2013-5881.html
http://support.novell.com/security/cve/CVE-2013-5882.html
http://support.novell.com/security/cve/CVE-2013-5891.html
http://support.novell.com/security/cve/CVE-2013-5894.html
http://support.novell.com/security/cve/CVE-2013-5908.html
http://support.novell.com/security/cve/CVE-2014-0001.html
http://support.novell.com/security/cve/CVE-2014-0384.html
http://support.novell.com/security/cve/CVE-2014-0386.html
http://support.novell.com/security/cve/CVE-2014-0393.html
http://support.novell.com/security/cve/CVE-2014-0401.html
http://support.novell.com/security/cve/CVE-2014-0402.html
http://support.novell.com/security/cve/CVE-2014-0412.html
http://support.novell.com/security/cve/CVE-2014-0420.html
http://support.novell.com/security/cve/CVE-2014-0427.html
http://support.novell.com/security/cve/CVE-2014-0430.html
http://support.novell.com/security/cve/CVE-2014-0431.html
http://support.novell.com/security/cve/CVE-2014-0433.html
http://support.novell.com/security/cve/CVE-2014-0437.html
http://support.novell.com/security/cve/CVE-2014-2419.html
http://support.novell.com/security/cve/CVE-2014-2430.html
http://support.novell.com/security/cve/CVE-2014-2431.html
http://support.novell.com/security/cve/CVE-2014-2432.html
http://support.novell.com/security/cve/CVE-2014-2434.html
http://support.novell.com/security/cve/CVE-2014-2435.html
http://support.novell.com/security/cve/CVE-2014-2436.html
http://support.novell.com/security/cve/CVE-2014-2438.html
http://support.novell.com/security/cve/CVE-2014-2440.html
http://support.novell.com/security/cve/CVE-2014-2442.html
http://support.novell.com/security/cve/CVE-2014-2444.html
http://support.novell.com/security/cve/CVE-2014-2450.html
http://support.novell.com/security/cve/CVE-2014-2451.html
https://bugzilla.novell.com/858823
https://bugzilla.novell.com/861493
https://bugzilla.novell.com/873896
http://download.suse.com/patch/finder/?keywords=ab4ffe747d344a455ea19aa1b92c9b75

From sle-security-updates at lists.suse.com Fri Jun 6 17:04:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 7 Jun 2014 01:04:14 +0200 (CEST)
Subject: SUSE-SU-2014:0759-2: critical: Security update for OpenSSL
Message-ID: <20140606230414.B1848320F1@maintenance.suse.de>

SUSE Security Update: Security update for OpenSSL
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0759-2
Rating:             critical
References:         #880891
Cross-References:   CVE-2014-0221 CVE-2014-0224 CVE-2014-3470
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

OpenSSL was updated to fix the following security vulnerabilities:

* SSL/TLS MITM vulnerability. (CVE-2014-0224)
* DTLS recursion flaw. (CVE-2014-0221)
* Anonymous ECDH denial of service. (CVE-2014-3470)

Further information can be found at http://www.openssl.org/news/secadv_20140605.txt .
Security Issues references:

* CVE-2014-0224
* CVE-2014-0221
* CVE-2014-3470

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
    openssl-0.9.8a-18.82.4
    openssl-devel-0.9.8a-18.82.4
    openssl-doc-0.9.8a-18.82.4
- SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):
    openssl-32bit-0.9.8a-18.82.4
    openssl-devel-32bit-0.9.8a-18.82.4
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
    openssl-0.9.8a-18.45.77.1
    openssl-devel-0.9.8a-18.45.77.1
    openssl-doc-0.9.8a-18.45.77.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):
    openssl-32bit-0.9.8a-18.45.77.1
    openssl-devel-32bit-0.9.8a-18.45.77.1

References:

http://support.novell.com/security/cve/CVE-2014-0221.html
http://support.novell.com/security/cve/CVE-2014-0224.html
http://support.novell.com/security/cve/CVE-2014-3470.html
https://bugzilla.novell.com/880891
http://download.suse.com/patch/finder/?keywords=06090ed98c412d84909da7f988402089
http://download.suse.com/patch/finder/?keywords=ae77e66ba2a03bee961e56bc2d1daee6

From sle-security-updates at lists.suse.com Tue Jun 10 12:04:12 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Jun 2014 20:04:12 +0200 (CEST)
Subject: SUSE-SU-2014:0772-1: Security update for Linux Kernel
Message-ID: <20140610180412.B7FC132138@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0772-1
Rating:             low
References:         #797175 #833968 #852553 #857643 #874108 #875798
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS kernel has been updated to fix various security issues and several bugs.

The following security issues have been addressed:

* CVE-2013-6382: Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (bnc#852553)
* CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)
* CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643)
* CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643)
* CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device. (bnc#875798)
* CVE-2014-1738: The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device. (bnc#875798)

Additionally, the following non-security bugs have been fixed:

* tcp: syncookies: reduce cookie lifetime to 128 seconds (bnc#833968).
* tcp: syncookies: reduce mss table to four values (bnc#833968).
* ia64: Change default PSR.ac from '1' to '0' (Fix erratum #237) (bnc#874108).
* tty: fix up atime/mtime mess, take three (bnc#797175).

Security Issues references:

* CVE-2013-6382
* CVE-2013-7263
* CVE-2013-7264
* CVE-2013-7265
* CVE-2014-1737
* CVE-2014-1738

Indications:

Everyone using the Linux Kernel on x86 architecture should update.

Special Instructions and Notes:

Please reboot the system after installing this update.
Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586):
    kernel-bigsmp-2.6.16.60-0.107.1
    kernel-debug-2.6.16.60-0.107.1
    kernel-default-2.6.16.60-0.107.1
    kernel-kdump-2.6.16.60-0.107.1
    kernel-kdumppae-2.6.16.60-0.107.1
    kernel-smp-2.6.16.60-0.107.1
    kernel-source-2.6.16.60-0.107.1
    kernel-syms-2.6.16.60-0.107.1
    kernel-vmi-2.6.16.60-0.107.1
    kernel-vmipae-2.6.16.60-0.107.1
    kernel-xen-2.6.16.60-0.107.1
    kernel-xenpae-2.6.16.60-0.107.1

References:

https://bugzilla.novell.com/797175
https://bugzilla.novell.com/833968
https://bugzilla.novell.com/852553
https://bugzilla.novell.com/857643
https://bugzilla.novell.com/874108
https://bugzilla.novell.com/875798
http://download.suse.com/patch/finder/?keywords=00bbe32fc40478b12864bce2c72e300b

From sle-security-updates at lists.suse.com Tue Jun 10 12:05:55 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Jun 2014 20:05:55 +0200 (CEST)
Subject: SUSE-SU-2014:0773-1: Security update for Linux Kernel
Message-ID: <20140610180555.8869832138@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0773-1
Rating:             low
References:         #797175 #833968 #852553 #857643 #874108 #875798
Cross-References:   CVE-2013-6382 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265
                    CVE-2014-1737 CVE-2014-1738
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS kernel has been updated to fix various security issues and several bugs.
The following security issues have been addressed:

* CVE-2013-6382: Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (bnc#852553)
* CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)
* CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643)
* CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643)
* CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device. (bnc#875798)
* CVE-2014-1738: The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device. (bnc#875798)

Additionally, the following non-security bugs have been fixed:

* tcp: syncookies: reduce cookie lifetime to 128 seconds (bnc#833968).
* tcp: syncookies: reduce mss table to four values (bnc#833968).
* ia64: Change default PSR.ac from '1' to '0' (Fix erratum #237) (bnc#874108).
* tty: fix up atime/mtime mess, take three (bnc#797175).

Security Issues references:

* CVE-2013-6382
* CVE-2013-7263
* CVE-2013-7264
* CVE-2013-7265
* CVE-2014-1737
* CVE-2014-1738

Indications:

Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

Please reboot the system after installing this update.
Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):
    kernel-default-2.6.16.60-0.107.1
    kernel-source-2.6.16.60-0.107.1
    kernel-syms-2.6.16.60-0.107.1
- SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64):
    kernel-debug-2.6.16.60-0.107.1
    kernel-kdump-2.6.16.60-0.107.1
    kernel-smp-2.6.16.60-0.107.1
    kernel-xen-2.6.16.60-0.107.1

References:

http://support.novell.com/security/cve/CVE-2013-6382.html
http://support.novell.com/security/cve/CVE-2013-7263.html
http://support.novell.com/security/cve/CVE-2013-7264.html
http://support.novell.com/security/cve/CVE-2013-7265.html
http://support.novell.com/security/cve/CVE-2014-1737.html
http://support.novell.com/security/cve/CVE-2014-1738.html
https://bugzilla.novell.com/797175
https://bugzilla.novell.com/833968
https://bugzilla.novell.com/852553
https://bugzilla.novell.com/857643
https://bugzilla.novell.com/874108
https://bugzilla.novell.com/875798
http://download.suse.com/patch/finder/?keywords=92e5a7d9af3ca4f050703bcbf2268c9e
http://download.suse.com/patch/finder/?keywords=a9f7b560616d678d5217f211234abdba

From sle-security-updates at lists.suse.com Tue Jun 10 13:04:12 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 10 Jun 2014 21:04:12 +0200 (CEST)
Subject: SUSE-SU-2014:0774-1: moderate: Security update for xorg-x11-libs
Message-ID: <20140610190412.C811D3213E@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-libs
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0774-1
Rating:             moderate
References:         #857544
Cross-References:   CVE-2014-0209 CVE-2014-0210 CVE-2014-0211
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

xorg-x11-libs was patched to fix the following security issues:

* Integer overflow of allocations in font metadata file parsing. (CVE-2014-0209)
* libXfont did not validate length fields when parsing xfs protocol replies. (CVE-2014-0210)
* Integer overflows caused the memory needed for xfs replies to be miscalculated. (CVE-2014-0211)

Further information is available at http://lists.x.org/archives/xorg-announce/2014-May/002431.html .

Security Issues references:

* CVE-2014-0209
* CVE-2014-0210
* CVE-2014-0211

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-xorg-x11-devel-9272
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-xorg-x11-devel-9272
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-xorg-x11-devel-9272
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-xorg-x11-devel-9272

To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      xorg-x11-devel-7.4-8.26.42.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

      xorg-x11-devel-32bit-7.4-8.26.42.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      xorg-x11-libs-7.4-8.26.42.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      xorg-x11-libs-32bit-7.4-8.26.42.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      xorg-x11-libs-7.4-8.26.42.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      xorg-x11-libs-32bit-7.4-8.26.42.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      xorg-x11-libs-x86-7.4-8.26.42.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      xorg-x11-libs-7.4-8.26.42.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      xorg-x11-libs-32bit-7.4-8.26.42.1

References:

   http://support.novell.com/security/cve/CVE-2014-0209.html
   http://support.novell.com/security/cve/CVE-2014-0210.html
   http://support.novell.com/security/cve/CVE-2014-0211.html
   https://bugzilla.novell.com/857544
   http://download.suse.com/patch/finder/?keywords=92f86c8002c082cf3a82a615023c2dde

From sle-security-updates at lists.suse.com Tue Jun 10 21:04:31 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 11 Jun 2014 05:04:31 +0200 (CEST)
Subject: SUSE-SU-2014:0775-1: critical: Security update for Linux Kernel
Message-ID: <20140611030431.0B0D932126@maintenance.suse.de>

   SUSE Security Update: Security update for Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0775-1
Rating:             critical
References:         #880892
Cross-References:   CVE-2014-3153
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise High Availability Extension 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
                    SLE 11 SERVER Unsupported Extras
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix a
   critical privilege escalation security issue:

   * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be used
     to gain ring0 access via the futex syscall. This could be used for
     privilege escalation by non-root users. (bnc#880892)

   Security Issue reference:

   * CVE-2014-3153

Indications:

   Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-kernel-9328 slessp3-kernel-9329

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-kernel-9328 slessp3-kernel-9329 slessp3-kernel-9330 slessp3-kernel-9331 slessp3-kernel-9346

   - SUSE Linux Enterprise High Availability Extension 11 SP3:

      zypper in -t patch slehasp3-kernel-9328 slehasp3-kernel-9329 slehasp3-kernel-9330 slehasp3-kernel-9331 slehasp3-kernel-9346

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-kernel-9328 sledsp3-kernel-9329

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 3.0.101]:

      kernel-default-3.0.101-0.31.1
      kernel-default-base-3.0.101-0.31.1
      kernel-default-devel-3.0.101-0.31.1
      kernel-source-3.0.101-0.31.1
      kernel-syms-3.0.101-0.31.1
      kernel-trace-3.0.101-0.31.1
      kernel-trace-base-3.0.101-0.31.1
      kernel-trace-devel-3.0.101-0.31.1
      kernel-xen-devel-3.0.101-0.31.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586) [New Version: 3.0.101]:

      kernel-pae-3.0.101-0.31.1
      kernel-pae-base-3.0.101-0.31.1
      kernel-pae-devel-3.0.101-0.31.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.0.101]:

      kernel-default-3.0.101-0.31.1
      kernel-default-base-3.0.101-0.31.1
      kernel-default-devel-3.0.101-0.31.1
      kernel-source-3.0.101-0.31.1
      kernel-syms-3.0.101-0.31.1
      kernel-trace-3.0.101-0.31.1
      kernel-trace-base-3.0.101-0.31.1
      kernel-trace-devel-3.0.101-0.31.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 x86_64) [New Version: 3.0.101]:

      kernel-ec2-3.0.101-0.31.1
      kernel-ec2-base-3.0.101-0.31.1
      kernel-ec2-devel-3.0.101-0.31.1
      kernel-xen-3.0.101-0.31.1
      kernel-xen-base-3.0.101-0.31.1
      kernel-xen-devel-3.0.101-0.31.1
      xen-kmp-default-4.2.4_02_3.0.101_0.31-0.7.33

   - SUSE Linux Enterprise Server 11 SP3 (s390x) [New Version: 3.0.101]:

      kernel-default-man-3.0.101-0.31.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64) [New Version: 3.0.101]:

      kernel-ppc64-3.0.101-0.31.1
      kernel-ppc64-base-3.0.101-0.31.1
      kernel-ppc64-devel-3.0.101-0.31.1

   - SUSE Linux Enterprise Server 11 SP3 (i586) [New Version: 3.0.101]:

      kernel-pae-3.0.101-0.31.1
      kernel-pae-base-3.0.101-0.31.1
      kernel-pae-devel-3.0.101-0.31.1
      xen-kmp-pae-4.2.4_02_3.0.101_0.31-0.7.33

   - SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      cluster-network-kmp-default-1.4_3.0.101_0.31-2.27.69
      cluster-network-kmp-trace-1.4_3.0.101_0.31-2.27.69
      gfs2-kmp-default-2_3.0.101_0.31-0.16.75
      gfs2-kmp-trace-2_3.0.101_0.31-0.16.75
      ocfs2-kmp-default-1.6_3.0.101_0.31-0.20.69
      ocfs2-kmp-trace-1.6_3.0.101_0.31-0.20.69

   - SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 x86_64):

      cluster-network-kmp-xen-1.4_3.0.101_0.31-2.27.69
      gfs2-kmp-xen-2_3.0.101_0.31-0.16.75
      ocfs2-kmp-xen-1.6_3.0.101_0.31-0.20.69

   - SUSE Linux Enterprise High Availability Extension 11 SP3 (ppc64):

      cluster-network-kmp-ppc64-1.4_3.0.101_0.31-2.27.69
      gfs2-kmp-ppc64-2_3.0.101_0.31-0.16.75
      ocfs2-kmp-ppc64-1.6_3.0.101_0.31-0.20.69

   - SUSE Linux Enterprise High Availability Extension 11 SP3 (i586):

      cluster-network-kmp-pae-1.4_3.0.101_0.31-2.27.69
      gfs2-kmp-pae-2_3.0.101_0.31-0.16.75
      ocfs2-kmp-pae-1.6_3.0.101_0.31-0.20.69

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 3.0.101]:

      kernel-default-3.0.101-0.31.1
      kernel-default-base-3.0.101-0.31.1
      kernel-default-devel-3.0.101-0.31.1
      kernel-default-extra-3.0.101-0.31.1
      kernel-source-3.0.101-0.31.1
      kernel-syms-3.0.101-0.31.1
      kernel-trace-devel-3.0.101-0.31.1
      kernel-xen-3.0.101-0.31.1
      kernel-xen-base-3.0.101-0.31.1
      kernel-xen-devel-3.0.101-0.31.1
      kernel-xen-extra-3.0.101-0.31.1
      xen-kmp-default-4.2.4_02_3.0.101_0.31-0.7.33

   - SUSE Linux Enterprise Desktop 11 SP3 (i586) [New Version: 3.0.101]:

      kernel-pae-3.0.101-0.31.1
      kernel-pae-base-3.0.101-0.31.1
      kernel-pae-devel-3.0.101-0.31.1
      kernel-pae-extra-3.0.101-0.31.1
      xen-kmp-pae-4.2.4_02_3.0.101_0.31-0.7.33

   - SLE 11 SERVER Unsupported Extras (i586 ia64 ppc64 s390x x86_64):

      kernel-default-extra-3.0.101-0.31.1

   - SLE 11 SERVER Unsupported Extras (i586 x86_64):

      kernel-xen-extra-3.0.101-0.31.1

   - SLE 11 SERVER Unsupported Extras (ppc64):

      kernel-ppc64-extra-3.0.101-0.31.1

   - SLE 11 SERVER Unsupported Extras (i586):

      kernel-pae-extra-3.0.101-0.31.1

References:

   http://support.novell.com/security/cve/CVE-2014-3153.html
   https://bugzilla.novell.com/880892
   http://download.suse.com/patch/finder/?keywords=0cdcfea3b263f03fc7b11c9e27c68106
   http://download.suse.com/patch/finder/?keywords=2394b6ce8b434732566fe3cbf2a956f7
   http://download.suse.com/patch/finder/?keywords=5d5df6a9a600dbe5fe09c19d8dc24b0e
   http://download.suse.com/patch/finder/?keywords=8a869bd2122273831bd282fab2377076
   http://download.suse.com/patch/finder/?keywords=a8f8feb5552e1da3b52f48f677f467cf
   http://download.suse.com/patch/finder/?keywords=a9d9490d68822582cd43af9c0c2aa6d7
   http://download.suse.com/patch/finder/?keywords=c905f5237a7e0ae4f9fdf0c325c0dbb2
   http://download.suse.com/patch/finder/?keywords=f6e7ea94e8ad3ddbdf3d897e2a3ff6b8
   http://download.suse.com/patch/finder/?keywords=fab06fd0fffc9ae59673101aeace943a
   http://download.suse.com/patch/finder/?keywords=fd1bf222c9f9ff4cc32dae8bac451528

From sle-security-updates at lists.suse.com Thu Jun 12 11:04:12 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 12 Jun 2014 19:04:12 +0200 (CEST)
Subject: SUSE-SU-2014:0785-1: moderate: Security update for libvirt
Message-ID: <20140612170412.EAB1E32147@maintenance.suse.de>

   SUSE Security Update: Security update for libvirt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0785-1
Rating:             moderate
References:         #857490 #873705
Cross-References:   CVE-2013-6456 CVE-2014-0179
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available. It includes one
   version update.

Description:

   libvirt has been patched to fix two security issues.
   Further information is available at
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0179 and
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6456

   These security issues have been fixed:

   * Unsafe parsing of XML documents allows arbitrary file read or denial of
     service (CVE-2014-0179)
   * Ability to delete or create arbitrary host devices (CVE-2013-6456)

   Security Issue references:

   * CVE-2014-0179
   * CVE-2013-6456

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-libvirt-9203

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-libvirt-9203

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-libvirt-9203

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.0.5.9]:

      libvirt-devel-1.0.5.9-0.9.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (x86_64) [New Version: 1.0.5.9]:

      libvirt-devel-32bit-1.0.5.9-0.9.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.0.5.9]:

      libvirt-1.0.5.9-0.9.1
      libvirt-client-1.0.5.9-0.9.1
      libvirt-doc-1.0.5.9-0.9.1
      libvirt-lock-sanlock-1.0.5.9-0.9.1
      libvirt-python-1.0.5.9-0.9.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 1.0.5.9]:

      libvirt-client-32bit-1.0.5.9-0.9.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.0.5.9]:

      libvirt-1.0.5.9-0.9.1
      libvirt-client-1.0.5.9-0.9.1
      libvirt-doc-1.0.5.9-0.9.1
      libvirt-python-1.0.5.9-0.9.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 1.0.5.9]:

      libvirt-client-32bit-1.0.5.9-0.9.1

References:

   http://support.novell.com/security/cve/CVE-2013-6456.html
   http://support.novell.com/security/cve/CVE-2014-0179.html
   https://bugzilla.novell.com/857490
   https://bugzilla.novell.com/873705
   http://download.suse.com/patch/finder/?keywords=5c021d19a6da458b87a825175bf66ced

From sle-security-updates at lists.suse.com Thu Jun 12 16:04:27 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Jun 2014 00:04:27 +0200 (CEST)
Subject: SUSE-SU-2014:0788-1: important: Security update for GnuTLS
Message-ID: <20140612220427.1EEEA32147@maintenance.suse.de>

   SUSE Security Update: Security update for GnuTLS
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0788-1
Rating:             important
References:         #880730 #880910
Cross-References:   CVE-2014-3466 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   GnuTLS was patched to ensure proper parsing of session ids during the
   TLS/SSL handshake. Additionally three issues inherited from libtasn1 were
   fixed.

   * Possible memory corruption during connect. (CVE-2014-3466)
   * Multiple boundary check issues could allow DoS. (CVE-2014-3467)
   * asn1_get_bit_der() can return negative bit length. (CVE-2014-3468)
   * Possible DoS by NULL pointer dereference. (CVE-2014-3469)

   Further information is available at
   http://www.gnutls.org/security.html#GNUTLS-SA-2014-3 .

   Security Issues references:

   * CVE-2014-3466
   * CVE-2014-3467
   * CVE-2014-3468
   * CVE-2014-3469

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-gnutls-9352

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-gnutls-9353

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

      gnutls-2.4.1-24.39.53.1
      libgnutls-extra26-2.4.1-24.39.53.1
      libgnutls26-2.4.1-24.39.53.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):

      libgnutls26-32bit-2.4.1-24.39.53.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      gnutls-2.4.1-24.39.53.1
      libgnutls-extra26-2.4.1-24.39.53.1
      libgnutls26-2.4.1-24.39.53.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):

      libgnutls26-32bit-2.4.1-24.39.53.1

References:

   http://support.novell.com/security/cve/CVE-2014-3466.html
   http://support.novell.com/security/cve/CVE-2014-3467.html
   http://support.novell.com/security/cve/CVE-2014-3468.html
   http://support.novell.com/security/cve/CVE-2014-3469.html
   https://bugzilla.novell.com/880730
   https://bugzilla.novell.com/880910
   http://download.suse.com/patch/finder/?keywords=04989b49e84d0e055f6a4e5b3d429751
   http://download.suse.com/patch/finder/?keywords=3cb2688e28e1b5b12a8cc0b5b25a5cb8

From sle-security-updates at lists.suse.com Thu Jun 12 18:04:16 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Jun 2014 02:04:16 +0200 (CEST)
Subject: SUSE-SU-2014:0790-1: moderate: Security update for libgadu
Message-ID: <20140613000416.9E4143213E@maintenance.suse.de>

   SUSE Security Update: Security update for libgadu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0790-1
Rating:             moderate
References:         #878540
Cross-References:   CVE-2013-6487
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   A memory corruption vulnerability has been fixed in libgadu.
   CVE-2013-6487 has been assigned to this issue.

   Security Issue reference:

   * CVE-2013-6487

Indications:

   Everybody should update.
Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-libgadu-9277

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-libgadu-9277

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libgadu-1.8.2-1.24.1
      libgadu-devel-1.8.2-1.24.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      libgadu-1.8.2-1.24.1

References:

   http://support.novell.com/security/cve/CVE-2013-6487.html
   https://bugzilla.novell.com/878540
   http://download.suse.com/patch/finder/?keywords=4f0f26b9a73d113a8feb06d99159652d

From sle-security-updates at lists.suse.com Thu Jun 12 18:04:33 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Jun 2014 02:04:33 +0200 (CEST)
Subject: SUSE-SU-2014:0758-2: important: Security update for GnuTLS
Message-ID: <20140613000433.53FD33213E@maintenance.suse.de>

   SUSE Security Update: Security update for GnuTLS
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0758-2
Rating:             important
References:         #880730 #880910
Cross-References:   CVE-2014-3466
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now
   available.

Description:

   GnuTLS has been patched to ensure proper parsing of session ids during
   the TLS/SSL handshake. Additionally three issues inherited from libtasn1
   have been fixed.
   Further information is available at
   http://www.gnutls.org/security.html#GNUTLS-SA-2014-3

   These security issues have been fixed:

   * Possible memory corruption during connect (CVE-2014-3466)
   * Multiple boundary check issues could allow DoS (CVE-2014-3467)
   * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)
   * Possible DoS by NULL pointer dereference (CVE-2014-3469)

   Security Issue references:

   * CVE-2014-3466

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-gnutls-9319

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64):

      gnutls-2.4.1-24.39.51.1
      libgnutls-extra26-2.4.1-24.39.51.1
      libgnutls26-2.4.1-24.39.51.1
      libgnutls26-32bit-2.4.1-24.39.51.1

References:

   http://support.novell.com/security/cve/CVE-2014-3466.html
   https://bugzilla.novell.com/880730
   https://bugzilla.novell.com/880910
   http://download.suse.com/patch/finder/?keywords=5dcca3466e06512dc053e91637ad9140

From sle-security-updates at lists.suse.com Fri Jun 13 11:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Jun 2014 19:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:0793-1: moderate: Security update for strongswan
Message-ID: <20140613170413.E2C8B32148@maintenance.suse.de>

   SUSE Security Update: Security update for strongswan
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0793-1
Rating:             moderate
References:         #876449
Cross-References:   CVE-2014-2891
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.
Description:

   This update fixes a NULL ptr dereference (DoS) via ID_DER_ASN1_DN ID
   payloads.

   Security Issue reference:

   * CVE-2014-2891

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-strongswan-9251

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-strongswan-9251

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-strongswan-9251

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      strongswan-4.4.0-6.25.1
      strongswan-doc-4.4.0-6.25.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      strongswan-4.4.0-6.25.1
      strongswan-doc-4.4.0-6.25.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      strongswan-4.4.0-6.25.1
      strongswan-doc-4.4.0-6.25.1

References:

   http://support.novell.com/security/cve/CVE-2014-2891.html
   https://bugzilla.novell.com/876449
   http://download.suse.com/patch/finder/?keywords=a7ef4d27eca3df5b8df32db3b40be121

From sle-security-updates at lists.suse.com Fri Jun 13 11:04:30 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Jun 2014 19:04:30 +0200 (CEST)
Subject: SUSE-SU-2014:0794-1: moderate: Security update for apache2-mod_wsgi
Message-ID: <20140613170430.9BB5232148@maintenance.suse.de>

   SUSE Security Update: Security update for apache2-mod_wsgi
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0794-1
Rating:             moderate
References:         #878550 #878553
Cross-References:   CVE-2014-0240 CVE-2014-0242
Affected Products:
                    SUSE Cloud 3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.
Description:

   The following issues have been fixed in apache2-mod_wsgi:

   * CVE-2014-0242: Information exposure. (bnc#878553)
   * CVE-2014-0240: Local privilege escalation. (bnc#878550)

   Security Issues references:

   * CVE-2014-0240
   * CVE-2014-0242

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 3:

      zypper in -t patch sleclo30sp3-apache2-mod_wsgi-9279

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 3 (x86_64):

      apache2-mod_wsgi-3.3-5.5.1

References:

   http://support.novell.com/security/cve/CVE-2014-0240.html
   http://support.novell.com/security/cve/CVE-2014-0242.html
   https://bugzilla.novell.com/878550
   https://bugzilla.novell.com/878553
   http://download.suse.com/patch/finder/?keywords=aff827b218841663039adc7efe88f65d

From sle-security-updates at lists.suse.com Fri Jun 13 12:04:11 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 13 Jun 2014 20:04:11 +0200 (CEST)
Subject: SUSE-SU-2014:0788-2: important: Security update for GnuTLS
Message-ID: <20140613180411.28BB832148@maintenance.suse.de>

   SUSE Security Update: Security update for GnuTLS
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0788-2
Rating:             important
References:         #880730 #880910
Cross-References:   CVE-2014-3466 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   GnuTLS has been patched to ensure proper parsing of session ids during
   the TLS/SSL handshake. Additionally three issues inherited from libtasn1
   have been fixed.
   Further information is available at
   http://www.gnutls.org/security.html#GNUTLS-SA-2014-3

   These security issues have been fixed:

   * Possible memory corruption during connect (CVE-2014-3466)
   * Multiple boundary check issues could allow DoS (CVE-2014-3467)
   * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)
   * Possible DoS by NULL pointer dereference (CVE-2014-3469)

   Security Issue references:

   * CVE-2014-3466

Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

      gnutls-1.2.10-13.40.1
      gnutls-devel-1.2.10-13.40.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):

      gnutls-32bit-1.2.10-13.40.1
      gnutls-devel-32bit-1.2.10-13.40.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      gnutls-1.2.10-13.40.1
      gnutls-devel-1.2.10-13.40.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      gnutls-32bit-1.2.10-13.40.1
      gnutls-devel-32bit-1.2.10-13.40.1

References:

   http://support.novell.com/security/cve/CVE-2014-3466.html
   http://support.novell.com/security/cve/CVE-2014-3467.html
   http://support.novell.com/security/cve/CVE-2014-3468.html
   http://support.novell.com/security/cve/CVE-2014-3469.html
   https://bugzilla.novell.com/880730
   https://bugzilla.novell.com/880910
   http://download.suse.com/patch/finder/?keywords=3a664138948d527c37403de9fef272df
   http://download.suse.com/patch/finder/?keywords=ce2995d7d37c598d89a8e91d407bb481

From sle-security-updates at lists.suse.com Fri Jun 13 18:04:17 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 14 Jun 2014 02:04:17 +0200 (CEST)
Subject: SUSE-SU-2014:0796-1: important: Security update for Linux Kernel
Message-ID: <20140614000418.00F7C320F2@maintenance.suse.de>

   SUSE Security Update: Security update for Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0796-1
Rating:             important
References:         #880892
Cross-References:   CVE-2014-3153
Affected Products:
                    SUSE Linux Enterprise
                    Real Time Extension 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   The SUSE Linux Enterprise 11 Service Pack 3 RealTime Extension kernel was
   updated to fix a critical privilege escalation security issue:

   * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be used
     to gain ring0 access via the futex syscall. This could be used for
     privilege escalation by non-root users. (bnc#880892)

   Security Issue reference:

   * CVE-2014-3153

Indications:

   Everyone using the Real Time Linux Kernel on x86_64 architecture should
   update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 11 SP3:

      zypper in -t patch slertesp3-kernel-9337

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Real Time Extension 11 SP3 (x86_64) [New Version: 3.0.101.rt130]:

      cluster-network-kmp-rt-1.4_3.0.101_rt130_0.18-2.27.69
      cluster-network-kmp-rt_trace-1.4_3.0.101_rt130_0.18-2.27.69
      drbd-kmp-rt-8.4.4_3.0.101_rt130_0.18-0.22.35
      drbd-kmp-rt_trace-8.4.4_3.0.101_rt130_0.18-0.22.35
      iscsitarget-kmp-rt-1.4.20_3.0.101_rt130_0.18-0.38.54
      iscsitarget-kmp-rt_trace-1.4.20_3.0.101_rt130_0.18-0.38.54
      kernel-rt-3.0.101.rt130-0.18.1
      kernel-rt-base-3.0.101.rt130-0.18.1
      kernel-rt-devel-3.0.101.rt130-0.18.1
      kernel-rt_trace-3.0.101.rt130-0.18.1
      kernel-rt_trace-base-3.0.101.rt130-0.18.1
      kernel-rt_trace-devel-3.0.101.rt130-0.18.1
      kernel-source-rt-3.0.101.rt130-0.18.1
      kernel-syms-rt-3.0.101.rt130-0.18.1
      lttng-modules-kmp-rt-2.1.1_3.0.101_rt130_0.18-0.11.47
      lttng-modules-kmp-rt_trace-2.1.1_3.0.101_rt130_0.18-0.11.47
      ocfs2-kmp-rt-1.6_3.0.101_rt130_0.18-0.20.69
      ocfs2-kmp-rt_trace-1.6_3.0.101_rt130_0.18-0.20.69
      ofed-kmp-rt-1.5.4.1_3.0.101_rt130_0.18-0.13.60
      ofed-kmp-rt_trace-1.5.4.1_3.0.101_rt130_0.18-0.13.60

References:

   http://support.novell.com/security/cve/CVE-2014-3153.html
   https://bugzilla.novell.com/880892
   http://download.suse.com/patch/finder/?keywords=b12b838c3802187f1ccd4d35cb77cddd

From sle-security-updates at lists.suse.com Mon Jun 16 10:04:10 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 16 Jun 2014 18:04:10 +0200 (CEST)
Subject: SUSE-SU-2014:0800-1: important: Security update for GnuTLS
Message-ID: <20140616160410.E5F7B32147@maintenance.suse.de>

   SUSE Security Update: Security update for GnuTLS
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0800-1
Rating:             important
References:         #554084 #670152 #802651 #880730 #880910
Cross-References:   CVE-2013-1619 CVE-2014-3466 CVE-2014-3467 CVE-2014-3468
                    CVE-2014-3469
Affected Products:
                    SUSE CORE 9
______________________________________________________________________________

   An update that
   fixes 5 vulnerabilities is now available.

Description:

   GnuTLS has been patched to ensure proper parsing of session ids during
   the TLS/SSL handshake. Additionally three issues inherited from libtasn1
   have been fixed.

   Further information is available at
   http://www.gnutls.org/security.html#GNUTLS-SA-2014-3

   These security issues have been fixed:

   * Possible memory corruption during connect (CVE-2014-3466)
   * Multiple boundary check issues could allow DoS (CVE-2014-3467)
   * asn1_get_bit_der() can return negative bit length (CVE-2014-3468)
   * Possible DoS by NULL pointer dereference (CVE-2014-3469)
   * Possible timing side-channel attack (Lucky 13) (CVE-2013-1619)

   One additional bug has been fixed:

   * Allow unsafe renegotiation (bnc#554084)

   Security Issue references:

   * CVE-2014-3466
   * CVE-2014-3467
   * CVE-2014-3468
   * CVE-2014-3469
   * CVE-2013-1619

Package List:

   - SUSE CORE 9 (i586 s390 s390x x86_64):

      gnutls-1.0.8-26.32
      gnutls-devel-1.0.8-26.32

References:

   http://support.novell.com/security/cve/CVE-2013-1619.html
   http://support.novell.com/security/cve/CVE-2014-3466.html
   http://support.novell.com/security/cve/CVE-2014-3467.html
   http://support.novell.com/security/cve/CVE-2014-3468.html
   http://support.novell.com/security/cve/CVE-2014-3469.html
   https://bugzilla.novell.com/554084
   https://bugzilla.novell.com/670152
   https://bugzilla.novell.com/802651
   https://bugzilla.novell.com/880730
   https://bugzilla.novell.com/880910
   http://download.suse.com/patch/finder/?keywords=144b31fbd95bc788b66959b55efa4c4d

From sle-security-updates at lists.suse.com Mon Jun 16 17:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 17 Jun 2014 01:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:0801-1: moderate: Security update for rubygem-actionpack-2_3
Message-ID: <20140616230413.C33B03213F@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-actionpack-2_3
______________________________________________________________________________
Announcement ID:    SUSE-SU-2014:0801-1
Rating:             moderate
References:         #876714
Cross-References:   CVE-2014-0130
Affected Products:
                    SUSE Cloud 3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   Rubygem Actionpack 2.3 has been updated to fix several security
   vulnerabilities:

   * Directory traversal issue (CVE-2014-0130).

   Security Issue reference:

   * CVE-2014-0130

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 3:

      zypper in -t patch sleclo30sp3-rubygem-actionpack-2_3-9291

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 3 (x86_64):

      rubygem-actionpack-2_3-2.3.17-0.17.1

References:

   http://support.novell.com/security/cve/CVE-2014-0130.html
   https://bugzilla.novell.com/876714
   http://download.suse.com/patch/finder/?keywords=b4f5785a62f09cf98e9de03e30e2de89

From sle-security-updates at lists.suse.com Tue Jun 17 17:04:18 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Jun 2014 01:04:18 +0200 (CEST)
Subject: SUSE-SU-2014:0806-1: important: Security update for flash-player
Message-ID: <20140617230418.790F23214F@maintenance.suse.de>

   SUSE Security Update: Security update for flash-player
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0806-1
Rating:             important
References:         #882187
Cross-References:   CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 CVE-2014-0534
                    CVE-2014-0535 CVE-2014-0536
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available. It includes one
   version update.

Description:

   flash-player was updated to version 11.2.202.378 to fix the following
   security issues:

   * Cross-site-scripting vulnerabilities.
     (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533)
   * Security bypass vulnerabilities. (CVE-2014-0534, CVE-2014-0535)
   * Memory corruption vulnerability that could result in arbitrary code
     execution. (CVE-2014-0536)

   More information can be found at
   http://helpx.adobe.com/security/products/flash-player/apsb14-16.html .

   Security Issues references:

   * CVE-2014-0531
   * CVE-2014-0532
   * CVE-2014-0533
   * CVE-2014-0534
   * CVE-2014-0535
   * CVE-2014-0536

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-flash-player-9373

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 11.2.202.378]:

      flash-player-11.2.202.378-0.3.1
      flash-player-gnome-11.2.202.378-0.3.1
      flash-player-kde4-11.2.202.378-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2014-0531.html
   http://support.novell.com/security/cve/CVE-2014-0532.html
   http://support.novell.com/security/cve/CVE-2014-0533.html
   http://support.novell.com/security/cve/CVE-2014-0534.html
   http://support.novell.com/security/cve/CVE-2014-0535.html
   http://support.novell.com/security/cve/CVE-2014-0536.html
   https://bugzilla.novell.com/882187
   http://download.suse.com/patch/finder/?keywords=3f55be6c119b579f05c8516f6f0484dc

From sle-security-updates at lists.suse.com Tue Jun 17 17:04:35 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Jun 2014 01:04:35 +0200 (CEST)
Subject: SUSE-SU-2014:0807-1: important: Security update for Linux Kernel
Message-ID: <20140617230435.9D8EB3214F@maintenance.suse.de>

   SUSE Security Update: Security update for Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0807-1
Rating:             important
References:         #630970 #661605 #663516 #761774 #792407 #852553 #852967
                    #854634
    #854743 #856756 #857643 #863335 #865310 #866102 #868049 #868488 #868653
    #869563 #871561 #873070 #874108 #875690 #875798 #876102 #878289 #880892
Cross-References: CVE-2012-6647 CVE-2013-6382 CVE-2013-6885 CVE-2013-7027 CVE-2013-7263
    CVE-2013-7264 CVE-2013-7265 CVE-2013-7339 CVE-2014-0101 CVE-2014-0196 CVE-2014-1737
    CVE-2014-1738 CVE-2014-1874 CVE-2014-2523 CVE-2014-2678 CVE-2014-3122 CVE-2014-3153
Affected Products:
    SUSE Linux Enterprise Server 11 SP1 LTSS
    SLE 11 SERVER Unsupported Extras
______________________________________________________________________________

An update that solves 17 vulnerabilities and has 9 fixes is now available. It includes one version update.

Description:

The SUSE Linux Enterprise Server 11 SP1 LTSS kernel received a roll-up update to fix security and non-security issues.

The following security issues have been fixed:

* CVE-2014-3153: The futex acquisition code in kernel/futex.c can be used to gain ring0 access via the futex syscall. This could be used for privilege escalation by non-root users. (bnc#880892)
* CVE-2012-6647: The futex_wait_requeue_pi function in kernel/futex.c in the Linux kernel before 3.5.1 does not ensure that calls have two different futex addresses, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted FUTEX_WAIT_REQUEUE_PI command. (bnc#878289)
* CVE-2013-6382: Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (bnc#852553)
* CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#852967)
* CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)
* CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643)
* CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643)
* CVE-2013-7339: The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. (bnc#869563)
* CVE-2014-0101: The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk. (bnc#866102)
* CVE-2014-0196: The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. (bnc#875690)
* CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device. (bnc#875798)
* CVE-2014-1738: The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device. (bnc#875798)
* CVE-2014-1874: The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context. (bnc#863335)
* CVE-2014-2523: net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function. (bnc#868653)
* CVE-2014-2678: The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. (bnc#871561)
* CVE-2014-3122: The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings. (bnc#876102)
* CVE-2013-7027: The ieee80211_radiotap_iterator_init function in net/wireless/radiotap.c in the Linux kernel before 3.11.7 does not check whether a frame contains any data outside of the header, which might allow attackers to cause a denial of service (buffer over-read) via a crafted header. (bnc#854634)

The following non-security issues have been fixed:

* sched: protect scale_rt_power() from clock aberrations (bnc#630970, bnc#661605, bnc#865310).
* sched: fix divide by zero at {thread_group,task}_times (bnc#761774, bnc#873070).
* clocksource: avoid unnecessary overflow in cyclecounter_cyc2ns() (bnc#865310).
* ia64: Change default PSR.ac from "1" to "0" (Fix erratum #237) (bnc#874108).
* block: Wait for queue cleanup until the queue is empty before queue cleanup (bnc#792407).
* fs: do_add_mount()/umount -l races (bnc#663516).
* vfs,proc: guarantee unique inodes in /proc (bnc#868049).
* nfs: Allow nfsdv4 to work when fips=1 (bnc#868488).
* inet_diag: fix oops for IPv4 AF_INET6 TCP SYN-RECV state (bnc#854743).
* bonding: send unsolicited NA for all addresses (bnc#856756).
* bonding: send unsolicited neighbour advertisements to all-nodes (bnc#856756).

Security Issues references:

* CVE-2012-6647
* CVE-2013-6382
* CVE-2013-6885
* CVE-2013-7027
* CVE-2013-7263
* CVE-2013-7264
* CVE-2013-7265
* CVE-2013-7339
* CVE-2014-0101
* CVE-2014-0196
* CVE-2014-1737
* CVE-2014-1738
* CVE-2014-1874
* CVE-2014-2523
* CVE-2014-2678
* CVE-2014-3122
* CVE-2014-3153

Indications:

Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP1 LTSS:
    zypper in -t patch slessp1-kernel-9359 slessp1-kernel-9360 slessp1-kernel-9361

To bring your system up-to-date, use "zypper patch".
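The kernel advisory above asks for a reboot after installation, and a host is only protected once the packages are at the fixed version and the fixed kernel is the one actually running. The following script is an added example for verifying both conditions from a host inventory; it is not SUSE tooling. It parses the "Package List" section in the layout these announcements use, compares the installed versions (an `rpm -qa`-style list, constructed here for a hypothetical x86_64 host) against the fixed versions, and reports whether the running kernel (a constructed `uname -r` string) lags behind the installed kernel package. The package names and versions in the embedded excerpt are the advisory's own; the version comparison is a simplified rpmvercmp without tilde/caret handling, and the assumption that SLE `uname -r` strings carry the release without its last build counter is labelled in the code.

```python
"""Added example (not SUSE tooling): check a host against a SUSE advisory."""
import re
from typing import Dict, List, Tuple

# Excerpt of SUSE-SU-2014:0807-1 in the advisory's own layout, constructed
# from the announcement; package names and versions are the advisory's.
ADVISORY = """\
Announcement ID: SUSE-SU-2014:0807-1
Cross-References: CVE-2014-0196 CVE-2014-3153
Package List:
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 2.6.32.59]:
    kernel-default-2.6.32.59-0.13.1
    kernel-default-base-2.6.32.59-0.13.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x) [New Version: 2.6.32.59]:
    kernel-default-man-2.6.32.59-0.13.1
References:
    http://support.novell.com/security/cve/CVE-2014-3153.html
"""

# Constructed `rpm -qa` output for a hypothetical x86_64 host before the update.
INSTALLED_BEFORE = [
    "kernel-default-2.6.32.59-0.7.1.x86_64",        # older than the fixed 0.13.1
    "kernel-default-base-2.6.32.59-0.13.1.x86_64",  # already at the fixed level
    "bash-3.2-147.14.22.x86_64",                    # unrelated package
]
# Same host after `zypper patch` (constructed), before and after the reboot.
INSTALLED_AFTER = [
    "kernel-default-2.6.32.59-0.13.1.x86_64",
    "kernel-default-base-2.6.32.59-0.13.1.x86_64",
    "bash-3.2-147.14.22.x86_64",
]

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")
_GROUP = re.compile(r"^- (?P<product>.+?) \((?P<arches>[^)]+)\)(?: \[New Version: [^\]]+\])?:$")


def split_nevr(nevr: str) -> Tuple[str, str, str]:
    """'kernel-default-2.6.32.59-0.13.1' -> ('kernel-default', '2.6.32.59', '0.13.1')."""
    name, version, release = nevr.rsplit("-", 2)
    return name, version, release


def vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alphanumeric segments left to right; numeric
    segments compare as integers and rank above alphabetic ones (no tilde/caret)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_advisory(text: str) -> Dict:
    """Extract CVE ids and the per-product package groups from an advisory."""
    cves = sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", text)))
    groups, current, in_list = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Package List:"):
            in_list = True
            continue
        if not in_list:
            continue
        if line.endswith(":") and not line.startswith("- "):
            break  # next section ("References:") ends the package list
        m = _GROUP.match(line)
        if m:
            current = {"product": m["product"], "arches": set(m["arches"].split()), "packages": []}
            groups.append(current)
        elif line and current is not None:
            current["packages"].append(line)
    return {"cves": cves, "groups": groups}


def check_host(advisory_text: str, installed: List[str], arch: str, running_kernel: str) -> Dict:
    """Report installed packages still below the fixed version and whether the
    running kernel is older than the installed kernel package (reboot pending).
    Assumption: SLE `uname -r` looks like '2.6.32.59-0.7-default', i.e. version,
    release without its last build counter, and flavour."""
    adv = parse_advisory(advisory_text)
    have: Dict[str, Tuple[str, str]] = {}
    for nevra in installed:
        name, ver, rel = split_nevr(nevra.rpartition(".")[0])  # drop the .arch suffix
        have[name] = (ver, rel)
    outdated = {}
    for group in adv["groups"]:
        if arch not in group["arches"]:
            continue  # that product/arch line does not apply to this host
        for nevr in group["packages"]:
            name, ver, rel = split_nevr(nevr)
            # Only packages actually installed matter; an absent flavour is not a gap.
            if name in have and (vercmp(have[name][0], ver) or vercmp(have[name][1], rel)) < 0:
                outdated[name] = {"installed": have[name], "fixed": (ver, rel)}
    core, _, flavour = running_kernel.rpartition("-")
    reboot = False
    if "kernel-" + flavour in have:
        ver, rel = have["kernel-" + flavour]
        reboot = core != ver + "-" + rel.rsplit(".", 1)[0]
    return {"cves": adv["cves"], "outdated": outdated, "reboot_required": reboot,
            "patched": not outdated and not reboot}


if __name__ == "__main__":
    for label, pkgs in (("before", INSTALLED_BEFORE), ("after", INSTALLED_AFTER)):
        print(label, check_host(ADVISORY, pkgs, "x86_64", "2.6.32.59-0.7-default"))
```

Run against a real host, replace the constructed lists with `rpm -qa` output and the `uname -r` string; the "patched" flag only turns true once no applicable package is below the advisory's version and the running kernel matches the installed one.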
Package List:

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 2.6.32.59]:
    btrfs-kmp-default-0_2.6.32.59_0.13-0.3.163
    ext4dev-kmp-default-0_2.6.32.59_0.13-7.9.130
    ext4dev-kmp-trace-0_2.6.32.59_0.13-7.9.130
    kernel-default-2.6.32.59-0.13.1
    kernel-default-base-2.6.32.59-0.13.1
    kernel-default-devel-2.6.32.59-0.13.1
    kernel-source-2.6.32.59-0.13.1
    kernel-syms-2.6.32.59-0.13.1
    kernel-trace-2.6.32.59-0.13.1
    kernel-trace-base-2.6.32.59-0.13.1
    kernel-trace-devel-2.6.32.59-0.13.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64) [New Version: 2.6.32.59]:
    btrfs-kmp-xen-0_2.6.32.59_0.13-0.3.163
    ext4dev-kmp-xen-0_2.6.32.59_0.13-7.9.130
    hyper-v-kmp-default-0_2.6.32.59_0.13-0.18.39
    hyper-v-kmp-trace-0_2.6.32.59_0.13-0.18.39
    kernel-ec2-2.6.32.59-0.13.1
    kernel-ec2-base-2.6.32.59-0.13.1
    kernel-ec2-devel-2.6.32.59-0.13.1
    kernel-xen-2.6.32.59-0.13.1
    kernel-xen-base-2.6.32.59-0.13.1
    kernel-xen-devel-2.6.32.59-0.13.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x) [New Version: 2.6.32.59]:
    kernel-default-man-2.6.32.59-0.13.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586) [New Version: 2.6.32.59]:
    btrfs-kmp-pae-0_2.6.32.59_0.13-0.3.163
    ext4dev-kmp-pae-0_2.6.32.59_0.13-7.9.130
    hyper-v-kmp-pae-0_2.6.32.59_0.13-0.18.39
    kernel-pae-2.6.32.59-0.13.1
    kernel-pae-base-2.6.32.59-0.13.1
    kernel-pae-devel-2.6.32.59-0.13.1
- SLE 11 SERVER Unsupported Extras (i586 s390x x86_64):
    kernel-default-extra-2.6.32.59-0.13.1
- SLE 11 SERVER Unsupported Extras (i586 x86_64):
    kernel-xen-extra-2.6.32.59-0.13.1
- SLE 11 SERVER Unsupported Extras (i586):
    kernel-pae-extra-2.6.32.59-0.13.1

References:

    http://support.novell.com/security/cve/CVE-2012-6647.html
    http://support.novell.com/security/cve/CVE-2013-6382.html
    http://support.novell.com/security/cve/CVE-2013-6885.html
    http://support.novell.com/security/cve/CVE-2013-7027.html
    http://support.novell.com/security/cve/CVE-2013-7263.html
    http://support.novell.com/security/cve/CVE-2013-7264.html
    http://support.novell.com/security/cve/CVE-2013-7265.html
    http://support.novell.com/security/cve/CVE-2013-7339.html
    http://support.novell.com/security/cve/CVE-2014-0101.html
    http://support.novell.com/security/cve/CVE-2014-0196.html
    http://support.novell.com/security/cve/CVE-2014-1737.html
    http://support.novell.com/security/cve/CVE-2014-1738.html
    http://support.novell.com/security/cve/CVE-2014-1874.html
    http://support.novell.com/security/cve/CVE-2014-2523.html
    http://support.novell.com/security/cve/CVE-2014-2678.html
    http://support.novell.com/security/cve/CVE-2014-3122.html
    http://support.novell.com/security/cve/CVE-2014-3153.html
    https://bugzilla.novell.com/630970
    https://bugzilla.novell.com/661605
    https://bugzilla.novell.com/663516
    https://bugzilla.novell.com/761774
    https://bugzilla.novell.com/792407
    https://bugzilla.novell.com/852553
    https://bugzilla.novell.com/852967
    https://bugzilla.novell.com/854634
    https://bugzilla.novell.com/854743
    https://bugzilla.novell.com/856756
    https://bugzilla.novell.com/857643
    https://bugzilla.novell.com/863335
    https://bugzilla.novell.com/865310
    https://bugzilla.novell.com/866102
    https://bugzilla.novell.com/868049
    https://bugzilla.novell.com/868488
    https://bugzilla.novell.com/868653
    https://bugzilla.novell.com/869563
    https://bugzilla.novell.com/871561
    https://bugzilla.novell.com/873070
    https://bugzilla.novell.com/874108
    https://bugzilla.novell.com/875690
    https://bugzilla.novell.com/875798
    https://bugzilla.novell.com/876102
    https://bugzilla.novell.com/878289
    https://bugzilla.novell.com/880892
    http://download.suse.com/patch/finder/?keywords=1f7d34dea2e5092125c31d9d0a405f5a
    http://download.suse.com/patch/finder/?keywords=518a51bcce5e0cc4e53c7e7bccd832c3
    http://download.suse.com/patch/finder/?keywords=9ef95d829298aaa37050f0a54e442fe4
    http://download.suse.com/patch/finder/?keywords=c146be129d24b739d74708b50d2cc532
    http://download.suse.com/patch/finder/?keywords=d036686eebebfe198fe470f1df9f08cb
    http://download.suse.com/patch/finder/?keywords=fdf0b5f57e08d67cb242abf486c62992

From sle-security-updates at lists.suse.com Tue Jun 17 21:04:50 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Jun 2014 05:04:50 +0200 (CEST)
Subject: SUSE-SU-2014:0808-1: moderate: Security update for openssl-certs
Message-ID: <20140618030450.9035632154@maintenance.suse.de>

SUSE Security Update: Security update for openssl-certs
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0808-1
Rating: moderate
References: #875647 #881241
Affected Products:
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that contains security fixes can now be installed. It includes one version update.

Description:

openssl-certs has been updated to include four new and remove two certificates:

* new: Atos_TrustedRoot_2011:2.8.92.51.203.98.44.95.179.50.crt
* new: E-Tugra_Certification_Authority:2.8.106.104.62.156.81.155.203.83.crt
* new: TeliaSonera_Root_CA_v1:2.17.0.149.190.22.160.247.46.70.241.123.57.130.114.250.139.205.150.crt
* new: T-TeleSec_GlobalRoot_Class_2:2.1.1.crt
* removed: Firmaprofesional_Root_CA:2.1.1.crt
* removed: TDC_OCES_Root_CA:2.4.62.72.189.196.crt

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-openssl-certs-9341
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-openssl-certs-9341
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-openssl-certs-9341

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (noarch) [New Version: 1.97]:
    openssl-certs-1.97-0.3.1
- SUSE Linux Enterprise Server 11 SP3 (noarch) [New Version: 1.97]:
    openssl-certs-1.97-0.3.1
- SUSE Linux Enterprise Desktop 11 SP3 (noarch) [New Version: 1.97]:
    openssl-certs-1.97-0.3.1

References:

    https://bugzilla.novell.com/875647
    https://bugzilla.novell.com/881241
    http://download.suse.com/patch/finder/?keywords=7d9f54e4fe192f93e3c7e334703d121c

From sle-security-updates at lists.suse.com Wed Jun 18 11:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Jun 2014 19:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:0816-1: moderate: Security update for KVM
Message-ID: <20140618170413.251AD32085@maintenance.suse.de>

SUSE Security Update: Security update for KVM
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0816-1
Rating: moderate
References: #864391 #864649 #864650 #864653 #864655 #864665 #864671 #864673 #864678 #864682
    #864769 #864796 #864801 #864802 #864804 #864805 #864811 #864812 #864814 #873235
    #874749 #874788
Cross-References: CVE-2014-0150 CVE-2014-2894
Affected Products:
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves two vulnerabilities and has 20 fixes is now available. It includes one version update.

Description:

Several security issues in KVM have been fixed. Some issues could have resulted in arbitrary code execution or a crash of the KVM host.

* virtio-net: buffer overflow in virtio_net_handle_mac() function (CVE-2014-0150)
* Fixed out of bounds buffer accesses, guest triggerable via IDE SMART (CVE-2014-2894)
* Fixed various virtio-net buffer overflows (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151)
* Fixed ahci buffer overrun (CVE-2013-4526)
* Fixed hpet buffer overrun (CVE-2013-4527)
* Fixed a PCIE-AER buffer overrun (CVE-2013-4529)
* Fixed a buffer overrun in pl022 (CVE-2013-4530)
* Fixed a vmstate buffer overflow (CVE-2013-4531)
* Fixed a pxa2xx buffer overrun (CVE-2013-4533)
* Fixed an openpic buffer overrun (CVE-2013-4534)
* Validate virtio num_sg mapping (CVE-2013-4535 / CVE-2013-4536)
* Fixed ssi-sd buffer overrun (CVE-2013-4537)
* Fixed ssd0323 buffer overrun (CVE-2013-4538)
* Fixed tsc210x buffer overrun (CVE-2013-4539)
* Fixed Zaurus buffer overrun (CVE-2013-4540)
* Some USB sanity checking added (CVE-2013-4541)
* Fixed virtio scsi buffer overrun (CVE-2013-4542)
* Fixed another virtio buffer overrun (CVE-2013-6399)
* Validate config_len on load in virtio (CVE-2014-0182)

Security Issue references:

* CVE-2014-0150
* CVE-2014-2894

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-kvm-9302
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-kvm-9302

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP3 (i586 s390x x86_64) [New Version: 1.4.2]:
    kvm-1.4.2-0.15.2
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.4.2]:
    kvm-1.4.2-0.15.2

References:

    http://support.novell.com/security/cve/CVE-2014-0150.html
    http://support.novell.com/security/cve/CVE-2014-2894.html
    https://bugzilla.novell.com/864391
    https://bugzilla.novell.com/864649
    https://bugzilla.novell.com/864650
    https://bugzilla.novell.com/864653
    https://bugzilla.novell.com/864655
    https://bugzilla.novell.com/864665
    https://bugzilla.novell.com/864671
    https://bugzilla.novell.com/864673
    https://bugzilla.novell.com/864678
    https://bugzilla.novell.com/864682
    https://bugzilla.novell.com/864769
    https://bugzilla.novell.com/864796
    https://bugzilla.novell.com/864801
    https://bugzilla.novell.com/864802
    https://bugzilla.novell.com/864804
    https://bugzilla.novell.com/864805
    https://bugzilla.novell.com/864811
    https://bugzilla.novell.com/864812
    https://bugzilla.novell.com/864814
    https://bugzilla.novell.com/873235
    https://bugzilla.novell.com/874749
    https://bugzilla.novell.com/874788
    http://download.suse.com/patch/finder/?keywords=2ef41e47e4c1105aba4dcd76e8c0e05e

From sle-security-updates at lists.suse.com Wed Jun 18 13:04:12 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 18 Jun 2014 21:04:12 +0200 (CEST)
Subject: SUSE-SU-2014:0817-1: moderate: Security update for poppler
Message-ID: <20140618190412.9E4B032089@maintenance.suse.de>

SUSE Security Update: Security update for poppler
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0817-1
Rating: moderate
References: #845765
Cross-References: CVE-2010-5110
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update fixes problems in DCTStream error handling in poppler.

Security Issue reference:

* CVE-2010-5110

Indications:

Everybody should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-libpoppler-devel-9284
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-libpoppler-devel-9284
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-libpoppler-devel-9284
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-libpoppler-devel-9284

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    libpoppler-devel-0.12.3-1.10.1
    libpoppler-glib-devel-0.12.3-1.10.1
    libpoppler-qt2-0.12.3-1.10.1
    libpoppler-qt3-devel-0.12.3-1.10.1
    libpoppler-qt4-devel-0.12.3-1.10.1
- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):
    poppler-tools-0.12.3-1.10.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    libpoppler-glib4-0.12.3-1.10.1
    libpoppler-qt4-3-0.12.3-1.10.1
    libpoppler5-0.12.3-1.10.1
    poppler-tools-0.12.3-1.10.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    libpoppler-glib4-0.12.3-1.10.1
    libpoppler-qt4-3-0.12.3-1.10.1
    libpoppler5-0.12.3-1.10.1
    poppler-tools-0.12.3-1.10.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
    libpoppler-glib4-0.12.3-1.10.1
    libpoppler-qt4-3-0.12.3-1.10.1
    libpoppler5-0.12.3-1.10.1
    poppler-tools-0.12.3-1.10.1

References:

    http://support.novell.com/security/cve/CVE-2010-5110.html
    https://bugzilla.novell.com/845765
    http://download.suse.com/patch/finder/?keywords=54bc15d680a41b32fd48d8042a9b3d72

From sle-security-updates at lists.suse.com Wed Jun 18 19:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 19 Jun 2014 03:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:0818-1: Security update for openssh
Message-ID: <20140619010413.5C47B3209B@maintenance.suse.de>

SUSE Security Update: Security update for openssh
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0818-1
Rating: low
References: #826427 #833605 #847710 #869101 #870532
Cross-References: CVE-2014-2532
Affected Products:
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that solves one vulnerability and has four fixes is now available.

Description:

This update for OpenSSH fixes the following issues:

* Exit sshd normally when port is already in use. (bnc#832628)
* Use hardware crypto engines where available. (bnc#826427)
* Use correct options for login when it is used. (bnc#833605)
* Move FIPS messages to higher debug level. (bnc#862875)
* Fix forwarding with IPv6 addresses in DISPLAY. (bnc#847710)
* Do not link OpenSSH binaries with LDAP libraries. (bnc#826906)
* Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532)
* Check SSHFP DNS records even for server certificates. (bnc#870532, CVE-2014-2653)

Security Issues references:

* CVE-2014-2532
* CVE-2014-2653

Indications:

Everybody should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-openssh-9357
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-openssh-9357
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-openssh-9357

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
    openssh-6.2p2-0.13.1
    openssh-askpass-6.2p2-0.13.1
    openssh-askpass-gnome-6.2p2-0.13.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    openssh-6.2p2-0.13.1
    openssh-askpass-6.2p2-0.13.1
    openssh-askpass-gnome-6.2p2-0.13.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
    openssh-6.2p2-0.13.1
    openssh-askpass-6.2p2-0.13.1
    openssh-askpass-gnome-6.2p2-0.13.1

References:

    http://support.novell.com/security/cve/CVE-2014-2532.html
    https://bugzilla.novell.com/826427
    https://bugzilla.novell.com/833605
    https://bugzilla.novell.com/847710
    https://bugzilla.novell.com/869101
    https://bugzilla.novell.com/870532
    http://download.suse.com/patch/finder/?keywords=662d3f9c264970d2784671e4c1366f91

From sle-security-updates at lists.suse.com Fri Jun 20 17:04:44 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 21 Jun 2014 01:04:44 +0200 (CEST)
Subject: SUSE-SU-2014:0824-1: important: Security update for MozillaFirefox
Message-ID: <20140620230444.4DE4B320A4@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0824-1
Rating: important
References: #881874
Cross-References: CVE-2014-1533 CVE-2014-1534 CVE-2014-1536 CVE-2014-1537 CVE-2014-1538 CVE-2014-1541 CVE-2014-1545
Affected Products:
    SUSE Linux Enterprise Software Development Kit 11 SP3
    SUSE Linux Enterprise Server 11 SP3 for VMware
    SUSE Linux Enterprise Server 11 SP3
    SUSE Linux Enterprise Server 10 SP3 LTSS
    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available. It includes four new package versions.

Description:

MozillaFirefox was updated to version 24.6.0 to fix six security issues:

* Miscellaneous memory safety hazards. (CVE-2014-1533, CVE-2014-1534)
* Use-after-free and out of bounds issues found using Address Sanitizer. (CVE-2014-1536, CVE-2014-1537, CVE-2014-1538)
* Use-after-free with SMIL Animation Controller. (CVE-2014-1541)

mozilla-nspr was updated to version 4.10.6 to fix one security issue:

* Out of bounds write in NSPR. (CVE-2014-1545)

Further information can be found at https://www.mozilla.org/security/announce/ .

Security Issues references:

* CVE-2014-1533
* CVE-2014-1534
* CVE-2014-1536
* CVE-2014-1537
* CVE-2014-1538
* CVE-2014-1541
* CVE-2014-1545

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
    zypper in -t patch sdksp3-Firefox-2014-06-9370
- SUSE Linux Enterprise Server 11 SP3 for VMware:
    zypper in -t patch slessp3-Firefox-2014-06-9370
- SUSE Linux Enterprise Server 11 SP3:
    zypper in -t patch slessp3-Firefox-2014-06-9370
- SUSE Linux Enterprise Desktop 11 SP3:
    zypper in -t patch sledsp3-Firefox-2014-06-9370

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.16.1 and 4.10.6]:
    MozillaFirefox-devel-24.6.0esr-0.8.1
    mozilla-nspr-devel-4.10.6-0.3.1
    mozilla-nss-devel-3.16.1-0.8.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 24.6.0esr, 3.16.1 and 4.10.6]:
    MozillaFirefox-24.6.0esr-0.8.1
    MozillaFirefox-translations-24.6.0esr-0.8.1
    libfreebl3-3.16.1-0.8.1
    libsoftokn3-3.16.1-0.8.1
    mozilla-nspr-4.10.6-0.3.1
    mozilla-nss-3.16.1-0.8.1
    mozilla-nss-tools-3.16.1-0.8.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 3.16.1 and 4.10.6]:
    libfreebl3-32bit-3.16.1-0.8.1
    libsoftokn3-32bit-3.16.1-0.8.1
    mozilla-nspr-32bit-4.10.6-0.3.1
    mozilla-nss-32bit-3.16.1-0.8.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 24.6.0esr, 3.16.1 and 4.10.6]:
    MozillaFirefox-24.6.0esr-0.8.1
    MozillaFirefox-branding-SLED-24-0.7.48
    MozillaFirefox-translations-24.6.0esr-0.8.1
    libfreebl3-3.16.1-0.8.1
    libsoftokn3-3.16.1-0.8.1
    mozilla-nspr-4.10.6-0.3.1
    mozilla-nss-3.16.1-0.8.1
    mozilla-nss-tools-3.16.1-0.8.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 3.16.1 and 4.10.6]:
    libfreebl3-32bit-3.16.1-0.8.1
    libsoftokn3-32bit-3.16.1-0.8.1
    mozilla-nspr-32bit-4.10.6-0.3.1
    mozilla-nss-32bit-3.16.1-0.8.1
- SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 3.16.1 and 4.10.6]:
    libfreebl3-x86-3.16.1-0.8.1
    libsoftokn3-x86-3.16.1-0.8.1
    mozilla-nspr-x86-4.10.6-0.3.1
    mozilla-nss-x86-3.16.1-0.8.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 3.16.1 and 4.10.6]:
    mozilla-nspr-4.10.6-0.5.1
    mozilla-nspr-devel-4.10.6-0.5.1
    mozilla-nss-3.16.1-0.5.1
    mozilla-nss-devel-3.16.1-0.5.1
    mozilla-nss-tools-3.16.1-0.5.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64) [New Version: 3.16.1 and 4.10.6]:
    mozilla-nspr-32bit-4.10.6-0.5.1
    mozilla-nss-32bit-3.16.1-0.5.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x) [New Version: 24]:
    MozillaFirefox-24.6.0esr-0.5.2
    MozillaFirefox-branding-SLED-24-0.12.1
    MozillaFirefox-translations-24.6.0esr-0.5.2
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 24.6.0esr, 3.16.1 and 4.10.6]:
    MozillaFirefox-24.6.0esr-0.8.1
    MozillaFirefox-branding-SLED-24-0.7.48
    MozillaFirefox-translations-24.6.0esr-0.8.1
    libfreebl3-3.16.1-0.8.1
    libsoftokn3-3.16.1-0.8.1
    mozilla-nspr-4.10.6-0.3.1
    mozilla-nss-3.16.1-0.8.1
    mozilla-nss-tools-3.16.1-0.8.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 3.16.1 and 4.10.6]:
    libfreebl3-32bit-3.16.1-0.8.1
    libsoftokn3-32bit-3.16.1-0.8.1
    mozilla-nspr-32bit-4.10.6-0.3.1
    mozilla-nss-32bit-3.16.1-0.8.1

References:

    http://support.novell.com/security/cve/CVE-2014-1533.html
    http://support.novell.com/security/cve/CVE-2014-1534.html
    http://support.novell.com/security/cve/CVE-2014-1536.html
    http://support.novell.com/security/cve/CVE-2014-1537.html
    http://support.novell.com/security/cve/CVE-2014-1538.html
    http://support.novell.com/security/cve/CVE-2014-1541.html
    http://support.novell.com/security/cve/CVE-2014-1545.html
    https://bugzilla.novell.com/881874
    http://download.suse.com/patch/finder/?keywords=a5b350492b0ce3fad7397a840a5cdf61
    http://download.suse.com/patch/finder/?keywords=bbcc06aa0b93e2453183b7b5b8bcc0ee

From sle-security-updates at lists.suse.com Mon Jun 23 12:04:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Jun 2014 20:04:14 +0200 (CEST)
Subject: SUSE-SU-2014:0832-1: moderate: Security update for Linux Kernel
Message-ID: <20140623180414.2D3BD320B9@maintenance.suse.de>

SUSE Security Update: Security update for Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0832-1
Rating: moderate
References: #758813 #805226 #820338 #830344 #833968 #835839 #847672 #848321 #851095 #852553
    #852558 #853501 #857643 #858869 #858870 #858872 #860304 #874108 #875798
Cross-References:
    CVE-2013-0343 CVE-2013-2888 CVE-2013-2893 CVE-2013-2897 CVE-2013-4470 CVE-2013-4483
    CVE-2013-4588 CVE-2013-6382 CVE-2013-6383 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265
    CVE-2014-1444 CVE-2014-1445 CVE-2014-1446 CVE-2014-1737 CVE-2014-1738
Affected Products:
    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

An update that solves 17 vulnerabilities and has two fixes is now available.

Description:

The SUSE Linux Enterprise Server 10 SP3 LTSS kernel received a roll-up update to fix several security and non-security issues.

The following security issues have been fixed:

* CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226)
* CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839)
* CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839)
* CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839)
* CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672)
* CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321)
* CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095)
* CVE-2013-6382: Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (bnc#852553)
* CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558)
* CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)
* CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643)
* CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
(bnc#857643) * CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869) * CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870) * CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872) * CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device. (bnc#875798) * CVE-2014-1738: The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device. (bnc#875798) The following bugs have been fixed: * kernel: sclp console hangs (bnc#830344, LTC#95711, bnc#860304). * ia64: Change default PSR.ac from "1" to "0" (Fix erratum #237) (bnc#874108). * net: Uninline kfree_skb and allow NULL argument (bnc#853501). * tcp: syncookies: reduce cookie lifetime to 128 seconds (bnc#833968). * tcp: syncookies: reduce mss table to four values (bnc#833968). 
* udp: Fix bogus UFO packet generation (bnc#847672). * blkdev_max_block: make private to fs/buffer.c (bnc#820338). * vfs: avoid "attempt to access beyond end of device" warnings (bnc#820338). * vfs: fix O_DIRECT read past end of block device (bnc#820338). * HID: check for NULL field when setting values (bnc#835839). * HID: provide a helper for validating hid reports (bnc#835839). * dl2k: Tighten ioctl permissions (bnc#758813). Security Issues references: * CVE-2013-0343 * CVE-2013-2888 * CVE-2013-2893 * CVE-2013-2897 * CVE-2013-4470 * CVE-2013-4483 * CVE-2013-4588 * CVE-2013-6382 * CVE-2013-6383 * CVE-2013-7263 * CVE-2013-7264 * CVE-2013-7265 * CVE-2014-1444 * CVE-2014-1445 * CVE-2014-1446 * CVE-2014-1737 * CVE-2014-1738 Indications: Everyone using the Linux Kernel on x86_64 architecture should update. Special Instructions and Notes: Please reboot the system after installing this update. Package List: - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64): kernel-default-2.6.16.60-0.123.1 kernel-source-2.6.16.60-0.123.1 kernel-syms-2.6.16.60-0.123.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 x86_64): kernel-debug-2.6.16.60-0.123.1 kernel-kdump-2.6.16.60-0.123.1 kernel-smp-2.6.16.60-0.123.1 kernel-xen-2.6.16.60-0.123.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (i586): kernel-bigsmp-2.6.16.60-0.123.1 kernel-kdumppae-2.6.16.60-0.123.1 kernel-vmi-2.6.16.60-0.123.1 kernel-vmipae-2.6.16.60-0.123.1 kernel-xenpae-2.6.16.60-0.123.1 References: http://support.novell.com/security/cve/CVE-2013-0343.html http://support.novell.com/security/cve/CVE-2013-2888.html http://support.novell.com/security/cve/CVE-2013-2893.html http://support.novell.com/security/cve/CVE-2013-2897.html http://support.novell.com/security/cve/CVE-2013-4470.html http://support.novell.com/security/cve/CVE-2013-4483.html http://support.novell.com/security/cve/CVE-2013-4588.html http://support.novell.com/security/cve/CVE-2013-6382.html http://support.novell.com/security/cve/CVE-2013-6383.html 
http://support.novell.com/security/cve/CVE-2013-7263.html http://support.novell.com/security/cve/CVE-2013-7264.html http://support.novell.com/security/cve/CVE-2013-7265.html http://support.novell.com/security/cve/CVE-2014-1444.html http://support.novell.com/security/cve/CVE-2014-1445.html http://support.novell.com/security/cve/CVE-2014-1446.html http://support.novell.com/security/cve/CVE-2014-1737.html http://support.novell.com/security/cve/CVE-2014-1738.html https://bugzilla.novell.com/758813 https://bugzilla.novell.com/805226 https://bugzilla.novell.com/820338 https://bugzilla.novell.com/830344 https://bugzilla.novell.com/833968 https://bugzilla.novell.com/835839 https://bugzilla.novell.com/847672 https://bugzilla.novell.com/848321 https://bugzilla.novell.com/851095 https://bugzilla.novell.com/852553 https://bugzilla.novell.com/852558 https://bugzilla.novell.com/853501 https://bugzilla.novell.com/857643 https://bugzilla.novell.com/858869 https://bugzilla.novell.com/858870 https://bugzilla.novell.com/858872 https://bugzilla.novell.com/860304 https://bugzilla.novell.com/874108 https://bugzilla.novell.com/875798 http://download.suse.com/patch/finder/?keywords=17ddf66eae63aab3af8b2b3bec742669 http://download.suse.com/patch/finder/?keywords=26314f5d51311e1fdece27b8fcdf804a http://download.suse.com/patch/finder/?keywords=9914353b490102922bc3d08bdf30bacc From sle-security-updates at lists.suse.com Mon Jun 23 12:09:11 2014 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 23 Jun 2014 20:09:11 +0200 (CEST) Subject: SUSE-SU-2014:0824-2: important: Security update for MozillaFirefox Message-ID: <20140623180911.71767320BA@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0824-2 Rating: important References: #881874 Cross-References: CVE-2014-1533 CVE-2014-1534 CVE-2014-1536 CVE-2014-1537 
CVE-2014-1538 CVE-2014-1541 CVE-2014-1545 Affected Products: SUSE Linux Enterprise Server 11 SP1 LTSS SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. It includes four new package versions. Description: MozillaFirefox was updated to version 24.6.0 to fix six security issues: * Miscellaneous memory safety hazards. (CVE-2014-1533, CVE-2014-1534) * Use-after-free and out of bounds issues found using Address Sanitizer. (CVE-2014-1536, CVE-2014-1537, CVE-2014-1538) * Use-after-free with SMIL Animation Controller. (CVE-2014-1541) mozilla-nspr was updated to version 4.10.6 to fix one security issue: * Out of bounds write in NSPR. (CVE-2014-1545) Further information can be found at https://www.mozilla.org/security/announce/ . Security Issues references: * CVE-2014-1533 * CVE-2014-1534 * CVE-2014-1536 * CVE-2014-1537 * CVE-2014-1538 * CVE-2014-1541 * CVE-2014-1545 Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-Firefox-2014-06-9371 To bring your system up-to-date, use "zypper patch". 
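   A practitioner reading a string of advisories like these usually wants one
   check: does the name-version-release of each installed package meet or
   exceed the one in the advisory's Package List? The script below is an
   added example, not part of the SUSE advisories or of SUSE's tooling. It
   implements the segment-wise comparison that rpm's rpmvercmp() applies to
   version and release strings (digit runs compare numerically, letter runs
   lexically, a numeric segment beats an alphabetic one, and a longer string
   wins once the other runs out) and applies it to an inventory of installed
   packages. The advisory entries are taken from the SUSE-SU-2014:0832-1
   Package List above; the installed inventory is constructed for
   illustration. Epoch, and the tilde/caret rules of newer rpm versions, are
   assumed not to matter for the package versions on this page and are not
   handled.

```python
"""Check installed RPM name-version-release strings against an advisory list.

Added example, not part of the SUSE advisory. The INSTALLED inventory below
is constructed; on a real host it would come from
    rpm -q -a --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
Assumptions: no epoch in the versions, and no '~' or '^' segments (newer
rpm features not needed for the packages listed on this page).
"""
import re
from typing import Dict, List, Tuple

# Package List of SUSE-SU-2014:0832-1 (SLES 10 SP3 LTSS, i586 s390x x86_64).
ADVISORY_PACKAGES = [
    "kernel-default-2.6.16.60-0.123.1",
    "kernel-source-2.6.16.60-0.123.1",
    "kernel-syms-2.6.16.60-0.123.1",
]

# Constructed inventory of a hypothetical host: name -> "version-release".
INSTALLED = {
    "kernel-default": "2.6.16.60-0.105.1",  # older release: still vulnerable
    "kernel-source": "2.6.16.60-0.123.1",   # exactly the advisory version
    "kernel-syms": "2.6.16.60-0.123.2",     # a later rebuild: newer than required
}

# rpmvercmp tokenises on runs of digits and runs of letters; every other
# character (., _, -) only separates segments and carries no weight.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing version (or release) strings like rpm does."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)      # int() drops leading zeros: "01" == "1"
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1   # alphabetic segments compare as strings
    # All shared segments equal: whichever string has segments left is newer.
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release'. Version and release never contain '-',
    so the last two dashes are the separators (the name may contain dashes)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def evr_cmp(installed: str, required: str) -> int:
    """Compare two 'version-release' strings: version decides, release breaks ties."""
    iv, ir = installed.rsplit("-", 1)
    rv, rr = required.rsplit("-", 1)
    c = rpmvercmp(iv, rv)
    return c if c != 0 else rpmvercmp(ir, rr)


def check_advisory(packages: List[str], installed: Dict[str, str]) -> Dict[str, str]:
    """Return 'ok', 'outdated' or 'not installed' for every advisory package.

    A package that is not installed is not affected by the advisory at all,
    so it is reported separately rather than as a failure."""
    result: Dict[str, str] = {}
    for nvr in packages:
        name, version, release = split_nvr(nvr)
        have = installed.get(name)
        if have is None:
            result[name] = "not installed"
        elif evr_cmp(have, f"{version}-{release}") >= 0:
            result[name] = "ok"
        else:
            result[name] = "outdated"
    return result


if __name__ == "__main__":
    for name, status in check_advisory(ADVISORY_PACKAGES, INSTALLED).items():
        print(f"{name:16s} {status}")
```

   The comparison matters more than it looks: a plain string compare would
   rank "0.105.1" above "0.123.1" on the second digit and call the
   vulnerable kernel-default current, and versions such as "24.6.0esr" or
   "1.8.7.p357" from the Firefox and ruby lists on this page only sort
   correctly because letters and digits are compared as separate segments.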
Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 24,24.6.0esr,3.16.1 and 4.10.6]:

      MozillaFirefox-24.6.0esr-0.3.1
      MozillaFirefox-branding-SLED-24-0.4.10.24
      MozillaFirefox-translations-24.6.0esr-0.3.1
      libfreebl3-3.16.1-0.3.1
      mozilla-nspr-4.10.6-0.3.1
      mozilla-nss-3.16.1-0.3.1
      mozilla-nss-tools-3.16.1-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 3.16.1 and 4.10.6]:

      libfreebl3-32bit-3.16.1-0.3.1
      mozilla-nspr-32bit-4.10.6-0.3.1
      mozilla-nss-32bit-3.16.1-0.3.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64) [New Version: 3.16.1 and 4.10.6]:

      mozilla-nspr-4.10.6-0.5.1
      mozilla-nspr-devel-4.10.6-0.5.1
      mozilla-nss-3.16.1-0.5.1
      mozilla-nss-devel-3.16.1-0.5.1
      mozilla-nss-tools-3.16.1-0.5.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64) [New Version: 3.16.1 and 4.10.6]:

      mozilla-nspr-32bit-4.10.6-0.5.1
      mozilla-nss-32bit-3.16.1-0.5.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x) [New Version: 24]:

      MozillaFirefox-24.6.0esr-0.5.2
      MozillaFirefox-branding-SLED-24-0.12.1
      MozillaFirefox-translations-24.6.0esr-0.5.2

References:

   http://support.novell.com/security/cve/CVE-2014-1533.html
   http://support.novell.com/security/cve/CVE-2014-1534.html
   http://support.novell.com/security/cve/CVE-2014-1536.html
   http://support.novell.com/security/cve/CVE-2014-1537.html
   http://support.novell.com/security/cve/CVE-2014-1538.html
   http://support.novell.com/security/cve/CVE-2014-1541.html
   http://support.novell.com/security/cve/CVE-2014-1545.html
   https://bugzilla.novell.com/881874
   http://download.suse.com/patch/finder/?keywords=e2a57d92d922ffebb85c807219cf2d71
   http://download.suse.com/patch/finder/?keywords=f0a739569a9d79d0a6467c5ca4d74942

From sle-security-updates at lists.suse.com Mon Jun 23 12:09:31 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 23 Jun 2014 20:09:31 +0200 (CEST)
Subject: SUSE-SU-2014:0833-1: moderate: Security update for compat-wireless,
 compat-wireless-debuginfo, compat-wireless-debugsource,
 compat-wireless-kmp-default, compat-wireless-kmp-pae,
 compat-wireless-kmp-trace, compat-wireless-kmp-xen
Message-ID: <20140623180931.15878320BA@maintenance.suse.de>

   SUSE Security Update: Security update for compat-wireless,
   compat-wireless-debuginfo, compat-wireless-debugsource,
   compat-wireless-kmp-default, compat-wireless-kmp-pae,
   compat-wireless-kmp-trace, compat-wireless-kmp-xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0833-1
Rating:             moderate
References:         #851021 #851426 #865475 #871148 #883209
Cross-References:   CVE-2013-4579 CVE-2014-2672
Affected Products:
                    SUSE Linux Enterprise Point of Service 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves two vulnerabilities and has three fixes is now
   available.

Description:

   This update for the compat-wireless kernel modules provides many fixes and
   enhancements:

   * Fix potential crash problem in ath9k. (CVE-2014-2672, bnc#871148)
   * Fix improper updates of MAC addresses in ath9k_htc. (bnc#851426,
     CVE-2013-4579)
   * Fix stability issues in iwlwifi. (bnc#865475)
   * Improve support for Intel 7625 cards in iwlwifi. (bnc#851021)

   Installation notes:

   New driver modules may conflict with old modules, which are automatically
   loaded from the initrd file after reboot. To apply this maintenance update
   correctly, the following steps need to be executed on a SLEPOS system:

   * Rebuild image
   * Create specific scDistributionContainer with newly built initrd and
     kernel
   * Put the updated system image in it as a scPosImage object

   Alternatively, you can use a kernel parameter to enforce using the kernel
   from the system image:

   * Rebuild image
   * Set the kernel parameter FORCE_KEXEC, by adding the scPxeFileTemplate
     object under the relevant scPosImage object, with the
     scKernelParameters attribute containing 'FORCE_KEXEC=yes'.

Security Issue references:

   * CVE-2014-2672
   * CVE-2013-4579

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Point of Service 11 SP3:

      zypper in -t patch sleposp3-compat-wireless-9414

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-compat-wireless-9414

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Point of Service 11 SP3 (i586 x86_64):

      compat-wireless-kmp-default-3.13_3.0.101_0.31-0.9.1

   - SUSE Linux Enterprise Point of Service 11 SP3 (i586):

      compat-wireless-kmp-pae-3.13_3.0.101_0.31-0.9.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      compat-wireless-kmp-default-3.13_3.0.101_0.31-0.9.1
      compat-wireless-kmp-xen-3.13_3.0.101_0.31-0.9.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586):

      compat-wireless-kmp-pae-3.13_3.0.101_0.31-0.9.1

References:

   http://support.novell.com/security/cve/CVE-2013-4579.html
   http://support.novell.com/security/cve/CVE-2014-2672.html
   https://bugzilla.novell.com/851021
   https://bugzilla.novell.com/851426
   https://bugzilla.novell.com/865475
   https://bugzilla.novell.com/871148
   https://bugzilla.novell.com/883209
   http://download.suse.com/patch/finder/?keywords=313c3f5584bd9bba06b195bad96e9fb8

From sle-security-updates at lists.suse.com Tue Jun 24 12:04:11 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Jun 2014 20:04:11 +0200 (CEST)
Subject: SUSE-SU-2014:0837-1: important: Security update for Linux Kernel
Message-ID: <20140624180411.2EAFD320BC@maintenance.suse.de>

   SUSE Security Update: Security update for Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0837-1
Rating:             important
References:         #880892
Cross-References:   CVE-2014-3153
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SLE 11 SERVER Unsupported Extras
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   The SUSE Linux Enterprise 11 Service Pack 2 LTSS kernel was updated to fix
   a critical security issue:

   * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be used
     to gain ring0 access via the futex syscall. This could be used for
     privilege escalation by non-root users. (bnc#880892)

Security Issue reference:

   * CVE-2014-3153

Indications:

   Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-kernel-9401

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (x86_64) [New Version: 3.0.101]:

      kernel-default-3.0.101-0.7.21.1
      kernel-default-base-3.0.101-0.7.21.1
      kernel-default-devel-3.0.101-0.7.21.1
      kernel-ec2-3.0.101-0.7.21.1
      kernel-ec2-base-3.0.101-0.7.21.1
      kernel-ec2-devel-3.0.101-0.7.21.1
      kernel-source-3.0.101-0.7.21.1
      kernel-syms-3.0.101-0.7.21.1
      kernel-trace-3.0.101-0.7.21.1
      kernel-trace-base-3.0.101-0.7.21.1
      kernel-trace-devel-3.0.101-0.7.21.1
      kernel-xen-3.0.101-0.7.21.1
      kernel-xen-base-3.0.101-0.7.21.1
      kernel-xen-devel-3.0.101-0.7.21.1
      xen-kmp-default-4.1.6_06_3.0.101_0.7.21-0.5.16
      xen-kmp-trace-4.1.6_06_3.0.101_0.7.21-0.5.16

   - SLE 11 SERVER Unsupported Extras (i586 s390x x86_64):

      ext4-writeable-kmp-default-0_3.0.101_0.7.21-0.14.103
      ext4-writeable-kmp-trace-0_3.0.101_0.7.21-0.14.103
      kernel-default-extra-3.0.101-0.7.21.1

   - SLE 11 SERVER Unsupported Extras (i586 x86_64):

      ext4-writeable-kmp-xen-0_3.0.101_0.7.21-0.14.103
      kernel-xen-extra-3.0.101-0.7.21.1

   - SLE 11 SERVER Unsupported Extras (i586):

      ext4-writeable-kmp-pae-0_3.0.101_0.7.21-0.14.103
      kernel-pae-extra-3.0.101-0.7.21.1

References:

   http://support.novell.com/security/cve/CVE-2014-3153.html
   https://bugzilla.novell.com/880892
   http://download.suse.com/patch/finder/?keywords=57e8ca903c0e219b4a246341a1dcc918
   http://download.suse.com/patch/finder/?keywords=61e1a2a73687bac3fafca164f96d8cc7
   http://download.suse.com/patch/finder/?keywords=8a436d368e8568ba2e588b5dcdbf5638
   http://download.suse.com/patch/finder/?keywords=9f300f6a58020c0e115d462d377a8e9b

From sle-security-updates at lists.suse.com Tue Jun 24 15:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 24 Jun 2014 23:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:0838-1: important: Security update for rxvt-unicode
Message-ID: <20140624210413.91DB3320DB@maintenance.suse.de>

   SUSE Security Update: Security update for rxvt-unicode
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0838-1
Rating:             important
References:         #876101
Cross-References:   CVE-2014-3121
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   rxvt-unicode was updated to ensure that window property values can not be
   queried in secure mode. (CVE-2014-3121)

Security Issue reference:

   * CVE-2014-3121

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-rxvt-unicode-9421

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-rxvt-unicode-9421

   To bring your system up-to-date, use "zypper patch".
Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      rxvt-unicode-9.05-1.19.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      rxvt-unicode-9.05-1.19.1

References:

   http://support.novell.com/security/cve/CVE-2014-3121.html
   https://bugzilla.novell.com/876101
   http://download.suse.com/patch/finder/?keywords=6bf1964f470fdf42df9dcb851b5d0358

From sle-security-updates at lists.suse.com Tue Jun 24 16:04:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Jun 2014 00:04:14 +0200 (CEST)
Subject: SUSE-SU-2014:0824-3: important: Security update for MozillaFirefox
Message-ID: <20140624220414.6DBEB320DB@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0824-3
Rating:             important
References:         #881874
Cross-References:   CVE-2014-1533 CVE-2014-1534 CVE-2014-1536 CVE-2014-1537
                    CVE-2014-1538 CVE-2014-1541 CVE-2014-1545
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available. It includes
   three new package versions.

Description:

   MozillaFirefox was updated to version 24.6.0 to fix six security issues:

   * Miscellaneous memory safety hazards. (CVE-2014-1533, CVE-2014-1534)
   * Use-after-free and out of bounds issues found using Address Sanitizer.
     (CVE-2014-1536, CVE-2014-1537, CVE-2014-1538)
   * Use-after-free with SMIL Animation Controller. (CVE-2014-1541)

   mozilla-nspr was updated to version 4.10.6 to fix one security issue:

   * Out of bounds write in NSPR. (CVE-2014-1545)

   Further information can be found at https://www.mozilla.org/security/announce/ .

Security Issues references:

   * CVE-2014-1533
   * CVE-2014-1534
   * CVE-2014-1536
   * CVE-2014-1537
   * CVE-2014-1538
   * CVE-2014-1541
   * CVE-2014-1545

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-Firefox-2014-06-9372

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 24.6.0esr,3.16.1 and 4.10.6]:

      MozillaFirefox-24.6.0esr-0.3.1
      MozillaFirefox-branding-SLED-24-0.4.10.24
      MozillaFirefox-translations-24.6.0esr-0.3.1
      libfreebl3-3.16.1-0.3.1
      mozilla-nspr-4.10.6-0.3.1
      mozilla-nspr-devel-4.10.6-0.3.1
      mozilla-nss-3.16.1-0.3.1
      mozilla-nss-devel-3.16.1-0.3.1
      mozilla-nss-tools-3.16.1-0.3.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 3.16.1 and 4.10.6]:

      libfreebl3-32bit-3.16.1-0.3.1
      mozilla-nspr-32bit-4.10.6-0.3.1
      mozilla-nss-32bit-3.16.1-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2014-1533.html
   http://support.novell.com/security/cve/CVE-2014-1534.html
   http://support.novell.com/security/cve/CVE-2014-1536.html
   http://support.novell.com/security/cve/CVE-2014-1537.html
   http://support.novell.com/security/cve/CVE-2014-1538.html
   http://support.novell.com/security/cve/CVE-2014-1541.html
   http://support.novell.com/security/cve/CVE-2014-1545.html
   https://bugzilla.novell.com/881874
   http://download.suse.com/patch/finder/?keywords=e2d7ece33b6e193c079bd4bb573757e6

From sle-security-updates at lists.suse.com Tue Jun 24 16:04:31 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Jun 2014 00:04:31 +0200 (CEST)
Subject: SUSE-SU-2014:0839-1: moderate: Security update for Samba
Message-ID: <20140624220431.1036D320DF@maintenance.suse.de>

   SUSE Security Update: Security update for Samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0839-1
Rating:             moderate
References:         #848101
Cross-References:   CVE-2013-4475
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   Samba was updated to fix a security issue:

   Samba, when vfs_streams_depot or vfs_streams_xattr is enabled, allows
   remote attackers to bypass intended file restrictions by leveraging ACL
   differences between a file and an associated alternate data stream (ADS).
   (CVE-2013-4475)

Security Issue reference:

   * CVE-2013-4475

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-cifs-mount-9316

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      cifs-mount-3.4.3-1.54.1
      ldapsmb-1.34b-11.28.54.1
      libsmbclient0-3.4.3-1.54.1
      libtalloc1-3.4.3-1.54.1
      libtdb1-3.4.3-1.54.1
      libwbclient0-3.4.3-1.54.1
      samba-3.4.3-1.54.1
      samba-client-3.4.3-1.54.1
      samba-krb-printing-3.4.3-1.54.1
      samba-winbind-3.4.3-1.54.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):

      libsmbclient0-32bit-3.4.3-1.54.1
      libtalloc1-32bit-3.4.3-1.54.1
      libtdb1-32bit-3.4.3-1.54.1
      libwbclient0-32bit-3.4.3-1.54.1
      samba-32bit-3.4.3-1.54.1
      samba-client-32bit-3.4.3-1.54.1
      samba-winbind-32bit-3.4.3-1.54.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (noarch):

      samba-doc-3.4.3-1.54.1

References:

   http://support.novell.com/security/cve/CVE-2013-4475.html
   https://bugzilla.novell.com/848101
   http://download.suse.com/patch/finder/?keywords=9c387ea2ee57f099aaa538984f7f9b94

From sle-security-updates at lists.suse.com Tue Jun 24 16:04:48 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Jun 2014 00:04:48 +0200 (CEST)
Subject: SUSE-SU-2014:0837-2: important: Security update for Linux Kernel
Message-ID: <20140624220448.D4E88320DF@maintenance.suse.de>

   SUSE Security Update: Security update for Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0837-2
Rating:             important
References:         #880892
Cross-References:   CVE-2014-3153
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It includes one
   version update.

Description:

   The SUSE Linux Enterprise 11 Service Pack 2 LTSS kernel was updated to fix
   a critical security issue:

   * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be used
     to gain ring0 access via the futex syscall. This could be used for
     privilege escalation by non-root users. (bnc#880892)

Security Issue reference:

   * CVE-2014-3153

Indications:

   Everyone using the Linux Kernel on s390x architecture should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-kernel-9394 slessp2-kernel-9396

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x) [New Version: 3.0.101]:

      kernel-default-3.0.101-0.7.21.1
      kernel-default-base-3.0.101-0.7.21.1
      kernel-default-devel-3.0.101-0.7.21.1
      kernel-source-3.0.101-0.7.21.1
      kernel-syms-3.0.101-0.7.21.1
      kernel-trace-3.0.101-0.7.21.1
      kernel-trace-base-3.0.101-0.7.21.1
      kernel-trace-devel-3.0.101-0.7.21.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x) [New Version: 3.0.101]:

      kernel-default-man-3.0.101-0.7.21.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586) [New Version: 3.0.101]:

      kernel-ec2-3.0.101-0.7.21.1
      kernel-ec2-base-3.0.101-0.7.21.1
      kernel-ec2-devel-3.0.101-0.7.21.1
      kernel-pae-3.0.101-0.7.21.1
      kernel-pae-base-3.0.101-0.7.21.1
      kernel-pae-devel-3.0.101-0.7.21.1
      kernel-xen-3.0.101-0.7.21.1
      kernel-xen-base-3.0.101-0.7.21.1
      kernel-xen-devel-3.0.101-0.7.21.1
      xen-kmp-default-4.1.6_06_3.0.101_0.7.21-0.5.16
      xen-kmp-pae-4.1.6_06_3.0.101_0.7.21-0.5.16
      xen-kmp-trace-4.1.6_06_3.0.101_0.7.21-0.5.16

References:

   http://support.novell.com/security/cve/CVE-2014-3153.html
   https://bugzilla.novell.com/880892
   http://download.suse.com/patch/finder/?keywords=ae793a34e7393acb565c7a3c4a4f24b1
   http://download.suse.com/patch/finder/?keywords=b4fdb0d3ad801ad88765f88da9196e1b

From sle-security-updates at lists.suse.com Wed Jun 25 11:04:17 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Jun 2014 19:04:17 +0200 (CEST)
Subject: SUSE-SU-2014:0843-1: moderate: Security update for ruby
Message-ID: <20140625170417.06749320F0@maintenance.suse.de>

   SUSE Security Update: Security update for ruby
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0843-1
Rating:             moderate
References:         #808137 #827265 #851803
Cross-References:   CVE-2013-1821 CVE-2013-4073 CVE-2013-4164
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   Ruby received an LTSS roll-up update to fix the following security issues:

   * CVE-2013-1821: A ruby entity expansion DoS vulnerability in REXML was
     fixed.
   * CVE-2013-4164: Fixed a heap overflow in floating-point parsing.
   * CVE-2013-4073: Fixed a hostname check bypass vulnerability in the SSL
     client.

Security Issues references:

   * CVE-2013-4073
   * CVE-2013-4164
   * CVE-2013-1821

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-ruby-9313

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

      ruby-1.8.7.p357-0.9.15.6
      ruby-doc-html-1.8.7.p357-0.9.15.6
      ruby-tk-1.8.7.p357-0.9.15.6

References:

   http://support.novell.com/security/cve/CVE-2013-1821.html
   http://support.novell.com/security/cve/CVE-2013-4073.html
   http://support.novell.com/security/cve/CVE-2013-4164.html
   https://bugzilla.novell.com/808137
   https://bugzilla.novell.com/827265
   https://bugzilla.novell.com/851803
   http://download.suse.com/patch/finder/?keywords=9dc7120259a10c13389f5bc9d5c0eec6

From sle-security-updates at lists.suse.com Wed Jun 25 11:04:56 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Jun 2014 19:04:56 +0200 (CEST)
Subject: SUSE-SU-2014:0844-1: moderate: Security update for ruby
Message-ID: <20140625170456.4CCD6320F0@maintenance.suse.de>

   SUSE Security Update: Security update for ruby
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0844-1
Rating:             moderate
References:         #783525 #808137 #827265 #851803
Cross-References:   CVE-2012-4481 CVE-2013-1821 CVE-2013-4073 CVE-2013-4164
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________ An update that fixes four vulnerabilities is now available. It includes one version update. Description: Ruby received an LTSS roll-up update to fix the following security issues: * CVE-2012-4481: The safe-level feature in Ruby 1.8.7 allowed context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. * CVE-2013-1821: A ruby entity expansion DoS vulnerability in REXML was fixed. * CVE-2013-4164: Fixed a heap overflow in float point parsing. * CVE-2013-4073: Fixed hostname check bypassing vulnerability in the SSL client. Security Issues references: * CVE-2012-4481 * CVE-2013-4073 * CVE-2013-4164 * CVE-2013-1821 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-ruby-9312 To bring your system up-to-date, use "zypper patch". 
Package List:

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 1.8.7.p357]:
  ruby-1.8.7.p357-0.9.15.6
  ruby-doc-html-1.8.7.p357-0.9.15.6
  ruby-tk-1.8.7.p357-0.9.15.6

References:

http://support.novell.com/security/cve/CVE-2012-4481.html
http://support.novell.com/security/cve/CVE-2013-1821.html
http://support.novell.com/security/cve/CVE-2013-4073.html
http://support.novell.com/security/cve/CVE-2013-4164.html
https://bugzilla.novell.com/783525
https://bugzilla.novell.com/808137
https://bugzilla.novell.com/827265
https://bugzilla.novell.com/851803
http://download.suse.com/patch/finder/?keywords=9bc15e1f428f15de04cd5d99f4b7aa3d

From sle-security-updates at lists.suse.com Wed Jun 25 13:04:13 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Jun 2014 21:04:13 +0200 (CEST)
Subject: SUSE-SU-2014:0845-1: moderate: Security update for ctdb
Message-ID: <20140625190413.16C23320F0@maintenance.suse.de>

SUSE Security Update: Security update for ctdb
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0845-1
Rating: moderate
References: #836064 #867815
Cross-References: CVE-2013-4159
Affected Products:
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise High Availability Extension 11 SP3
______________________________________________________________________________

An update that solves one vulnerability and has one erratum is now available.

Description:

This update for ctdb provides fixes for the following issues:

* Insecure temporary file creation potentially allows for exploitation via symbolic links. (CVE-2013-4159)
* Excessive lock contention can result in severe performance degradation when a CTDB cluster is under load.

Security Issue reference:

* CVE-2013-4159

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-ctdb-9377
- SUSE Linux Enterprise High Availability Extension 11 SP3:
  zypper in -t patch slehasp3-ctdb-9377

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  ctdb-devel-1.0.114.6-0.11.1
- SUSE Linux Enterprise High Availability Extension 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  ctdb-1.0.114.6-0.11.1

References:

http://support.novell.com/security/cve/CVE-2013-4159.html
https://bugzilla.novell.com/836064
https://bugzilla.novell.com/867815
http://download.suse.com/patch/finder/?keywords=0015bf5062e049e3ea4352218ae36942

From sle-security-updates at lists.suse.com Wed Jun 25 15:04:15 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 25 Jun 2014 23:04:15 +0200 (CEST)
Subject: SUSE-SU-2014:0846-1: moderate: Security update for dbus-1
Message-ID: <20140625210415.B1972320F0@maintenance.suse.de>

SUSE Security Update: Security update for dbus-1
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0846-1
Rating: moderate
References: #881137
Cross-References: CVE-2014-3477
Affected Products:
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

dbus-1 was patched to prevent a possible denial of service issue in dbus-daemon. (CVE-2014-3477)

Security Issue reference:

* CVE-2014-3477

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:
  zypper in -t patch sdksp3-dbus-1-9349
- SUSE Linux Enterprise Server 11 SP3 for VMware:
  zypper in -t patch slessp3-dbus-1-9349
- SUSE Linux Enterprise Server 11 SP3:
  zypper in -t patch slessp3-dbus-1-9349
- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-dbus-1-9349

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  dbus-1-devel-1.2.10-3.29.1
  dbus-1-devel-doc-1.2.10-3.29.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
  dbus-1-1.2.10-3.29.1
  dbus-1-x11-1.2.10-3.29.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
  dbus-1-32bit-1.2.10-3.29.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
  dbus-1-1.2.10-3.29.1
  dbus-1-x11-1.2.10-3.29.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
  dbus-1-32bit-1.2.10-3.29.1
- SUSE Linux Enterprise Server 11 SP3 (ia64):
  dbus-1-x86-1.2.10-3.29.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
  dbus-1-1.2.10-3.29.1
  dbus-1-x11-1.2.10-3.29.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
  dbus-1-32bit-1.2.10-3.29.1

References:

http://support.novell.com/security/cve/CVE-2014-3477.html
https://bugzilla.novell.com/881137
http://download.suse.com/patch/finder/?keywords=b4ca07a8ed4d1bd27cb74ddf9e85cc13

From sle-security-updates at lists.suse.com Wed Jun 25 17:04:14 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Jun 2014 01:04:14 +0200 (CEST)
Subject: SUSE-SU-2014:0847-1: important: Security update for novell-qtgui, novell-ui-base
Message-ID: <20140625230414.BCD4D320DF@maintenance.suse.de>

SUSE Security Update: Security update for novell-qtgui, novell-ui-base
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0847-1
Rating:
important
References: #872796
Cross-References: CVE-2014-0595
Affected Products:
SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

Packages novell-ui-base and novell-qtgui were updated to prevent erroneous rights assignment when a user is granted 'File Scan' rights (F). In this case nwrights was instead assigning Supervisor (S) rights. (CVE-2014-0595)

Further information is available at https://bugzilla.novell.com/show_bug.cgi?id=872796 .

Security Issue reference:

* CVE-2014-0595

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Desktop 11 SP3:
  zypper in -t patch sledsp3-novell-ui-201405-9276

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
  novell-qtgui-3.0.0-0.20.1
  novell-qtgui-cli-3.0.0-0.20.1
  novell-ui-base-3.0.0-0.10.1

References:

http://support.novell.com/security/cve/CVE-2014-0595.html
https://bugzilla.novell.com/872796
http://download.suse.com/patch/finder/?keywords=5bdf8cabc0ee4ea4ea2e5c84d2171189

From sle-security-updates at lists.suse.com Wed Jun 25 17:04:35 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 26 Jun 2014 01:04:35 +0200 (CEST)
Subject: SUSE-SU-2014:0848-1: important: Security update for openstack-keystone
Message-ID: <20140625230435.A4602320DF@maintenance.suse.de>

SUSE Security Update: Security update for openstack-keystone
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0848-1
Rating: important
References: #881977
Cross-References: CVE-2014-3476
Affected Products:
SUSE Cloud 3
______________________________________________________________________________

An update that fixes one vulnerability is now available.
It includes one version update.

Description:

openstack-keystone was updated to version 2013.2.4.dev5.g9162837 to fix one security issue and one regular bug:

* Privilege escalation through trust chained delegation. (CVE-2014-3476)
* Fix invalid LDAP filter for user ID with commas.

Security Issue reference:

* CVE-2014-3476

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Cloud 3:
  zypper in -t patch sleclo30sp3-openstack-keystone-9378

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Cloud 3 (x86_64) [New Version: 2013.2.4.dev5.g9162837]:
  openstack-keystone-2013.2.4.dev5.g9162837-0.7.1
  python-keystone-2013.2.4.dev5.g9162837-0.7.1
- SUSE Cloud 3 (noarch) [New Version: 2013.2.4.dev5.g9162837]:
  openstack-keystone-doc-2013.2.4.dev5.g9162837-0.7.1

References:

http://support.novell.com/security/cve/CVE-2014-3476.html
https://bugzilla.novell.com/881977
http://download.suse.com/patch/finder/?keywords=7e3827dc35a978ab61c2261344784e9b

From sle-security-updates at lists.suse.com Fri Jun 27 17:04:15 2014
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 28 Jun 2014 01:04:15 +0200 (CEST)
Subject: SUSE-SU-2014:0851-1: moderate: Security update for python-django
Message-ID: <20140627230415.104C1320F2@maintenance.suse.de>

SUSE Security Update: Security update for python-django
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0851-1
Rating: moderate
References: #874950 #874955 #874956 #877993 #878641
Cross-References: CVE-2014-0472 CVE-2014-0473 CVE-2014-0474 CVE-2014-1418 CVE-2014-3730
Affected Products:
SUSE Cloud 3
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available. It includes one version update.
Description:

python-django was updated to fix the following security issues:

* Unexpected code execution using reverse(). (CVE-2014-0472)
* Caching of anonymous pages could reveal the CSRF token. (CVE-2014-0473)
* Improper MySQL typecasting for the FilePathField, GenericIPAddressField, and IPAddressField model field classes. (CVE-2014-0474)
* Prevent cache poisoning. (CVE-2014-1418)
* Ensure malformed URLs from user input are validated. (CVE-2014-3730)

Further information is available at https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/ and https://www.djangoproject.com/weblog/2014/apr/21/security/ .

Security Issues references:

* CVE-2014-0472
* CVE-2014-0473
* CVE-2014-0474
* CVE-2014-1418
* CVE-2014-3730

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Cloud 3:
  zypper in -t patch sleclo30sp3-python-django-9290

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Cloud 3 (x86_64) [New Version: 1.5.8]:
  python-django-1.5.8-0.7.1

References:

http://support.novell.com/security/cve/CVE-2014-0472.html
http://support.novell.com/security/cve/CVE-2014-0473.html
http://support.novell.com/security/cve/CVE-2014-0474.html
http://support.novell.com/security/cve/CVE-2014-1418.html
http://support.novell.com/security/cve/CVE-2014-3730.html
https://bugzilla.novell.com/874950
https://bugzilla.novell.com/874955
https://bugzilla.novell.com/874956
https://bugzilla.novell.com/877993
https://bugzilla.novell.com/878641
http://download.suse.com/patch/finder/?keywords=44f05acc7b3321c1c776f63dfc9355ec